dale

I keep seeing attempts to access the following files in my error log: /public_html/cgi-bin/awstats.pl /public_html/cgi-bin/awstats /xmlrpc.php /blog/xmlrpc.php /blog/xmlsrv/xmlrpc.php /blogs/xmlsrv/xmlrpc.php /drupal/xmlrpc.php /phpgroupware/xmlrpc.php /wordpress/xmlrpc.php /xmlrpc.php /xmlrpc/xmlrpc.php /xmlsrv/xmlrpc.php Always in this order, but always from a different IP address. To my untrained eye it looks like a script attempting to find vulnerable, unpatched servers in an attempt to inject executable code for who-knows-what purpose. What I've been doing is adding these folks to my "IP Deny" list via cPanel. What I'd like to do is automate this so that as soon as an attempt like this can be detected, have the IP address automatically added. Does anyone know how I might do this? I could make a fake "xmlrpc.php" file that emails me with the IP, but I don't know how to programmatically add them to my deny list. Thanks for any input on this issue.

All, I had the exact same problem with the cpanel counter script. What was odd about it was that the HTML code as supplied by the cpanel counter-maker worked when I viewed my page via IP/~username (which is how one sees their page before the DNS has propagated), but didn't work (i.e., gave the error message "Could not write to counter file...") when accessed via the URL, even after DNS propagation was complete. I dropped the ".dat" from the code snippet, as many have suggested, and now the problem is exactly reversed: It works fine when addressed as http://PIC-an-LCD.com, but not when accessed via IP/~username. Of course, this is much preferrable, as the world at large is going to find my page via the published URL. It's still a head-scratcher, though. Thanks, Dale