As evidenced from our log capture, the Brazilian script kiddies are reverse engineering and looking for vulnerabilities. Except for the bad "bold" code, some of it works:

[Thu Jun 10 08:29:13 2004] [error] [client 200.96.112.43] File does not exist: /home/fivedogs/public_html/<b>modules</themes/PH2/style/style.css
[Thu Jun 10 08:29:13 2004] [error] [client 200.96.112.43] File does not exist: /home/fivedogs/public_html/<b>modules</includes/blockscript.js
[Thu Jun 10 08:29:11 2004] [error] [client 200.96.112.43] File does not exist: /home/fivedogs/public_html/<b>modules</index.php
Forty more lines not included here

Pretty soon I will ban all of Lacnic's customers, from El Paso to the tip of South America. But I hate to see real people take a hit because of these clowns.

---------------------------------------------
NukeFind at www.nukefind.com

Your question should probably have been 'Is there anyone who has not had a visit from the Brazilian connection?'

There are vulnerabilities in some theme.php files which are not from cpgnuke.com, so they will eventually succeed.

Actually I heard a rumor they are Peruvian...

They could be any number of nationalities and just using anon proxies they have tapped into in Brazil.

Just ban direct file access in .htaccess. It IS very easy for me or anyone else to use a brazillian proxy

sorry to bring up such and old article.. but how to you direct ban file access?

in htaccess, examples,
deny from 200.11. 200.2. 200.177.

also this way,
RewriteCond %{REMOTE_ADDR} ^217.20.113.110*$ [OR]
RewriteCond %{REMOTE_ADDR} ^200.177.*$ [OR]
RewriteRule ^.*$ somefile.php [L]