For the last several months, I have been seeing an increasing number of 404 errors requesting “
favicon.ico” appended onto various URLs:https://perishablepress.com/press/favicon.ico
https://perishablepress.com/press/2007/06/12/favicon.ico
https://perishablepress.com/press/2007/09/25/absolute-horizontal-and-vertical-centering-via-css/favicon.ico
https://perishablepress.com/press/2007/08/01/temporary-site-redirect-for-visitors-during-site-updates/favicon.ico
https://perishablepress.com/press/2007/01/16/maximum-and-minimum-height-and-width-in-internet-explorer/favicon.ico
When these errors first began appearing in the logs several months ago, I didn’t think too much of it — “just another idiot who can’t find my site’s favicon..” As time went on, however, the frequency and variety of these misdirected requests continued to increase. A bit frustrating perhaps, but not serious enough to justify immediate action. After all, what’s the worst that can happen? The idiot might actually find the blasted thing? Wouldn’t that be nice..
But no, the 404 favicon errors just won’t go away. Last week, as I was digging through my site’s error logs, there were hundreds of these infamous favicon requests — line after line of moronic URL activity, scripted directory brachiation targeting the all-empowering favicon exploit. Give me a break. Finally, I just couldn’t deal with it any more and decided to put an end to the madness..
Pssst: it’s in the root directory
Fortunately, stopping this nonsense is relatively easy. My knee-jerk reaction was to simply block all requests for
favicon.ico:<IfModule mod_alias.c>RedirectMatch 403 favicon.ico</IfModule>
..very effective; 29 characters and problem solved. I could even add this line to my 3G Blacklist, but I don’t want to prevent direct access to my real favicon, so an alternate strategy is required. Let’s try it again, this time invoking the mind-boggling powers of Apache’s mod_rewrite:
# REDIRECT FAVICONZ
<ifmodule mod_rewrite.c>
RewriteCond %{THE_REQUEST} favicon.ico [NC]
RewriteRule (.*) http://domain.tld/favicon.ico [R=301,L]
</ifmodule>
Ahh, much better. With this code placed in your site’s root blog’s subdirectory 1 HTAccess file, all requests for your site’s
favicon.ico file will be directed to the original location, as specified in the RewriteRule. First line: check for the proper Apache module (mod_rewrite); second line: match any request for favicon.ico (regardless of casing); third line: rewrite all matched requests as http://domain.tld/favicon.ico and declare the redirect as permanent (301); last line: close the module-check container.
I have been using this code for about a week now and have seen no further 404 errors for misdirected favicon requests. Filtering out the noise from my error and access logs makes it easier to identify more serious issues.
Finally, in case you were wondering about the identity of the ruthless favicon bandit, here you go:
<Limit GET POST PUT>
order allow,deny
allow from all
deny from 65.60.102.254 "# favicon bandit zombie "
deny from 76.175.130.100 "# favicon bandit zombie "
deny from 80.219.216.247 "# favicon bandit zombie "
deny from 163.192.21.42 "# favicon bandit zombie "
deny from 203.123.182.138 "# favicon bandit zombie "
</LIMIT>
These are all coming from completely different hosts, however blocking them for the immediate future may provide some temporary relief against any other cracker nonsense (i.e., non-favicon exploits) executed through these zombie machines.
And that’s a wrap. If you are experiencing similar 404 favicon requests, I would be interested in hearing about them. As always, thank you for your generous attention :)
