8G Firewall Addon: Protect Against Rogue PHP File Attacks
Been getting hit with massive attacks on all sites. Very large VPN/proxy network. Relentless requests 24/7, thousands of requests every minute, just non-stop attacks. All URL requests targeting rogue PHP files. The attacks were weighing on precious server resources. Server held up fine but this nonsense needed to stop. So I wrote a tight little addon for my 8G Firewall. Blocks the entire attack with just a few clicks.
Mapping the Network
In my first effort to block the endless requests for non-existent files, I mapped around 100 of the VPN/proxy IP addresses employed for the attack. From what I can tell, this wave of attacks is running on a very large network. It kept hitting my sites from new locations, and I eventually got tired (bored) of chasing around the seemingly endless supply of proxy IP addresses. So I changed it up. Instead of going after IP addresses, I started mapping the actual files that were being targeted.
Blocking the Attacks
After a few days logging and analyzing the rogue-PHP requests, I had put together a block list that was mostly complete, covering every request in the attack. And indeed, immediately after implementing the following 8G add-on, the attacks virtually stopped. Traffic and server load back to normal. Sanity restored.
I monitored things closely for a few days, keeping a close eye out for any false positives. Now a couple of months later, the 8G add-on remains in place across my sites and everything is super smooth with zero false positives (so far). If you would like to protect against the relentless Rogue PHP Files Attack, include the following “mini firewall” addon in your site’s root .htaccess file:
# 8G FIREWALL:[ROGUE PHP FILES]
# https://m0n.co/8g-addon-rogue-php-files
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_URI} /(_0-load|00|00212|007|00x69|01|05623ecdddd|07|08_45_27_loggo|0803|0|0aa1883c|0byte|0day|0m|0wn3d|1|2|10|100|404|911|1050804k|a|b|d|g|k|abc|admin1|adminer|ajaxcommandshell|akismet|alf4|alfa|alfa2|alfa5|alfashell|alfx|alfa4|alfav4|amad|anasslost|anassgmr|ancvxia|ande|andre|andr3a|angel|angelwhitehat|angie|anonghost|anonghostshell|an0n)\.php [NC,OR]
RewriteCond %{REQUEST_URI} /(an0nym0us|anoncol7|anongt|anonym0us|anonymous|anzost|ars|as|b374k|beez|black|bloodsecv4|bump|byp|byp4ss|bypas|bypass|c|c22|c99|c100|cgi|changeall|cmd|con|config|configuration|cp|cpanel|cpn|css|cyber|d0mains|d4rk|dam|db|disqus|dom|drm|dz|dz0|egy|egyshell|eval|exp|exploit|exploits|f0x|file|filemanager|fm|fox|foxx|func|fx|fx0|gaza|golge)\.php [NC,OR]
RewriteCond %{REQUEST_URI} /(h4ck|h4cked|h4ntu|h4x|h4x0r|hack|hax|index1|indoxploit|info|inj3ct0r|ironshell|isko|islam|j3|jackal|jacker|jaguar|ja|jaja|jajaja|jar|java|javacpl|killer|king|ksa|l3b|ls|m1n1|madspot|madspotshell|m4r0c|marvins|mini|minishell|modules|mysql|network|newshell|newup|nkr|offline|olux|pr1v|press-this|priv|priv8|r1z|r0k|r00t|r57|readme|root)\.php [NC,OR]
RewriteCond %{REQUEST_URI} /(s|sa|sa2|sado|sh3ll|shel|shell|sm|smevk|sniper|sok|sql|sql-new|ss|sym|sym403|sym404|symbpass|syml1nk|symlink|symlinkbypass|syrian_shell|system|system_log|t00|think|tmp|up|uploader|uploads|uploadfile|uploadfile1|user|v4team|vuln)\.php [NC,OR]
RewriteCond %{REQUEST_URI} /(w|w3br00t|webadmin|webr00t|webroot|whmcrack|whmcracker|whmcs|wp-|ws|ws0|wso|wsoshell|ws0shell|wso25|wsoshell|up|x|xa|xccc|xd|xx|xxx|zdz|zone-h)\.php [NC,OR]
RewriteCond %{REQUEST_URI} /(admin2\.asp|alfa-shell-v4(.*)|blindshell\.c|cgishell\.pl|controller\.ashx|jaguar\.izri|perl\.alfa|xx\.pl) [NC]
RewriteRule .* - [F,L]
</IfModule>
No changes are necessary. If you happen to encounter any false positives, please report them in the comments below. Or if comments are closed, you can reach me via my contact form. For further information about nG Firewall, including setup, testing, logging, and more, check out About nG Firewall.
Also, here is the changelog for this 8G addon.
License & Disclaimer
The above 8G Firewall addon is open source and 100% free for all. The only requirement is that the following credit lines are included along with the code:
# 8G FIREWALL:[ROGUE PHP FILES]
# https://m0n.co/8g-addon-rogue-php-files
Other than that, it’s all yours!
Disclaimer
The 8G Firewall and its addons are provided “as-is”, with the intention of helping people protect their sites against bad requests and other malicious activity. The code is open and free to use and modify as long as the first two credit lines remain intact. By using this code you assume all risk and responsibility for anything that happens. So use wisely, test thoroughly, and enjoy the benefits of my work :)
Changelog
Changes made to 8G “Rogue PHP File” Addon:
- 2024/03/04 – Removes pattern “admin”
- 2024/03/05 – Removes pattern “async-upload”
- 2024/03/05 – Removes pattern “settings”
- 2024/03/05 – Removes pattern “wp-ajax”
- 2024/03/05 – Reorganizes some patterns
Show support
I spend countless hours developing the nG Firewall and its various addons. I share my work freely and openly with the hope that it will help make the Web a more secure place for everyone.
If you benefit from my work with nG Firewall and would like to show support, consider buying one of my books, such as .htaccess made easy. You’ll get a complete guide to .htaccess, exclusive forum access, and a ton of awesome techniques for configuring, optimizing, and securing your site.
Of course, tweets, likes, links, and shares are super helpful and very much appreciated. Your generous support allows me to continue developing the nG Firewall and other awesome resources for the web-dev community.
Thank you kindly :)
30 responses to “8G Firewall Addon: Protect Against Rogue PHP File Attacks”
hi Jeff – where among the 8G code should this extra bit be placed?
Before or after should not matter. Test by requesting any of the .php file names.
There are a couple prefixes in there that will break WordPress installs when logged in like admin|wp-ajax|async-upload, to name a few.
Let me know how to repeat any false positive and I’ll update the rules asap. Note I’ve been running this addon for several months now with no issues whatsoever. But I will admit I don’t use all parts the WordPress on every site.
I tried it on my main site and I was blocked from accessing a number of pages in my admin area. I fixed the issue by removing admin. I noted that all of the plugin pages I could not access included admin.php in their URL strings. I do not seem to have any other issues with it.
I have a second site with a very similar set-up and in that case, the unmodified 8G Firewall Addon causes no issues, even with the exact same plugin pages I had issues with on NLJ.
Thanks for the feedback. I’ve been using the addon on several sites for several months with no false positives. I would guess that on the first site you mention, there is some plugin or function that is modifying default WordPress URLs, or something. If you want to share the actual false-positive URLs that you were getting, it would be useful in further diagnosis.
When will 8G be out of beta?
Within the next few days, big update coming :)
Can I introduce the 8G Firewall globally for all domains in Apache2, or only by editing .htaccess files manually?
It can be added either way, via Apache config or local .htaccess file.
Running a multisite WP network, I had to remove the |settings| on 4th line of RewriteCond to be able to access /wp-admin/network/settings.php
I also removed |admin| and |wp-ajax| and |async-upload as mentioned by someone else, which was blocking file uploads from the admin, though I didn’t investigate which combination of those last 3 had false positives when dropping any media file to /wp-admin/upload.php
Hey thanks. Can you provide examples of the actual URLs that are getting blocked on Multisite? That will make it easier/possible to verify and try to resolve any issues. No need to share the domain name, just replace with example.com or whatever. Thank you FBO
I thought the network settings page for the super-admin located at example.com/wp-admin/network/settings.php was blocked at line 4 of RewriteCond.
But I’ve tested again regarding images upload with 8G FIREWALL v1.3 20240222 (and last version of WordPress 6.4.3) and the good news is I can’t reproduce the initial issue (for |admin| and |wp-ajax| and |async-upload nor for |network) maybe it was the updates I did in the meantime (from WP 5.1.18, to 5.3.17, then to 6.2.4 and finally 6.4.3) or some 1.2beta version from 8G firewall or some bad copy-pasting compliant htaccess editor, so these RewriteCond are now fine for me too and I will keep them in my htaccess file as is. Thanks for all the good job.
Okay great, thanks for the follow-up. Feel free to report any false positives or other feedback, questions, etc. Always glad to help.
Finally got blocked again during uploads, had to remove async-upload from POST https://www.example.com/wp-admin/async-upload.php 403 (Forbidden)
And multisite again blocked for settings at URL https://example.com/wp-admin/network/settings.php
Just updated the addon, thanks for reporting FBO.
I have just tried this addon on my phpBB board and it blocks attached images (i.e. images uploaded to the board, not remotely linked images). Removing the addon and the images became instantly viewable.
If you can get the actual URL that is getting blocked, I will be able to resolve any false positive asap. Otherwise not much I can do, not a phpBB board user and don’t have time rn to set it up. Thanks, James.
False positive: the plugin settings page of this plugin is blocked:
/wp-admin/admin.php?page=wp-mail-smtp
I solved it by removing admin| from the first rule. Happens with other settings pages also.
Yep got it. Will push an update later today or tomorrow. Thanks, hleen.
Hi Jeff, thanks for updating the rule.
A customer reported problems while uploading a highlighted image to a woocommerce product.
Removing “async-upload” from the first rule fixed the problem.
You are very welcome, hleen. And yes removed async-upload a couple of days ago, check the changelog for details.
Thanks for the 8G edition. I have copied it into my .htaccess, but as with the 7G edition, I find numerous occurrences of “H00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use ‘LimitInternalRecursion’ to increase the limit if necessary. Use ‘LogLevel debug’ to get a backtrace.” in my error.log. Not having control of the server, I cannot use ‘LimitInternalRecursion’ or ‘LogLevel debug’. At least some result from “HEAD / HTTP/2.0”.
Have you any advice? Thanks
Ask your web host for help. If they won’t provide help, find another host that will help you. Or find a web host where you can access/make changes on the server. Also if you already have not tried it, try placing the nG rules before and after any existing mod_rewrite rules. First test with before, then test with after. It doesn’t always have an effect, but it can make the difference in some cases.
Hi Jeff.
Can I use the 8G firewall rules with WordPress security plugins like WordFence and Defender Pro?
Is that advisable?
Thnx.
8G is compatible with any WP plugin that is written according to standards and best practices. Lots of sites out there running 8G with other security plugins, adds an extra layer of protection.
Thanks for this block list. I have added some commonly scanned PHP file names from my own sites:
Great, I love you:) I got BBQ Pro, saves my blog, I also had firewall .htaccess as extra security. I’ve seen a lot of requests of, ads.txt, security.txt and so on. I do not have them, still lots of requests, any idea to do about it?
It depends on your own strategy. Look at it this way: if you do nothing the server returns a 404 Not Found status. Or if you block the server returns a 403 Forbidden status. Either way the requests are met with basically nothing, and the server is doing the same amount of work. So it’s up to you 100%.