
8G Firewall Addon: Protect Against Rogue PHP File Attacks

My sites have been getting hammered by a massive, relentless attack coming through a very large VPN/proxy network: thousands of requests every minute, 24/7, non-stop, and every one of them requesting a rogue PHP file that does not exist on the server. The server held up fine, but the flood was weighing on precious server resources and the nonsense needed to stop. So I wrote a tight little addon for my 8G Firewall that blocks the entire attack with a few lines of .htaccess.

Related: Check out the 8G Firewall, now open for beta testing :)

Mapping the Network

In my first effort to block the endless requests for non-existent files, I mapped around 100 of the VPN/proxy IP addresses employed in the attack. From what I can tell, this wave of attacks is running on a very large network: it kept hitting my sites from new locations, and I eventually got tired (bored) of chasing a seemingly endless supply of proxy IP addresses. So I changed approach. Instead of going after IP addresses, I started mapping the files that were actually being targeted. A proxy address can be swapped out at any time, but the filenames being probed stay the same from one proxy to the next, which makes them the better thing to block.

Blocking the Attacks

After a few days of logging and analyzing the rogue-PHP requests, I had put together a block list covering every targeted filename that appeared in my logs. And indeed, immediately after implementing the following 8G addon, the attacks virtually stopped. Traffic and server load went back to normal. Sanity restored.
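The mapping workflow described above, turned into a runnable script. This is an added example of my own and not the author's tooling: it reads a constructed sample of Apache combined-format log lines (documentation IP ranges, invented requests), keeps only requests for .php files that returned 404, compares the number of distinct source IPs with the number of distinct target filenames, and renders the surviving filenames as a RewriteCond in the same shape as the addon. The min_hits threshold is my addition, so that a single 404 for one of your own renamed pages does not end up in the block list.

```python
import re
from collections import Counter

# Constructed Apache "combined" log lines for the demonstration; not the author's logs.
# Source addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Feb/2024:03:14:07 +0000] "GET /wso.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Feb/2024:03:14:09 +0000] "GET /wp-content/uploads/alfa.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.44 - - [11/Feb/2024:03:14:11 +0000] "POST /alfa.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.99 - - [11/Feb/2024:03:14:12 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 51 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Feb/2024:03:14:15 +0000] "GET /wso.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Feb/2024:03:14:20 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.5 - - [11/Feb/2024:03:14:22 +0000] "GET /shell.PHP HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.7 - - [11/Feb/2024:03:14:25 +0000] "GET /index.php?p=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.78 - - [11/Feb/2024:03:14:30 +0000] "GET /old/page.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_log(text):
    """Yield one dict per well-formed combined-format line; skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def rogue_php_requests(text):
    """(ip, path) for every request that asked for a .php file the server does not have (404).
    The query string is dropped because mod_rewrite's %{REQUEST_URI} never contains it."""
    hits = []
    for r in parse_log(text):
        path = r["target"].split("?", 1)[0]
        if r["status"] == "404" and path.lower().endswith(".php"):
            hits.append((r["ip"], path))
    return hits


def unique_ips(hits):
    """Distinct source addresses behind the rogue requests (the list that kept growing)."""
    return sorted({ip for ip, _ in hits})


def candidate_stems(hits, min_hits=1):
    """Case-folded filename stems with hit counts, ignoring the directory part.
    min_hits keeps a lone 404 for one of your own removed pages out of the block list."""
    counts = Counter(path.rsplit("/", 1)[-1][:-len(".php")].lower() for _, path in hits)
    return {stem: n for stem, n in counts.items() if n >= min_hits}


def render_block(stems):
    """A mini-firewall in the addon's shape: one case-insensitive RewriteCond over the stems,
    then a 403. Stems are regex-escaped and sorted so repeated runs diff cleanly."""
    alts = "|".join(re.escape(s) for s in sorted(stems))
    return "\n".join([
        "<IfModule mod_rewrite.c>",
        f"\tRewriteCond %{{REQUEST_URI}} /({alts})\\.php [NC]",
        "\tRewriteRule .* - [F,L]",
        "</IfModule>",
    ])


if __name__ == "__main__":
    hits = rogue_php_requests(SAMPLE_LOG)
    print(f"{len(hits)} rogue requests from {len(unique_ips(hits))} IPs "
          f"targeting {len(candidate_stems(hits))} distinct filenames")
    print(render_block(candidate_stems(hits, min_hits=2)))
```

On the sample, six rogue requests arrive from six different addresses but aim at only four filenames, and with the threshold set to two hits the block list shrinks to the two names that were probed repeatedly. Run it against a real access log by replacing SAMPLE_LOG with the file contents, and review the stems before pasting the output: any name that is also a real file on your site belongs in the exclusion pile, not the rule.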

I monitored things closely for a few days, keeping an eye out for false positives. Now, a couple of months later, the 8G addon remains in place across my sites and everything is running smoothly with zero false positives (so far). Before relying on it yourself, exercise the parts of your site whose filenames appear in the list. In WordPress that means the media uploader (/wp-admin/async-upload.php) and, on Multisite, the network setup and network settings screens (/wp-admin/network.php and /wp-admin/network/settings.php), because async-upload, network and settings are all in the rules and a request for those core files would match. If you would like to protect against the relentless Rogue PHP Files Attack, include the following "mini firewall" addon in your site's root .htaccess file:

# 8G FIREWALL:[ROGUE PHP FILES]
# https://m0n.co/8g-addon-rogue-php-files
#
# Each RewriteCond matches the request path (query string excluded), case-insensitive (NC).
# The pattern is not anchored at the end, so /dir/shell.php, /shell.php5 and /shell.php.bak all
# match. The conditions are OR-chained: one hit is enough and the RewriteRule answers 403.
<IfModule mod_rewrite.c>

	# Numbers, single letters, a* names
	RewriteCond %{REQUEST_URI} /(_0-load|00|00212|007|00x69|01|05623ecdddd|07|08_45_27_loggo|0803|0|0aa1883c|0byte|0day|0m|0wn3d|1|2|10|100|404|911|1050804k|a|b|d|g|k|abc|admin1|adminer|ajaxcommandshell|akismet|alf4|alfa|alfa2|alfa5|alfashell|alfx|alfa4|alfav4|amad|anasslost|anassgmr|ancvxia|ande|andre|andr3a|angel|angelwhitehat|angie|anonghost|anonghostshell|an0n|an0nym0us|anoncol7|anongt|anonym0us|anonymous|anzost|ars|as|async-upload)\.php [NC,OR]
	# b* to g* names
	RewriteCond %{REQUEST_URI} /(b374k|beez|black|bloodsecv4|bump|byp|byp4ss|bypas|bypass|c|c22|c99|c100|cgi|changeall|cmd|con|config|configuration|cp|cpanel|cpn|css|cyber|d0mains|d4rk|dam|db|disqus|dom|drm|dz|dz0|egy|egyshell|eval|exp|exploit|exploits|f0x|file|filemanager|fm|fox|foxx|func|fx|fx0|gaza|golge)\.php [NC,OR]
	# h* to r* names
	RewriteCond %{REQUEST_URI} /(h4ck|h4cked|h4ntu|h4x|h4x0r|hack|hax|index1|indoxploit|info|inj3ct0r|ironshell|isko|islam|j3|jackal|jacker|jaguar|ja|jaja|jajaja|jar|java|javacpl|killer|king|ksa|l3b|ls|m1n1|madspot|madspotshell|m4r0c|marvins|mini|minishell|modules|mysql|network|newshell|newup|nkr|offline|olux|pr1v|press-this|priv|priv8|r1z|r0k|r00t|r57|readme|root)\.php [NC,OR]
	# s* to v* names
	RewriteCond %{REQUEST_URI} /(s|sa|sa2|sado|settings|sh3ll|shel|shell|sm|smevk|sniper|sok|sql|sql-new|ss|sym|sym403|sym404|symbpass|syml1nk|symlink|symlinkbypass|syrian_shell|system|system_log|t00|think|tmp|up|uploader|uploads|uploadfile|uploadfile1|user|v4team|vuln)\.php [NC,OR]
	# w* to z* names (duplicate entries removed)
	RewriteCond %{REQUEST_URI} /(w|w3br00t|webadmin|webr00t|webroot|whmcrack|whmcracker|whmcs|wp-|wp-ajax|ws|ws0|wso|wsoshell|ws0shell|wso25|x|xa|xccc|xd|xx|xxx|zdz|zone-h)\.php [NC,OR]
	# Non-PHP probes seen in the same attack; last condition, so no OR
	RewriteCond %{REQUEST_URI} /(admin2\.asp|alfa-shell-v4(.*)|blindshell\.c|cgishell\.pl|controller\.ashx|jaguar\.izri|perl\.alfa|xx\.pl) [NC]

	RewriteRule .* - [F,L]

</IfModule>

No changes to the code are necessary; paste it in as-is. If you happen to encounter any false positives, please report them in the comments below, or, if comments are closed, via my contact form. For further information about nG Firewall, including setup, testing, logging, and more, check out About nG Firewall.
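A way to hunt for false positives before going live, offered as an added example of my own rather than part of the 8G Firewall. The script takes the addon's RewriteCond lines as published above, compiles each pattern with Python's re (the patterns are plain alternations, so they compile unchanged, and NC becomes IGNORECASE), and emulates what mod_rewrite does with %{REQUEST_URI}: it matches the request path, with %XX sequences decoded and the query string removed, against the OR-chained conditions, where any hit means 403. The WordPress core paths and the sample attack paths are my own test inputs; the rule text is the addon's.

```python
import re
from urllib.parse import unquote, urlsplit

# The addon's conditions as published on this page (Apache mod_rewrite, .htaccess context).
ADDON_HTACCESS = r"""
<IfModule mod_rewrite.c>
    RewriteCond %{REQUEST_URI} /(_0-load|00|00212|007|00x69|01|05623ecdddd|07|08_45_27_loggo|0803|0|0aa1883c|0byte|0day|0m|0wn3d|1|2|10|100|404|911|1050804k|a|b|d|g|k|abc|admin1|adminer|ajaxcommandshell|akismet|alf4|alfa|alfa2|alfa5|alfashell|alfx|alfa4|alfav4|amad|anasslost|anassgmr|ancvxia|ande|andre|andr3a|angel|angelwhitehat|angie|anonghost|anonghostshell|an0n|an0nym0us|anoncol7|anongt|anonym0us|anonymous|anzost|ars|as|async-upload)\.php [NC,OR]
    RewriteCond %{REQUEST_URI} /(b374k|beez|black|bloodsecv4|bump|byp|byp4ss|bypas|bypass|c|c22|c99|c100|cgi|changeall|cmd|con|config|configuration|cp|cpanel|cpn|css|cyber|d0mains|d4rk|dam|db|disqus|dom|drm|dz|dz0|egy|egyshell|eval|exp|exploit|exploits|f0x|file|filemanager|fm|fox|foxx|func|fx|fx0|gaza|golge)\.php [NC,OR]
    RewriteCond %{REQUEST_URI} /(h4ck|h4cked|h4ntu|h4x|h4x0r|hack|hax|index1|indoxploit|info|inj3ct0r|ironshell|isko|islam|j3|jackal|jacker|jaguar|ja|jaja|jajaja|jar|java|javacpl|killer|king|ksa|l3b|ls|m1n1|madspot|madspotshell|m4r0c|marvins|mini|minishell|modules|mysql|network|newshell|newup|nkr|offline|olux|pr1v|press-this|priv|priv8|r1z|r0k|r00t|r57|readme|root)\.php [NC,OR]
    RewriteCond %{REQUEST_URI} /(s|sa|sa2|sado|settings|sh3ll|shel|shell|sm|smevk|sniper|sok|sql|sql-new|ss|sym|sym403|sym404|symbpass|syml1nk|symlink|symlinkbypass|syrian_shell|system|system_log|t00|think|tmp|up|uploader|uploads|uploadfile|uploadfile1|user|v4team|vuln)\.php [NC,OR]
    RewriteCond %{REQUEST_URI} /(w|w3br00t|webadmin|webr00t|webroot|whmcrack|whmcracker|whmcs|wp-|wp-ajax|ws|ws0|wso|wsoshell|ws0shell|wso25|wsoshell|up|x|xa|xccc|xd|xx|xxx|zdz|zone-h)\.php [NC,OR]
    RewriteCond %{REQUEST_URI} /(admin2\.asp|alfa-shell-v4(.*)|blindshell\.c|cgishell\.pl|controller\.ashx|jaguar\.izri|perl\.alfa|xx\.pl) [NC]
    RewriteRule .* - [F,L]
</IfModule>
"""

# RewriteCond %{REQUEST_URI} <pattern> [flags]  (the patterns contain no whitespace)
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{REQUEST_URI\}\s+(\S+)\s+\[([^\]]*)\]\s*$")


def load_conditions(htaccess_text):
    """Compile every REQUEST_URI condition; NC maps to re.IGNORECASE."""
    conds = []
    for line in htaccess_text.splitlines():
        m = COND_RE.match(line)
        if not m:
            continue
        pattern, flags = m.group(1), {f.strip().upper() for f in m.group(2).split(",")}
        conds.append(re.compile(pattern, re.IGNORECASE if "NC" in flags else 0))
    return conds


def is_blocked(url, conds):
    """Emulate the addon: %{REQUEST_URI} is the request path with %XX decoded and without
    the query string; the conditions are OR-chained, so a single match yields the 403."""
    path = unquote(urlsplit(url).path)
    return any(c.search(path) for c in conds)


def false_positives(paths, conds):
    """Legitimate paths the rules would refuse, in input order."""
    return [p for p in paths if is_blocked(p, conds)]


CONDS = load_conditions(ADDON_HTACCESS)

# WordPress core endpoints a working site requests (my test inputs, not from the article).
LEGIT_WORDPRESS_PATHS = [
    "/index.php",
    "/wp-login.php",
    "/wp-cron.php",
    "/xmlrpc.php",
    "/wp-admin/admin.php?page=wp-mail-smtp",   # settings page reported in the comments
    "/wp-admin/admin-ajax.php",
    "/wp-admin/upload.php",
    "/wp-admin/async-upload.php",              # media uploader endpoint
    "/wp-admin/network.php",                   # Multisite: Network Setup
    "/wp-admin/network/settings.php",          # Multisite: Network Settings
]

# Requests of the kind the addon is meant to stop (my test inputs).
ATTACK_PATHS = ["/wso.php", "/wp-content/uploads/alfa.php", "/Shell.PHP", "/cmd.php5", "/%77so.php"]

if __name__ == "__main__":
    print("conditions loaded:", len(CONDS))
    print("legit paths blocked:", false_positives(LEGIT_WORDPRESS_PATHS, CONDS))
    print("attack paths missed:", [p for p in ATTACK_PATHS if not is_blocked(p, CONDS)])
    print("/admin.php blocked (entry removed 2024/03/04):", is_blocked("/admin.php", CONDS))
```

With the rules as published, the three WordPress core paths whose names appear in the list (async-upload, network, settings) come back as blocked, which matches what the Multisite and upload reports in the comments describe, while admin.php, admin-ajax.php and upload.php pass, and every sample attack path, including the upper-case and percent-encoded variants and the .php5 suffix, is caught. Swap in your own site's URLs (from the access log of a logged-in session, for instance) to get the same answer for your setup before the rules go live.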

Also, here is the changelog for this 8G addon.

nG stands for “nth generation”. So 8G refers to the 8th-generation firewall.

License & Disclaimer

The above 8G Firewall addon is open source and 100% free for all. The only requirement is that the following credit lines are included along with the code:

# 8G FIREWALL:[ROGUE PHP FILES]
# https://m0n.co/8g-addon-rogue-php-files

Other than that, it’s all yours!

Disclaimer

The 8G Firewall and its addons are provided “as-is”, with the intention of helping people protect their sites against bad requests and other malicious activity. The code is open and free to use and modify as long as the first two credit lines remain intact. By using this code you assume all risk and responsibility for anything that happens. So use wisely, test thoroughly, and enjoy the benefits of my work :)

Note: Like the nG Firewall, the addon is not tied to WordPress; it protects any site that Apache serves with mod_rewrite enabled, which is what the .htaccess code above requires. Nginx does not read .htaccess files, so on an Nginx server the same patterns have to be expressed in the server configuration instead.
Note: nG Firewall (any version) is not required for this addon to work. The addon works with or without nG Firewall.

Changelog

Changes made to 8G “Rogue PHP File” Addon:

  • 2024/03/04 – Removes |admin from Request URI rules

Show support

I spend countless hours developing the nG Firewall and its various addons. I share my work freely and openly with the hope that it will help make the Web a more secure place for everyone.

If you benefit from my work with nG Firewall and would like to show support, consider buying one of my books, such as .htaccess made easy. You’ll get a complete guide to .htaccess, exclusive forum access, and a ton of awesome techniques for configuring, optimizing, and securing your site.

Of course, tweets, likes, links, and shares are super helpful and very much appreciated. Your generous support allows me to continue developing the nG Firewall and other awesome resources for the web-dev community.

Thank you kindly :)

Support 8G Firewall: Donate via PayPal, Stripe, or your favorite digital coin »

About the Author
Jeff Starr = Designer. Developer. Producer. Writer. Editor. Etc.

18 responses to “8G Firewall Addon: Protect Against Rogue PHP File Attacks”

  1. hi Jeff – where among the 8G code should this extra bit be placed?

  2. There are a couple of prefixes in there that will break WordPress installs when logged in, like admin|wp-ajax|async-upload, to name a few.

    • Jeff Starr 2024/02/13 10:14 am Reply

      Let me know how to repeat any false positive and I’ll update the rules asap. Note I’ve been running this addon for several months now with no issues whatsoever. But I will admit I don’t use all parts of WordPress on every site.

      • I tried it on my main site and I was blocked from accessing a number of pages in my admin area. I fixed the issue by removing admin. I noted that all of the plugin pages I could not access included admin.php in their URL strings. I do not seem to have any other issues with it.

        I have a second site with a very similar set-up and in that case, the unmodified 8G Firewall Addon causes no issues, even with the exact same plugin pages I had issues with on NLJ.

      • Jeff Starr 2024/02/19 9:31 pm

        Thanks for the feedback. I’ve been using the addon on several sites for several months with no false positives. I would guess that on the first site you mention, there is some plugin or function that is modifying default WordPress URLs, or something. If you want to share the actual false-positive URLs that you were getting, it would be useful in further diagnosis.

  3. When will 8G be out of beta?

  4. Can I globally introduce the 8G firewall for all domains in Apache2, or only by editing .htaccess files manually?

  5. Running a multisite WP network, I had to remove the |settings| on the 4th line of RewriteCond to be able to access /wp-admin/network/settings.php
    I also removed |admin| and |wp-ajax| and |async-upload as mentioned by someone else, which was blocking file uploads from the admin, though I didn’t investigate which combination of those last 3 had false positives when dropping any media file onto /wp-admin/upload.php

    • Jeff Starr 2024/02/29 10:57 am Reply

      Hey thanks. Can you provide examples of the actual URLs that are getting blocked on Multisite? That will make it easier/possible to verify and try to resolve any issues. No need to share the domain name, just replace with example.com or whatever. Thank you FBO

      • I thought the network settings page for the super-admin located at example.com/wp-admin/network/settings.php was blocked at line 4 of RewriteCond.
        But I’ve tested again regarding image upload with 8G FIREWALL v1.3 20240222 (and the latest version of WordPress, 6.4.3) and the good news is I can’t reproduce the initial issue (for |admin| and |wp-ajax| and |async-upload, nor for |network); maybe it was the updates I did in the meantime (from WP 5.1.18 to 5.3.17, then to 6.2.4 and finally 6.4.3), or some 1.2beta version of 8G firewall, or some bad copy-pasting compliant htaccess editor, so these RewriteCond are now fine for me too and I will keep them in my htaccess file as is. Thanks for all the good job.

      • Okay great, thanks for the follow-up. Feel free to report any false positives or other feedback, questions, etc. Always glad to help.

  6. I have just tried this addon on my phpBB board and it blocks attached images (i.e. images uploaded to the board, not remotely linked images). Removing the addon and the images became instantly viewable.

    • Jeff Starr 2024/03/04 12:51 pm Reply

      If you can get the actual URL that is getting blocked, I will be able to resolve any false positive asap. Otherwise not much I can do, not a phpBB board user and don’t have time rn to set it up. Thanks, James.

  7. False positive: the plugin settings page of this plugin is blocked:

    /wp-admin/admin.php?page=wp-mail-smtp

    I solved it by removing admin| from the first rule.
    Happens with other settings pages also.

