Fall Sale! Code FALL2024 takes 25% OFF our Pro Plugins & Books »
Web Dev + WordPress + Security

8G Firewall Addon: Protect Against Rogue PHP File Attacks

Been getting hit with massive attacks on all sites. Very large VPN/proxy network. Relentless requests 24/7, thousands of requests every minute, just non-stop attacks. All URL requests targeting rogue PHP files. The attacks were weighing on precious server resources. Server held up fine but this nonsense needed to stop. So I wrote a tight little addon for my 8G Firewall. Blocks the entire attack with just a few clicks..

Related: Check out the 8G Firewall, now open for beta testing :)

Mapping the Network

In my first effort to block the endless requests for non-existent files, I mapped around 100 of the VPN/proxy IP addresses employed for the attack. From what I can tell, this wave of attacks is running on a very large network. It kept hitting my sites from new locations, and I eventually got tired (bored) of chasing around the seemingly endless supply of proxy IP addresses. So I changed it up. Instead of going after IP addresses, I started mapping the actual files that were being targeted.

Blocking the Attacks

After a few days logging and analyzing the rogue-PHP requests, I had put together a block list that was mostly complete, covering every request in the attack. And indeed, immediately after implementing the following 8G add-on, the attacks virtually stopped. Traffic and server load back to normal. Sanity restored.

I monitored things closely for a few days, keeping a close eye out for any false positives. Now a couple of months later, the 8G add-on remains in place across my sites and everything is super smooth with zero false positives (so far). If you would like to protect against the relentless Rogue PHP Files Attack. Include the following “mini firewall” addon in your site’s root .htaccess file:

# 8G FIREWALL:[ROGUE PHP FILES]
# https://m0n.co/8g-addon-rogue-php-files
<IfModule mod_rewrite.c>

	RewriteCond %{REQUEST_URI} /(_0-load|00|00212|007|00x69|01|05623ecdddd|07|08_45_27_loggo|0803|0|0aa1883c|0byte|0day|0m|0wn3d|1|2|10|100|404|911|1050804k|a|b|d|g|k|abc|admin1|adminer|ajaxcommandshell|akismet|alf4|alfa|alfa2|alfa5|alfashell|alfx|alfa4|alfav4|amad|anasslost|anassgmr|ancvxia|ande|andre|andr3a|angel|angelwhitehat|angie|anonghost|anonghostshell|an0n)\.php [NC,OR]
	RewriteCond %{REQUEST_URI} /(an0nym0us|anoncol7|anongt|anonym0us|anonymous|anzost|ars|as|b374k|beez|black|bloodsecv4|bump|byp|byp4ss|bypas|bypass|c|c22|c99|c100|cgi|changeall|cmd|con|config|configuration|cp|cpanel|cpn|css|cyber|d0mains|d4rk|dam|db|disqus|dom|drm|dz|dz0|egy|egyshell|eval|exp|exploit|exploits|f0x|file|filemanager|fm|fox|foxx|func|fx|fx0|gaza|golge)\.php [NC,OR]
	RewriteCond %{REQUEST_URI} /(h4ck|h4cked|h4ntu|h4x|h4x0r|hack|hax|index1|indoxploit|info|inj3ct0r|ironshell|isko|islam|j3|jackal|jacker|jaguar|ja|jaja|jajaja|jar|java|javacpl|killer|king|ksa|l3b|ls|m1n1|madspot|madspotshell|m4r0c|marvins|mini|minishell|modules|mysql|network|newshell|newup|nkr|offline|olux|pr1v|press-this|priv|priv8|r1z|r0k|r00t|r57|readme|root)\.php [NC,OR]
	RewriteCond %{REQUEST_URI} /(s|sa|sa2|sado|sh3ll|shel|shell|sm|smevk|sniper|sok|sql|sql-new|ss|sym|sym403|sym404|symbpass|syml1nk|symlink|symlinkbypass|syrian_shell|system|system_log|t00|think|tmp|up|uploader|uploads|uploadfile|uploadfile1|user|v4team|vuln)\.php [NC,OR]
	RewriteCond %{REQUEST_URI} /(w|w3br00t|webadmin|webr00t|webroot|whmcrack|whmcracker|whmcs|wp-|ws|ws0|wso|wsoshell|ws0shell|wso25|wsoshell|up|x|xa|xccc|xd|xx|xxx|zdz|zone-h)\.php [NC,OR]
	RewriteCond %{REQUEST_URI} /(admin2\.asp|alfa-shell-v4(.*)|blindshell\.c|cgishell\.pl|controller\.ashx|jaguar\.izri|perl\.alfa|xx\.pl) [NC]

	RewriteRule .* - [F,L]

</IfModule>

No changes are necessary. If you happen to encounter any false positives, please report them in the comments below. Or if comments are closed, you can reach me via my contact form. For further information about nG Firewall, including setup, testing, logging, and more, check out About nG Firewall.

Also, here is the changelog for this 8G addon.

nG stands for “nth generation”. So 8G refers to the 8th-generation firewall.

License & Disclaimer

The above 8G Firewall addon is open source and 100% free for all. The only requirement is that the following credit lines are included along with the code:

# 8G FIREWALL:[ROGUE PHP FILES]
# https://m0n.co/8g-addon-rogue-php-files

Other than that, it’s all yours!

Disclaimer

The 8G Firewall and its addons are provided “as-is”, with the intention of helping people protect their sites against bad requests and other malicious activity. The code is open and free to use and modify as long as the first two credit lines remain intact. By using this code you assume all risk and responsibility for anything that happens. So use wisely, test thoroughly, and enjoy the benefits of my work :)

Note: Like the nG Firewall, the above addon works on any website powered by Apache or Nginx. WordPress not required.
Note: nG Firewall (any version) is not required for this addon to work. The addon works with or without nG Firewall.

Changelog

Changes made to 8G “Rogue PHP File” Addon:

  • 2024/03/04 – Removes pattern admin
  • 2024/03/05 – Removes pattern async-upload
  • 2024/03/05 – Removes pattern settings
  • 2024/03/05 – Removes pattern wp-ajax
  • 2024/03/05 – Reorganizes some patterns

Show support

I spend countless hours developing the nG Firewall and its various addons. I share my work freely and openly with the hope that it will help make the Web a more secure place for everyone.

If you benefit from my work with nG Firewall and would like to show support, consider buying one of my books, such as .htaccess made easy. You’ll get a complete guide to .htaccess, exclusive forum access, and a ton of awesome techniques for configuring, optimizing, and securing your site.

Of course, tweets, likes, links, and shares are super helpful and very much appreciated. Your generous support allows me to continue developing the nG Firewall and other awesome resources for the web-dev community.

Thank you kindly :)

Support 8G Firewall: Donate via PayPal, Stripe, or your favorite digital coin »

About the Author
Jeff Starr = Fullstack Developer. Book Author. Teacher. Human Being.
Banhammer: Protect your WordPress site against threats.

30 responses to “8G Firewall Addon: Protect Against Rogue PHP File Attacks”

  1. hi Jeff – where among the 8G code should this extra bit be placed?

  2. There are a couple prefixes in their that will break WordPress installs when logged in like admin|wp-ajax|async-upload, to name a few.

    • Let me know how to repeat any false positive and I’ll update the rules asap. Note I’ve been running this addon for several months now with no issues whatsoever. But I will admit I don’t use all parts the WordPress on every site.

      • I tried it on my main site and I was blocked from accessing a number of pages in my admin area. I fixed the issue by removing admin. I noted that all of the plugin pages I could not access included admin.php in their URL strings. I do not seem to have any other issues with it.

        I have a second site with a very similar set-up and in that case, the unmodified 8G Firewall Addon causes no issues, even with the exact same plugin pages I had issues with on NLJ.

      • Jeff Starr 2024/02/19 9:31 pm

        Thanks for the feedback. I’ve been using the addon on several sites for several months with no false positives. I would guess that on the first site you mention, there is some plugin or function that is modifying default WordPress URLs, or something. If you want to share the actual false-positive URLs that you were getting, it would be useful in further diagnosis.

  3. When will 8G be out of beta?

  4. can globally introduce 8g firewall for all domains in Apache2? or only editing htaccess files manually?

  5. Running a multisite WP network, I had to remove the |settings| on 4th line of RewriteCond to being able to access /wp-admin/network/settings.php
    I also removed |admin| and |wp-ajax| and |async-upload as mentionned by someone else, which was blocking file uploads from the admin, though I didn’t investigate which combination of those last 3 had false positives when dropping any media file to /wp-admin/upload.php

    • Hey thanks. Can you provide examples of the actual URLs that are getting blocked on Multisite? That will make it easier/possible to verify and try to resolve any issues. No need to share the domain name, just replace with example.com or whatever. Thank you FBO

      • I thought the network settings page for the super-admin located at example.com/wp-admin/network/settings.php was blocked at line 4 of RewriteCond.
        But I’ve tested again regarding images upload with 8G FIREWALL v1.3 20240222 (and last version of WordPress 6.4.3) and the good news is I can’t reproduce the initial issue (for |admin| and |wp-ajax| and |async-upload nor for |network) maybe it was the updates I did in the meantime (from WP 5.1.18, to 5.3.17, then to 6.2.4 and finaly 6.4.3) or some 1.2beta version from 8G firewall or some bad copy-pasting compliant htaccess editor, so these RewriteCond are now fine for me too and I will keep them in my htaccess file as is. Thanks for all the good job.

      • Okay great, thanks for the follow-up. Feel free to report any false positives or other feedback, questions, etc. Always glad to help.

      • Finaly got blocked again during uploads, had to remove async-upload from POST https://www.example.com/wp-admin/async-upload.php 403 (Forbidden) And multisite again blocked for settings at URL https://example.com/wp-admin/network/settings.php

      • Just updated the addon, thanks for reporting FBO.

  6. I have just tried this addon on my phpBB board and it blocks attached images (ie images uploaded to the board, not remotely linked images) Removing the addon and the images became instantly viewable.

    • If you can get the actual URL that is getting blocked, I will be able to resolve any false positive asap. Otherwise not much I can do, not a phpBB board user and don’t have time rn to set it up. Thanks, James.

  7. False positive: the plugin settings page of this plugin is blocked:

    /wp-admin/admin.php?page=wp-mail-smtp

    I solved it by removing admin| from the first rule.
    Happens with other settings pages also.

  8. Hi Jeff, thanks for updating the rule.
    A customer reported problems while uploading a highlighted image to a woocommerce product.
    Removing “async-upload” from the first rule fixed the problem.

  9. Thanks for the 8G edition. I have copied it into my .htaccess, but as with the 7G edition, I find numerous occurences of “H00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use ‘LimitInternalRecursion’ to increase the limit if necessary. Use ‘LogLevel debug’ to get a backtrace.” in my error.log. Not having control of the server, I cannot use ‘LimitInternalRecursion’ or /LogLevel debug’. At least some result from “HEAD / HTTP/2.0”.
    Have you any advice? Thanks

    • Ask your web host for help. If they won’t provide help, find another host that will help you. Or find a web host where you can access/make changes on the server. Also if you already have not tried it, try placing the nG rules before and after any existing mod_rewrite rules. First test with before, then test with after. It doesn’t always have an effect, but it can make the difference in some cases.

  10. Hi Jeff.
    Can I use the 8G firewall rules with WordPress security plugins like WordFence and Defender Pro?
    Is that advisable?
    Thnx.

    • Jeff Starr 2024/03/25 1:43 pm

      8G is compatible with any WP plugin that is written according to standards and best practices. Lots of sites out there running 8G with other security plugins, adds an extra layer of protection.

  11. Thanks for this block list. I have added some commonly scanned PHP file names from my own sites:

    alex|alwso|apismtp|ajaxupload|bck|beez5|cachee|civicrm|cmdb|env|foxwso|ghost|goods|haxor|health-check|hello|jindex|makh|myadmin|neogeofans|new|old|ozio|phpinfo|phpmyadmin|protostar|regist|sex|sh3llx|shx|srx|upload|webconfig|webroot|wb|wikiindex|wordpress|wso|xleet|xlet|xltavrat
  12. Great, I love you:) I got BBQ Pro, saves my blog, I also had firewall. htaccess as extra security. I´ve seen a lot of requests of, ads.txt, security.txt and so on. I do not have them, still lots of requests, any idea to do about it?

    • It depends on your own strategy. Look at it this way: if you do nothing the server returns a 404 Not Found status. Or if you block the server returns a 403 Forbidden status. Either way the requests are met with basically nothing, and the server is doing the same amount of work. So it’s up to you 100%.

Comments are closed for this post. Something to add? Let me know.
Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
USP Pro: Unlimited front-end forms for user-submitted posts and more.
Thoughts
Went out walking today and soaked up some sunshine. It felt good.
I have an original box/packaging for 2010 iMac if anyone wants it free let me know.
Always ask AI to cite its sources.
All free plugins updated and ready for WP 6.6 dropping next week. Pro plugin updates in the works also complete :)
99% of video thumbnail/previews are pure cringe. Goofy faces = Clickbait.
RIP ICQ
Crazy that we’re almost halfway thru 2024.
Newsletter
Get news, updates, deals & tips via email.
Email kept private. Easy unsubscribe anytime.