8G Firewall Addon: Protect Against Rogue PHP File Attacks
Been getting hit with massive attacks on all sites. Very large VPN/proxy network. Relentless requests 24/7, thousands of requests every minute, just non-stop attacks. All URL requests targeting rogue PHP files. The attacks were weighing on precious server resources. Server held up fine but this nonsense needed to stop. So I wrote a tight little addon for my 8G Firewall. Blocks the entire attack with just a few clicks.
Mapping the Network
In my first effort to block the endless requests for non-existent files, I mapped around 100 of the VPN/proxy IP addresses employed for the attack. From what I can tell, this wave of attacks is running on a very large network. It kept hitting my sites from new locations, and I eventually got tired (bored) of chasing around the seemingly endless supply of proxy IP addresses. So I changed it up. Instead of going after IP addresses, I started mapping the actual files that were being targeted.
Blocking the Attacks
After a few days logging and analyzing the rogue-PHP requests, I had put together a block list that was mostly complete, covering every request in the attack. And indeed, immediately after implementing the following 8G add-on, the attacks virtually stopped. Traffic and server load back to normal. Sanity restored.
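The mapping step described above (log the requests, then work out which file names are being probed rather than which IPs are probing) can be automated. The following is an added example, not code from the original post: it parses Apache combined-format access log lines (constructed samples, not the author's logs), keeps only requests for `.php` files that the server answered with 404, tallies the requested base names and the distinct source IPs per name, and emits RewriteCond lines in the same shape as the addon. The log format regex, the function names and the 404-only filter are assumptions of this example.

```python
import posixpath
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample log lines in Apache "combined" format (not from the page).
# RFC 5737 documentation addresses stand in for the proxy network.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2024:10:00:01 +0000] "GET /wp-content/uploads/alfa.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Mar/2024:10:00:02 +0000] "GET /wso.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2024:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.12 - - [01/Mar/2024:10:00:04 +0000] "POST /alfa.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.13 - - [01/Mar/2024:10:00:05 +0000] "GET /old/shell.php?x=1 HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.8 - - [01/Mar/2024:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Mar/2024:10:00:07 +0000] "GET /WSO.PHP HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def php_basename(target):
    """Lower-cased file name without '.php' for a request target, else None.

    The query string is dropped first because mod_rewrite's %{REQUEST_URI}
    does not include it either.
    """
    name = posixpath.basename(urlsplit(target).path).lower()
    if not name.endswith('.php'):
        return None
    return name[:-4] or None


def map_rogue_php(log_text, statuses=frozenset({404})):
    """Tally requested .php base names that got a 404, and the IPs asking for them.

    Restricting to 404 keeps files that really exist on the site (wp-login.php,
    index.php, ...) out of the candidate block list.
    """
    hits = Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or int(rec['status']) not in statuses:
            continue
        name = php_basename(rec['target'])
        if name is None:
            continue
        hits[name] += 1
        sources[name].add(rec['ip'])
    return hits, sources


def build_rewriteconds(names, per_line=50):
    """Render RewriteCond lines in the addon's style, chunked so lines stay readable.

    Every condition but the last carries [NC,OR]; the last closes the OR chain
    with [NC] and is followed by the deny rule.
    """
    names = sorted(set(names))
    lines = []
    for i in range(0, len(names), per_line):
        chunk = '|'.join(re.escape(n) for n in names[i:i + per_line])
        lines.append(f'RewriteCond %{{REQUEST_URI}} /({chunk})\\.php [NC,OR]')
    if lines:
        lines[-1] = lines[-1].replace(' [NC,OR]', ' [NC]')
        lines.append('RewriteRule .* - [F,L]')
    return lines


if __name__ == '__main__':
    hits, sources = map_rogue_php(SAMPLE_LOG)
    for name, count in hits.most_common():
        print(f'{name:12} {count:4} requests from {len(sources[name])} IP(s)')
    print('\n'.join(build_rewriteconds(hits)))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; the per-name IP sets are what show a single file being probed from many addresses, which is the signal that mapping file names scales better than mapping IPs. Review the output before pasting it into `.htaccess`: a name that also exists as a real file on another site of yours should not go into a shared block list.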
I monitored things closely for a few days, keeping a close eye out for any false positives. Now a couple of months later, the 8G add-on remains in place across my sites and everything is super smooth with zero false positives (so far). If you would like to protect against the relentless Rogue PHP Files Attack, include the following “mini firewall” addon in your site’s root .htaccess file:
# 8G FIREWALL:[ROGUE PHP FILES]
# https://m0n.co/8g-addon-rogue-php-files
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_URI} /(_0-load|00|00212|007|00x69|01|05623ecdddd|07|08_45_27_loggo|0803|0|0aa1883c|0byte|0day|0m|0wn3d|1|2|10|100|404|911|1050804k|a|b|d|g|k|abc|admin1|adminer|ajaxcommandshell|akismet|alf4|alfa|alfa2|alfa5|alfashell|alfx|alfa4|alfav4|amad|anasslost|anassgmr|ancvxia|ande|andre|andr3a|angel|angelwhitehat|angie|anonghost|anonghostshell|an0n)\.php [NC,OR]
RewriteCond %{REQUEST_URI} /(an0nym0us|anoncol7|anongt|anonym0us|anonymous|anzost|ars|as|b374k|beez|black|bloodsecv4|bump|byp|byp4ss|bypas|bypass|c|c22|c99|c100|cgi|changeall|cmd|con|config|configuration|cp|cpanel|cpn|css|cyber|d0mains|d4rk|dam|db|disqus|dom|drm|dz|dz0|egy|egyshell|eval|exp|exploit|exploits|f0x|file|filemanager|fm|fox|foxx|func|fx|fx0|gaza|golge)\.php [NC,OR]
RewriteCond %{REQUEST_URI} /(h4ck|h4cked|h4ntu|h4x|h4x0r|hack|hax|index1|indoxploit|info|inj3ct0r|ironshell|isko|islam|j3|jackal|jacker|jaguar|ja|jaja|jajaja|jar|java|javacpl|killer|king|ksa|l3b|ls|m1n1|madspot|madspotshell|m4r0c|marvins|mini|minishell|modules|mysql|network|newshell|newup|nkr|offline|olux|pr1v|press-this|priv|priv8|r1z|r0k|r00t|r57|readme|root)\.php [NC,OR]
RewriteCond %{REQUEST_URI} /(s|sa|sa2|sado|sh3ll|shel|shell|sm|smevk|sniper|sok|sql|sql-new|ss|sym|sym403|sym404|symbpass|syml1nk|symlink|symlinkbypass|syrian_shell|system|system_log|t00|think|tmp|up|uploader|uploads|uploadfile|uploadfile1|user|v4team|vuln)\.php [NC,OR]
RewriteCond %{REQUEST_URI} /(w|w3br00t|webadmin|webr00t|webroot|whmcrack|whmcracker|whmcs|wp-|ws|ws0|wso|wsoshell|ws0shell|wso25|wsoshell|up|x|xa|xccc|xd|xx|xxx|zdz|zone-h)\.php [NC,OR]
RewriteCond %{REQUEST_URI} /(admin2\.asp|alfa-shell-v4(.*)|blindshell\.c|cgishell\.pl|controller\.ashx|jaguar\.izri|perl\.alfa|xx\.pl) [NC]
RewriteRule .* - [F,L]
</IfModule>
No changes are necessary. If you happen to encounter any false positives, please report them in the comments below. Or if comments are closed, you can reach me via my contact form. For further information about nG Firewall, including setup, testing, logging, and more, check out About nG Firewall.
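Before deploying the addon, it is worth checking it offline against the URLs your own site legitimately serves. The following is an added example, not code from the original post: it pulls the regex and flags out of each `RewriteCond %{REQUEST_URI} ...` line, evaluates them the way mod_rewrite does for this snippet (path only, no query string, case-insensitive when `NC` is set, any match denies because the conditions are chained with `OR`), and reports which allowlisted paths would be blocked and which known-bad names would slip through. The rule text below is a short excerpt of the addon rebuilt for the check, and Python's `re` is assumed to be close enough to Apache's PCRE for these simple alternations.

```python
import re
from urllib.parse import urlsplit

# Excerpt of the addon's conditions, shortened for this check. Paste the full
# snippet from the post here to test the real rule set.
RULES_EXCERPT = r"""
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_URI} /(akismet|alfa|b374k|c99|shell|wso|wp-)\.php [NC,OR]
RewriteCond %{REQUEST_URI} /(sym403|symlink|uploader|vuln)\.php [NC,OR]
RewriteCond %{REQUEST_URI} /(admin2\.asp|alfa-shell-v4(.*)|cgishell\.pl|xx\.pl) [NC]
RewriteRule .* - [F,L]
</IfModule>
"""

# Matches "RewriteCond %{REQUEST_URI} <pattern> [flags]"; patterns in the addon contain no spaces.
COND_RE = re.compile(
    r'^RewriteCond\s+%\{REQUEST_URI\}\s+(?P<pattern>\S+)(?:\s+\[(?P<flags>[^\]]*)\])?\s*$'
)


def parse_conditions(htaccess_text):
    """Compile every REQUEST_URI condition, honouring the NC (no-case) flag."""
    conds = []
    for line in htaccess_text.splitlines():
        m = COND_RE.match(line.strip())
        if not m:
            continue
        flags = {f.strip().upper() for f in (m.group('flags') or '').split(',') if f.strip()}
        conds.append(re.compile(m.group('pattern'), re.I if 'NC' in flags else 0))
    return conds


def is_blocked(uri, conds):
    """True if the request would hit the [F] rule.

    %{REQUEST_URI} is the path part only, so the query string is stripped; the
    conditions are OR-chained, so a single match is enough.
    """
    path = urlsplit(uri).path
    return any(c.search(path) for c in conds)


def check(conds, allow, deny):
    """Return (allowlisted paths that get blocked, bad names that get through)."""
    false_positives = [u for u in allow if is_blocked(u, conds)]
    misses = [u for u in deny if not is_blocked(u, conds)]
    return false_positives, misses


# Constructed lists: paths a typical WordPress site serves, and names seen in the attack.
ALLOW = [
    '/', '/index.php', '/wp-login.php', '/xmlrpc.php',
    '/wp-admin/admin-ajax.php?action=heartbeat',
    '/wp-content/themes/twentytwentyfour/style.css',
    '/wp-content/plugins/akismet/akismet.php',
]
DENY = ['/wso.php', '/WSO.PHP', '/wp-content/uploads/alfa.php', '/old/xx.pl', '/alfa-shell-v4.php']

if __name__ == '__main__':
    conds = parse_conditions(RULES_EXCERPT)
    fps, misses = check(conds, ALLOW, DENY)
    print('would be blocked but is allowlisted:', fps)
    print('should be blocked but gets through :', misses)
```

With this excerpt the only allowlisted hit is `/wp-content/plugins/akismet/akismet.php`, because `akismet` is one of the names in the list. Whether that counts as a false positive depends on the site: WordPress loads plugin files internally, and nothing in normal operation requests a plugin's main file over HTTP, so a block there will not be noticed by visitors, but the check makes the decision an explicit one rather than a surprise in the error log. Anything your site really does serve that shows up in the first list is what to report in the comments.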
Also, here is the changelog for this 8G addon.
License & Disclaimer
The above 8G Firewall addon is open source and 100% free for all. The only requirement is that the following credit lines are included along with the code:
# 8G FIREWALL:[ROGUE PHP FILES]
# https://m0n.co/8g-addon-rogue-php-files
Other than that, it’s all yours!
Disclaimer
The 8G Firewall and its addons are provided “as-is”, with the intention of helping people protect their sites against bad requests and other malicious activity. The code is open and free to use and modify as long as the first two credit lines remain intact. By using this code you assume all risk and responsibility for anything that happens. So use wisely, test thoroughly, and enjoy the benefits of my work :)
Changelog
Changes made to 8G “Rogue PHP File” Addon:
- 2024/03/04 – Removes pattern admin
- 2024/03/05 – Removes pattern async-upload
- 2024/03/05 – Removes pattern settings
- 2024/03/05 – Removes pattern wp-ajax
- 2024/03/05 – Reorganizes some patterns
Show support
I spend countless hours developing the nG Firewall and its various addons. I share my work freely and openly with the hope that it will help make the Web a more secure place for everyone.
If you benefit from my work with nG Firewall and would like to show support, consider buying one of my books, such as .htaccess made easy. You’ll get a complete guide to .htaccess, exclusive forum access, and a ton of awesome techniques for configuring, optimizing, and securing your site.
Of course, tweets, likes, links, and shares are super helpful and very much appreciated. Your generous support allows me to continue developing the nG Firewall and other awesome resources for the web-dev community.
Thank you kindly :)
30 responses to “8G Firewall Addon: Protect Against Rogue PHP File Attacks”
OK, then I do nothing :) Thanks for the answer :)