8G Firewall Addon: Protect Against Rogue PHP File Attacks

Been getting hit with massive attacks on all sites. Very large VPN/proxy network. Relentless requests 24/7, thousands of requests every minute, just non-stop attacks. All URL requests targeting rogue PHP files. The attacks were weighing on precious server resources. Server held up fine but this nonsense needed to stop. So I wrote a tight little addon for my 8G Firewall. Blocks the entire attack with just a few clicks.

Related: Check out the 8G Firewall, now open for beta testing :)

Mapping the Network

In my first effort to block the endless requests for non-existent files, I mapped around 100 of the VPN/proxy IP addresses employed for the attack. From what I can tell, this wave of attacks is running on a very large network. It kept hitting my sites from new locations, and I eventually got tired (bored) of chasing around the seemingly endless supply of proxy IP addresses. So I changed it up. Instead of going after IP addresses, I started mapping the actual files that were being targeted.

Blocking the Attacks

After a few days logging and analyzing the rogue-PHP requests, I had put together a block list that was mostly complete, covering every request in the attack. And indeed, immediately after implementing the following 8G add-on, the attacks virtually stopped. Traffic and server load back to normal. Sanity restored.

I monitored things closely for a few days, keeping a close eye out for any false positives. Now a couple of months later, the 8G add-on remains in place across my sites and everything is super smooth with zero false positives (so far). If you would like to protect against the relentless Rogue PHP Files Attack, include the following “mini firewall” addon in your site’s root .htaccess file:

# 8G FIREWALL:[ROGUE PHP FILES]
# https://m0n.co/8g-addon-rogue-php-files
<IfModule mod_rewrite.c>

	RewriteCond %{REQUEST_URI} /(_0-load|00|00212|007|00x69|01|05623ecdddd|07|08_45_27_loggo|0803|0|0aa1883c|0byte|0day|0m|0wn3d|1|2|10|100|404|911|1050804k|a|b|d|g|k|abc|admin1|adminer|ajaxcommandshell|akismet|alf4|alfa|alfa2|alfa5|alfashell|alfx|alfa4|alfav4|amad|anasslost|anassgmr|ancvxia|ande|andre|andr3a|angel|angelwhitehat|angie|anonghost|anonghostshell|an0n)\.php [NC,OR]
	RewriteCond %{REQUEST_URI} /(an0nym0us|anoncol7|anongt|anonym0us|anonymous|anzost|ars|as|b374k|beez|black|bloodsecv4|bump|byp|byp4ss|bypas|bypass|c|c22|c99|c100|cgi|changeall|cmd|con|config|configuration|cp|cpanel|cpn|css|cyber|d0mains|d4rk|dam|db|disqus|dom|drm|dz|dz0|egy|egyshell|eval|exp|exploit|exploits|f0x|file|filemanager|fm|fox|foxx|func|fx|fx0|gaza|golge)\.php [NC,OR]
	RewriteCond %{REQUEST_URI} /(h4ck|h4cked|h4ntu|h4x|h4x0r|hack|hax|index1|indoxploit|info|inj3ct0r|ironshell|isko|islam|j3|jackal|jacker|jaguar|ja|jaja|jajaja|jar|java|javacpl|killer|king|ksa|l3b|ls|m1n1|madspot|madspotshell|m4r0c|marvins|mini|minishell|modules|mysql|network|newshell|newup|nkr|offline|olux|pr1v|press-this|priv|priv8|r1z|r0k|r00t|r57|readme|root)\.php [NC,OR]
	RewriteCond %{REQUEST_URI} /(s|sa|sa2|sado|sh3ll|shel|shell|sm|smevk|sniper|sok|sql|sql-new|ss|sym|sym403|sym404|symbpass|syml1nk|symlink|symlinkbypass|syrian_shell|system|system_log|t00|think|tmp|up|uploader|uploads|uploadfile|uploadfile1|user|v4team|vuln)\.php [NC,OR]
	RewriteCond %{REQUEST_URI} /(w|w3br00t|webadmin|webr00t|webroot|whmcrack|whmcracker|whmcs|wp-|ws|ws0|wso|wsoshell|ws0shell|wso25|wsoshell|up|x|xa|xccc|xd|xx|xxx|zdz|zone-h)\.php [NC,OR]
	RewriteCond %{REQUEST_URI} /(admin2\.asp|alfa-shell-v4(.*)|blindshell\.c|cgishell\.pl|controller\.ashx|jaguar\.izri|perl\.alfa|xx\.pl) [NC]

	RewriteRule .* - [F,L]

</IfModule>

No changes are necessary. If you happen to encounter any false positives, please report them in the comments below. Or if comments are closed, you can reach me via my contact form. For further information about nG Firewall, including setup, testing, logging, and more, check out About nG Firewall.
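One way to look for false positives before deploying the addon is to replay an existing access log against its conditions. The script below is an added example, not part of the original addon or the 8G project: the function names, the condensed rule excerpt and the sample log lines are constructed for illustration, and it assumes common/combined log format and that a 2xx/3xx response means the file really exists on the site.

```python
import re
from urllib.parse import unquote

# Condensed excerpt of the addon: a few patterns copied from the rules above.
# Paste the full addon text here to audit a real site.
ADDON = r"""
RewriteCond %{REQUEST_URI} /(adminer|alfa|b374k|c99|cmd|config|db|info|r57|readme)\.php [NC,OR]
RewriteCond %{REQUEST_URI} /(s|shell|system|up|uploader|user|wp-|wso|x|xx)\.php [NC,OR]
RewriteCond %{REQUEST_URI} /(admin2\.asp|alfa-shell-v4(.*)|cgishell\.pl|xx\.pl) [NC]
RewriteRule .* - [F,L]
"""

# Constructed access-log lines (documentation IP ranges), not real traffic.
LOG = '''\
203.0.113.7 - - [04/Mar/2024:10:00:01 +0000] "GET /wp-content/alfa.php HTTP/1.1" 404 512
203.0.113.9 - - [04/Mar/2024:10:00:02 +0000] "GET /X.PHP HTTP/1.1" 404 512
198.51.100.4 - - [04/Mar/2024:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 4096
198.51.100.4 - - [04/Mar/2024:10:00:04 +0000] "GET /app/config.php HTTP/1.1" 200 128
198.51.100.5 - - [04/Mar/2024:10:00:05 +0000] "GET /docs/readme.php5 HTTP/1.1" 200 900
198.51.100.6 - - [04/Mar/2024:10:00:06 +0000] "GET /media.php?f=x.php HTTP/1.1" 200 300
'''

COND = re.compile(r"^\s*RewriteCond\s+%\{REQUEST_URI\}\s+(\S+)\s+\[([^\]]*)\]", re.M)
REQ = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')

def load_conditions(text):
    """Compile each REQUEST_URI condition; the addon ORs them all together."""
    conds = []
    for pattern, flags in COND.findall(text):
        nocase = "NC" in [f.strip().upper() for f in flags.split(",")]
        conds.append(re.compile(pattern, re.I if nocase else 0))
    return conds

def audit(log_text, conds):
    """Return (blocked_noise, false_positive_candidates) as lists of paths."""
    noise, candidates = [], []
    for target, status in REQ.findall(log_text):
        # mod_rewrite's REQUEST_URI is the decoded path without the query string.
        path = unquote(target.split("?", 1)[0])
        if any(c.search(path) for c in conds):
            # A hit that used to return 2xx/3xx is a real file the rule would 403.
            (candidates if status[0] in "23" else noise).append(path)
    return noise, candidates

if __name__ == "__main__":
    noise, candidates = audit(LOG, load_conditions(ADDON))
    print("blocked, previously 4xx/5xx:", noise)
    print("blocked, previously served :", candidates)
```

Because the patterns are not anchored at the end, `/docs/readme.php5` is caught by `readme\.php`, while `/wp-login.php` passes since `wp-` only matches a file literally named `wp-.php`.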

Also, here is the changelog for this 8G addon.

nG stands for “nth generation”. So 8G refers to the 8th-generation firewall.

License & Disclaimer

The above 8G Firewall addon is open source and 100% free for all. The only requirement is that the following credit lines are included along with the code:

# 8G FIREWALL:[ROGUE PHP FILES]
# https://m0n.co/8g-addon-rogue-php-files

Other than that, it’s all yours!

Disclaimer

The 8G Firewall and its addons are provided “as-is”, with the intention of helping people protect their sites against bad requests and other malicious activity. The code is open and free to use and modify as long as the first two credit lines remain intact. By using this code you assume all risk and responsibility for anything that happens. So use wisely, test thoroughly, and enjoy the benefits of my work :)

Note: Like the nG Firewall, the above addon works on any website powered by Apache or Nginx. WordPress not required.
Note: nG Firewall (any version) is not required for this addon to work. The addon works with or without nG Firewall.

Changelog

Changes made to 8G “Rogue PHP File” Addon:

  • 2024/03/04 – Removes pattern admin
  • 2024/03/05 – Removes pattern async-upload
  • 2024/03/05 – Removes pattern settings
  • 2024/03/05 – Removes pattern wp-ajax
  • 2024/03/05 – Reorganizes some patterns

Show support

I spend countless hours developing the nG Firewall and its various addons. I share my work freely and openly with the hope that it will help make the Web a more secure place for everyone.

If you benefit from my work with nG Firewall and would like to show support, consider buying one of my books, such as .htaccess made easy. You’ll get a complete guide to .htaccess, exclusive forum access, and a ton of awesome techniques for configuring, optimizing, and securing your site.

Of course, tweets, likes, links, and shares are super helpful and very much appreciated. Your generous support allows me to continue developing the nG Firewall and other awesome resources for the web-dev community.

Thank you kindly :)


About the Author
Jeff Starr = Web Developer. Security Specialist. WordPress Buff.

30 responses to “8G Firewall Addon: Protect Against Rogue PHP File Attacks”

  1. OK, then I do nothing :) Thanks for the answer :)

Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »