
Block revslider Scans

One of the most annoying, persistent scans I’ve seen in a long time is the one hunting for the revslider vulnerability. In the five or so months since the exploit was discovered, many sites have been compromised. And based on what I’ve been seeing in my traffic logs, the risk is far from over. Apparently every 2-bit script kiddie and their pet hamster wants a piece of the “revslider action”.

Hour after hour, week after week, month after month, hundreds and thousands of malicious URI requests such as:

https://example.com/some-random-post/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

https://example.com/another-random-post/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

http://example.com/yet-another-post/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

http://example.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

These examples show revslider in the query string, but the scanners also look for it in the main request URI. For example:

http://example.com/wp-content/plugins/revslider/temp/update_extract/revslider/routing.php

http://example.com/tag/wp-content/plugins/revslider/js/settings.js

I’m seeing thousands of these requests and I’ve never even touched any “revslider” plugin — nothing of the sort exists anywhere on any of my sites. But the idiots just won’t stop. Nor are they clever enough to log server responses to avoid repetition and save resources (like CPU, RAM, bandwidth, and of course time). So they mindlessly keep hammering away at the same targets over and over and over..

How to block ’em

Here is what I added to my site’s root .htaccess file to block the endless revslider scans:

# BLOCK REVSLIDER SCANS
<IfModule mod_rewrite.c>
	RewriteCond %{QUERY_STRING} revslider [NC,OR]
	RewriteCond %{REQUEST_URI} revslider [NC]
	RewriteRule .* - [F,L]
</IfModule>

Done. Test thoroughly. Note that this code will block all requests for any revslider-related resources, so you probably shouldn’t use it if you are running the revslider plugin.

What’s the code doing? Well, if you re-examine the example URLs above, you’ll notice a common pattern:

...admin-ajax.php?action=revslider...

..and:

.../revslider/...

In order for dirtbags to successfully “hit” the revslider vulnerability, the “revslider” string must be included in the requested URI or the query string. That’s good news because it makes blocking all such requests quite trivial. As seen in the previous .htaccess snippet, we can match all revslider requests with two lines:

RewriteCond %{QUERY_STRING} revslider [NC,OR]
RewriteCond %{REQUEST_URI} revslider [NC]

The first directive targets revslider in the query string, while the second directive targets it in the requested URI. With Apache (.htaccess), matching against the query string is achieved via the QUERY_STRING variable. So basically the first directive tells the server:

If the request includes “revslider” anywhere in the query string, then block it with a 403 response.

Likewise for the second directive, where we use the REQUEST_URI variable to match against the requested URI. There we tell Apache:

If the request includes “revslider” anywhere in the URI, then block it with a 403 response.

These two directives are associated via the [OR] flag, which tells Apache that either match is sufficient to execute the RewriteRule. The [NC] flag is for case-insensitivity, because we don’t care if revslider requests contain capital letters or not.

Note that in this blocking technique, we are simply denying the request with a server status 403 – Forbidden, which suits the needs of most. But you can get creative with the response; here are some fun ideas.

Take home

The take-home message here is that there are super scummy people out there, who couldn’t care less about you or anyone else. They will relentlessly chew up your bandwidth and resources in depraved, mindless fashion. Fortunately, in this case it is trivial to utterly stop the fools cold with a fresh slice of .htaccess.


Update

Here is a new and improved slab of .htaccess that blocks a LOT of pesky requests:

# BLOCK ENDLESS SCANS
<IfModule mod_rewrite.c>
	RewriteCond %{REQUEST_URI}  (mssqlil|register)\.php [NC,OR]
	RewriteCond %{REQUEST_URI}  (img|thumb|thumb_editor|thumbopen)\.php [NC,OR]
	RewriteCond %{QUERY_STRING} (img|thumb|thumb_editor|thumbopen)\.php [NC,OR]
	RewriteCond %{REQUEST_URI}  revslider [NC,OR]
	RewriteCond %{QUERY_STRING} revslider [NC]
	RewriteRule .* - [F,L]
</IfModule>

This will block some of the most common malicious scans, saving much bandwidth and resources. Just drop it into your root .htaccess and relax.
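
To back up the “test thoroughly” advice for both the original rule and the updated block, here is an added example (not code from the original post) that replays access-log lines against the same conditions, reports which matching requests were not answered with a 403, and checks for false positives. The function names, log lines, IP addresses, and the sample post slug are constructed for illustration, and the dot before php is written escaped.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# The post's conditions as (request part, regex); [NC] becomes re.IGNORECASE.
BASIC = [("query", r"revslider"), ("uri", r"revslider")]
# Update block; the dot before "php" is escaped here to match a literal ".".
UPDATED = BASIC + [
    ("uri", r"(mssqlil|register)\.php"),
    ("uri", r"(img|thumb|thumb_editor|thumbopen)\.php"),
    ("query", r"(img|thumb|thumb_editor|thumbopen)\.php"),
]
# Apache combined log format: capture client, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def would_block(target, rules):
    """True if any condition matches, mirroring the [OR]-chained RewriteConds."""
    parts = urlsplit(target)
    fields = {"uri": parts.path, "query": parts.query}
    return any(re.search(rx, fields[part], re.IGNORECASE) for part, rx in rules)

def audit(lines, rules):
    """Count matching requests per client and list those not answered with 403."""
    hits, not_denied = Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        client, target, status = m.groups()
        if would_block(target, rules):
            hits[client] += 1
            if status != "403":
                not_denied.append((client, target, status))
    return hits, not_denied

# Constructed sample log lines (documentation IP ranges, not real traffic).
_T = "[01/Jun/2015:10:00:00 +0000]"
SAMPLE = [
    f'203.0.113.7 - - {_T} "GET /some-random-post/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 403 199 "-" "-"',
    f'203.0.113.7 - - {_T} "GET /wp-content/plugins/revslider/temp/update_extract/revslider/routing.php HTTP/1.1" 403 199 "-" "-"',
    f'198.51.100.9 - - {_T} "GET /tag/wp-content/plugins/RevSlider/js/settings.js HTTP/1.1" 404 512 "-" "-"',
    f'192.0.2.44 - - {_T} "GET /wp-content/themes/x/thumb.php HTTP/1.1" 200 87 "-" "-"',
    f'192.0.2.50 - - {_T} "GET /about/ HTTP/1.1" 200 4096 "-" "-"',
]

if __name__ == "__main__":
    for name, rules in (("basic", BASIC), ("updated", UPDATED)):
        hits, leaks = audit(SAMPLE, rules)
        print(name, dict(hits), "not denied:", leaks)
    print("post slug blocked:", would_block("/blog/block-revslider-scans/", BASIC))
```

Any entry in the “not denied” list means the rule is not in effect for that path (for example, a subdirectory .htaccess overriding the root one). The last check shows that a legitimate URL containing “revslider”, such as a post slug, is denied as well.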

About the Author
Jeff Starr = Creative thinker. Passionate about free and open Web.

5 responses to “Block revslider Scans”

  1. Hi, I’m a bit of a beginner in working with .htaccess. This is really helpful, thank you!

    Question. Is it possible to have multiple blocks of the IfModule mod_rewrite thing in a .htaccess file?

    Or should this all be packaged up in the same block?

    Thanks. Eric

    • Great question. The IfModule check can be used as many times as needed in the .htaccess file. I use over 20 of them on one of my sites. BTW the part of the code example that you had included was removed by WordPress (because of the brackets). For future reference, please wrap any code with <code> tags. Thanks!

  2. Matt McDowell 2015/06/01 2:40 pm

    Great to see posts like this again! Thanks Jeff. Down with scripter hamster scum :)

  3. Those are good tricks. Maybe we don’t have to be worried about this, because RevSlider already fixed this loophole.

    • Jeff Starr 2015/06/20 1:14 pm

      You missed the point of the article. It doesn’t matter whether or not revslider is fixed or not. There was an exploit and people will forever continue to scan sites looking for it. This article explains how to block the endless scans. Nothing to do with the plugin itself.

Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »