
iThemes Security (formerly Better WP Security)
[Plugin: Better WP Security] .htaccess file being corrupted | Ban Hosts (29 posts)

  1. derycka
    Member
    Posted 2 years ago #

    [ Moderator Note: Please post code or markup snippets between backticks or use the code button. Or better still - use the pastebin ]

    Better WP Build Version: 3047

    I'm encountering an apparent issue with the ban hosts functionality and the plugins interaction with the .htaccess file.

    My site is hosted via godaddy.com, and part of this package is a security vulnerability site testing service. They hit the site daily with various scripts to try and discover issues. This testing will often cause a lot of 404 errors (e.g. 2900+ in the last couple of days). During their testing the ban hosts functionality of the plugin also kicks in. The Deny rule for the offending IP address is written into the .htaccess file, but multiple times (like hundreds of times). Eventually the site breaks and you are also unable to log in to administer WordPress.

    Closer inspection of the .htaccess file...
    • the HackRepair.com Blacklist section appears to be fine. (content only appears once)
    • in the Order allow, deny section there are hundreds of entries for "Deny from 72.167.191.1". (This is one of the site scanner service hosts.)
    • As you scroll down this list of deny entries you happen upon duplicate RewriteRules and RewriteConds, followed by more deny entries for "Deny from 72.167.191.1". In fact, this occurs several times throughout the .htaccess file. Example attached below. I can provide the .htaccess file if requested by a plugin representative.
    • My guesses only: it appears as if the .htaccess file is being written over the top. Memory running out somewhere? Maybe the plugin can't cope with the speed at which the security server is making requests for 404 files and needing to write to the .htaccess file?
    • This issue is reproducible. It has now happened three times. Prior to the third time I had added a Ban hosts wildcard of 72.167.191.*
    • My fix to date has been to rename the .htaccess file to .htaccessold and have a new one generated.

    This appears to be written over the top of data several times within the .htaccess file.

    ----------< snip >------------

    <files .htaccess>
    Order allow,deny
    Deny from all
    </files>
    
    <files readme.html>
    Order allow,deny
    Deny from all
    </files>
    
    <files readme.txt>
    Order allow,deny
    Deny from all
    </files>
    
    <files install.php>
    Order allow,deny
    Deny from all
    </files>
    
    <files wp-config.php>
    Order allow,deny
    Deny from all
    </files>
    
    <IfModule mod_rewrite.c>
    RewriteEngine On
    
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    
    RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC]
    RewriteRule ^(.*)$ - [F,L]
    
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} ^(.*)wp-comments-post\.php*
    RewriteCond %{HTTP_REFERER} !^(.*)com.au.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule ^(.*)$ - [F,L]
    
    RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
    RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
    RewriteCond %{QUERY_STRING} tag\= [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
    RewriteCond %{QUERY_STRING} http\:  [NC,OR]
    RewriteCond %{QUERY_STRING} https\:  [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(request|select|concat|insert|union|declare).* [NC]
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
    RewriteRule ^(.*)$ - [F,L]
    
    </IfModule>
    
    # END Better WP Security

    http://wordpress.org/extend/plugins/better-wp-security/

  2. Hello,

    Thanks for the bug report. I've put a patch into the dev version (http://downloads.wordpress.org/plugin/better-wp-security.zip) which should take care of the issue. Please note your situation is the only one I've heard this with (most likely due to you being the only one I've known running such a test). If you could confirm this works before I release it fully I would greatly appreciate it.

  3. derycka
    Member
    Posted 1 year ago #

    Hi,

    I've allowed a fresh .htaccess file to be generated, added the patch to the live site and re-enabled the appropriate plugin settings. I'll let you know how it goes!

    Thanks!

  4. derycka
    Member
    Posted 1 year ago #

    [ Moderator Note: Please post code or markup snippets between backticks or use the code button. Or better still - use the pastebin ]

    Hi,

    Unfortunately, overnight the same issue has occurred.

    > Please note your situation is the only one I've heard this with (most likely due to you being the only one I've known running such a test).

    My worry is that this is a vulnerability not only for me, but for everyone using the plugin: a potential denial of service attack, e.g. hit a website hard enough with 404s and break it.

    Some details follow:

    .htaccess file dump attached at the end - (assuming wordpress forums allows me to post something this long).
    
    Security>>Ban Users>>Ban Hosts:
    In addition to the pre-populated half dozen IPs (including an entry 72.167.191.*) there are now multiple entries (without counting them all, there are a hundred or so) for IP 72.167.191.2, the site scanner IP that was used last night.
    
    Security>>View Logs:
    - Your database contains 0 bad login entries
    - Your database contains 622 404 errors.  (I cleared this yesterday - so this is approx. the amount that was thrown up at the site last night by the security scan.)
    - Your database contains 0 old lockouts.
    
    The following are random examples of 404 errors generated by the site scanner
    (Security>>View Logs 404 Errors; columns: time, requested path, count):
    2012-07-14 00:13:13  /scripts/6AYQbfppHe8o.php3  1
    2012-07-14 00:13:11  /scripts/6AYQbfppHe8o.asp   1
    2012-07-14 00:13:15  /scripts/6AYQbfppHe8o.cfm   1
    2012-07-14 00:13:08  /scripts/6AYQbfppHe8o.inc   1
    2012-07-14 00:13:23  /.asp                       1
    2012-07-14 00:13:31  /baliifun.pl?               1
    2012-07-14 00:13:29  /index.asp                  1
    2012-07-14 00:13:29  /30oxtk2p.asp?              1
    2012-07-14 00:13:29  /baliifun.aspx?             1
    2012-07-14 00:13:28  /default.shtm               1
    2012-07-14 00:13:32  /.aspx                      1
    2012-07-14 00:13:31  /index.shtml                1
    2012-07-14 00:13:33  /30oxtk2p.aspx?             1
    2012-07-14 00:13:33  /baliifun.cgi?              1
    2012-07-14 00:13:33  /index.html                 1
    2012-07-14 00:13:32  /baliifun.pl?               1
    2012-07-14 00:13:28  /baliifun.aspx?             1
    2012-07-14 00:13:26  /default.php                1
    2012-07-14 00:13:24  /perl/                      1
    2012-07-14 00:13:24  /baliifun.asp?              1
    2012-07-14 00:13:24  /default.asp                1

    .htaccess file dump:

    [ 768 lines of code moderated, that's just way too much. For that many lines of code please use pastebin.com instead. ]

  5. Have you tried the dev version? It should fix the problem.

  6. derycka
    Member
    Posted 1 year ago #

    Hi,

    I've tried the dev version you provided - as described above. I replaced the existing php script with the newly supplied dev one.

    After this, the issue still occurred.

    Prior to last night's security scan test, I disabled the plugin altogether, and this morning everything is fine. The site is up, the .htaccess file is untouched and exactly as it was yesterday. The issue is definitely related to the Better WP Security plugin.

    For now, I've left the plugin disabled because I can't have the site going down every day.

  7. derycka
    Member
    Posted 1 year ago #

    I've just noticed that you have just publicly released version 3.4.
    Better WP Build Version: 3051

    I've just installed this and will see how it goes during this evening's security scan. I'll report the results here tomorrow morning.

    cheers,
    Deryck

  8. derycka
    Member
    Posted 1 year ago #

    For those interested, here is the security scanning service I'm subscribed to which is hitting my site daily:
    http://www.godaddy.com/security/website-security.aspx

  9. Thanks for the link, and please let me know. I would be happy to provide a fix, but so far I'm in the dark as to what exactly needs fixing.

  10. derycka
    Member
    Posted 1 year ago #

    Hi,

    - I have copied the contents of the .htaccess file into a separate text file. This way we have a record of the contents prior to tonight's security scan.

    Test 1:
    - Security>>Dashboard>>Rewrite rules
    Within the plugin (latest release version) it specifies deny of 72.167.191.0/24 (as you would expect). In the live .htaccess file this is also reflected. I assume that we should therefore not see any further entries written in tonight's test.

    Test 2:
    Assuming that Test 1 is successful, on the following night's scan I will remove the deny of 72.167.191.0/24 and see if the plugin correctly generates the deny of the IP as appropriate when it receives all the 404s.

  11. derycka
    Member
    Posted 1 year ago #

    Here are the results from Test 1 overnight:

    a) The .htaccess file has had an additional entry written for 72.167.191.1:
    Deny from 72.167.191.0/24
    Deny from 72.167.191.1

    Is this intended behaviour?
    i.e. 72.167.191.0/24 should cover this IP, and therefore there is no need to write the single IP out into the .htaccess file?

    The .htaccess file does not have hundreds of IP entries listed in it anymore which is good. So this is partially fixed?

    b) It would appear there is an additional issue lurking which has caused the website to stop functioning again. I suspect there have in fact been a couple of separate issues and this one is actually the deal breaker.

    The .htaccess file has been written to additional times (rewrite conditions), and the file ends abruptly with these and without any:
    </IfModule>
    # END Better WP Security

    I will sign up for a pastebin account and post a dump of the .htaccess file for your inspection shortly.

    It is as though the logic to go in and remove the Better WP Security text from within the .htaccess file (before writing a new version) is not happening correctly. Therefore bits get left/overwritten. Not sure exactly which, or if your plugin does it this way or differently, such as a line compare.

    I think there must be an issue in there somewhere that is related to how the plugin writes out its information to .htaccess.

    Whether this is a standalone issue, or only happens under load (when it's receiving lots of 404s and also trying to check the IP addresses in the table) I don't know. Only guesses.

  12. derycka
    Member
    Posted 1 year ago #

    In addition:

    I have received a couple of hundred emails (with slightly differing lockout times) from the overnight test. This has happened previously too, but I had not mentioned it to date.

    Could you add logic to the plugin so that it does not send additional emails after the first one. You could still log the lockout, just not send the additional emails...

    A host, 72.167.191.1(you can check the host at http://ip-adress.com/ip_tracer/72.167.191.1) has been locked out of the WordPress site at <snip> until Sunday, July 15th, 2012 at 2:46:36 pm UTC due to too many attempts to open a file that does not exist. You may login to the site to manually release the lock if necessary.

  13. derycka
    Member
    Posted 1 year ago #

    Below are the dumps from the .htaccess file from before and after Test 1.

    .htaccess file (before Test 1 commence)
    http://pastebin.com/ya27ZybT

    .htaccess file (after Test 1 completion)
    http://pastebin.com/1cXc1T2V

  14. derycka
    Member
    Posted 1 year ago #

    In addition:

    I've just noticed that inside the editable window box of the plugin's page Security>>Ban Users>>Ban Hosts there are multiple instances of IP 72.167.191.1.

    So whilst these have not been directly written out to the .htaccess file, there are multiple instances displayed within the plugin. This only happened overnight during Test 1.

  15. derycka
    Member
    Posted 1 year ago #

    Items with <snip> have been removed.

    File System Information
    
    Website Root Folder: https://<snip>.com.au/wordpress
    Document Root Path: /var/chroot/home/content/63/<snip>/html
    .htaccess File is Writable: No.
    wp-config.php File is Writable: No.
    Database Information
    
    MySQL Database Version: 5.0.92-log
    MySQL Client Version: 5.0.77
    Database Host: cod1212208151053.db.9292063.hostedresource.com
    Database Name: cod1212208151053
    Database User: cod1212208151053
    SQL Mode: Not Set
    Server Information
    
    Server / Website IP Address: <snip>
    Server Type: Apache
    Operating System: Linux
    Browser Compression Supported: gzip, deflate
    PHP Information
    
    PHP Version: 5.3.13
    PHP Memory Usage: 21.79 MB
    PHP Memory Limit: 256M
    PHP Max Upload Size: 8M
    PHP Max Post Size: 8M
    PHP Safe Mode: Off
    PHP Allow URL fopen: On
    PHP Allow URL Include: Off
    PHP Display Errors: On
    PHP Display Startup Errors: Off
    PHP Expose PHP: Off
    PHP Register Globals: Off
    PHP Max Script Execution Time: 30 Seconds
    PHP Magic Quotes GPC: On
    PHP open_basedir: Off
    PHP XML Support: Yes
    PHP IPTC Support: Yes
    PHP Exif Support: Yes ( V1.4 )
    WordPress Configuration
    
    Multisite: Multisite is NOT enabled
    WP Permalink Structure: Enabled
    Wp-config Location: /home/content/63/<snip>/html/wordpress/wp-config.php
    Better WP Security variables
    
    Hide Backend Key: Not Yet Available. Enable Hide Backend mode to generate key.
    Better WP Build Version: 3051
    Note: this is NOT the same as the version number on the plugins page and is instead used for support.

  16. kendawes
    Member
    Posted 1 year ago #

    I have run into the GoDaddy security scanning problem on clients' sites that used a different security plugin. After *a lot* of research, I accidentally came across a GoDaddy document that lists the IP addresses they use to do their site scanning (BTW, they seem to usually run it in the middle of the night).

    After denying the following IP addresses via the .htaccess file... problem resolved!

    Hope this can help someone!

    Ken

    <Limit GET POST PUT>
     Order Allow,Deny
     Allow from all
    # below denies GoDaddys website scan
     Deny from 72.167.191.1
     Deny from 72.167.191.2
     Deny from 72.167.191.3
     Deny from 72.167.191.6
     Deny from 72.167.191.7
     Deny from 72.167.191.8
     Deny from 72.167.191.11
     Deny from 72.167.191.12
     Deny from 72.167.191.13
     Deny from 72.167.191.14
     Deny from 72.167.191.15
     Deny from 72.167.191.16
     Deny from 72.167.191.17
     Deny from 72.167.191.18
     Deny from 72.167.191.19
     Deny from 72.167.191.20
     Deny from 72.167.191.10
     Deny from 72.167.191.21
     Deny from 72.167.191.22
     Deny from 72.167.191.23
     Deny from 72.167.191.24
     Deny from 72.167.191.25
     Deny from 72.167.191.26
     Deny from 97.74.139.193
     Deny from 97.74.139.194
     Deny from 97.74.139.195
    </Limit>

  17. Can you email me at info [at] bit51 [dot] com to take a look at this? This is a rather interesting and specific case that I hadn't planned on, yet I would like to look at it as it could be handy in the event of a DOS attack/etc.

    Thanks!

  18. derycka
    Member
    Posted 1 year ago #

    Hi Ken,

    Thanks - I didn't know about the 97.74.139.x range. The following rule (I believe) should theoretically prevent anything from the 72.167.191.x range meaning that you only need to add one line item. (Assuming you are not bothered by the .27 and up).

    Deny from 72.167.191.0/24

  19. @derycka

    I did forget to mention that listing the IP twice could happen in some situations, as the list doesn't check; however, if it had been written to your .htaccess initially it shouldn't have ever come up.

  20. derycka
    Member
    Posted 1 year ago #

    Update:
    - updated to v. 3.4.1 yesterday
    - ran Test 1 again overnight

    Results:
    Within the plugin section - Security>>Ban Users>>Ban Hosts
    - The box containing the IPs of banned hosts listed hundreds of the same IP, 72.167.191.2 (the site scanner)

    .htaccess file
    The file has become corrupted again with incorrect write behaviour. Output is here for your inspection:
    - http://pastebin.com/yRdEgqAX

    eMails
    - I received 5430 emails!! That is not a typo!

    A host, 72.167.191.2(you can check the host at http://ip-adress.com/ip_tracer/72.167.191.2) has been locked out of the WordPress site at http://<snip>.com.au until Wednesday, July 18th, 2012 at 3:11:09 pm UTC due to too many attempts to open a file that does not exist. You may login to the site to manually release the lock if necessary.

    Website
    - broken

    Logs
    - Your database contains 7368 404 errors.

    I'm going to have to permanently disable the plugin until these issues are addressed.
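
The two symptoms in the post above, hundreds of copies of 72.167.191.2 in the ban list and 5430 lockout emails for one host, both follow from treating every 404 after the threshold as a fresh lockout. The following is an added example written for this page, not the plugin's own code: a per-host lockout tracker that emails only when a lockout is first created, stays silent while that lockout is active, escalates a repeat offender to a permanent ban, and appends a host to the ban list at most once. The threshold, window, duration and escalation count are assumptions, and `simulate` stands in for the scanner with constructed integer timestamps.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LockoutTracker:
    # Thresholds are assumptions for this example, not the plugin's settings.
    threshold: int = 20        # 404s from one host before it is locked out
    window: int = 300          # seconds over which those 404s are counted
    duration: int = 3600       # seconds a temporary lockout lasts
    permanent_after: int = 3   # lockouts before the host goes on the ban list
    misses: dict = field(default_factory=lambda: defaultdict(deque))
    lockouts: dict = field(default_factory=dict)      # host -> expiry time
    lockout_count: dict = field(default_factory=lambda: defaultdict(int))
    banned: list = field(default_factory=list)        # ordered, never duplicated

    def record_404(self, host, now):
        """Record one 404 from host at unix time now and report the outcome:
        'counted'         below threshold, nothing to do
        'locked'          a new lockout; the only outcome that sends email
        'already_locked'  404 during an active lockout; logged, no email
        'banned'          host promoted to the permanent ban list
        'already_banned'  already on the list, so nothing is rewritten"""
        if host in self.banned:
            return "already_banned"
        if now < self.lockouts.get(host, 0):
            return "already_locked"
        hits = self.misses[host]
        hits.append(now)
        while hits[0] < now - self.window:     # sliding window of recent 404s
            hits.popleft()
        if len(hits) < self.threshold:
            return "counted"
        hits.clear()
        self.lockout_count[host] += 1
        if self.lockout_count[host] >= self.permanent_after:
            self.lockouts.pop(host, None)
            self.ban(host)
            return "banned"
        self.lockouts[host] = now + self.duration
        return "locked"

    def ban(self, host):
        """Append to the permanent list only if absent; True when added."""
        if host in self.banned:
            return False
        self.banned.append(host)
        return True


def simulate(tracker, host, n, interval):
    """Constructed scanner run: n 404s from host, interval seconds apart.
    Returns how many times each outcome occurred."""
    counts = defaultdict(int)
    for i in range(n):
        counts[tracker.record_404(host, i * interval)] += 1
    return dict(counts)
```

Feeding 3000 404s one second apart from a single host yields one "locked" outcome and 2980 "already_locked" ones, so a notifier keyed on "locked" sends a single email per lockout rather than one per request; the .htaccess writer only needs to run on "banned", which can fire at most once per host.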

  21. Sorry to hear that derycka. My apologies for the frustrations it has caused you.

    For what it's worth your latest post tells me quite a bit. It appears that scanner is hitting the site so hard it is causing the plugin to try to write to .htaccess in multiple sessions at the same time. This will be fixed.

    As for the ban list, it isn't saving them multiple times from there to .htaccess, as both the ban list and the .htaccess writer check for duplicates; however, the auto-ban does not when saving to the database. This is something else I will improve.

    Simulating a load of that nature isn't easy in a dev environment with WordPress. While it sucks that I couldn't get this working for you yet, it will be fixed for future users.
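
The diagnosis above, several requests rewriting .htaccess at the same time, accounts for the duplicated and truncated sections posted earlier in the thread. The example below is added for this page and is not the plugin's code: it rebuilds the plugin-owned block from the full ban list on every write, strips every earlier copy of the block (including a truncated one with no END marker), drops single addresses already covered by a listed network (the 72.167.191.1 inside 72.167.191.0/24 question from the Test 1 post), serialises writers with flock, and swaps the new file in with an atomic rename. PHP has the same primitives (flock(), a temporary file and rename()); Python is used here so the race can be driven from threads in one process. The BEGIN marker, the lock and temporary file names, and the short WordPress permalink block are assumptions; only the END marker appears on the page. The Deny lines use the Apache 2.2 Order/Allow/Deny syntax of the file in the thread, not the Apache 2.4 Require syntax.

```python
import fcntl
import ipaddress
import os
import tempfile
import threading
from pathlib import Path

# Only the END marker appears in the thread; BEGIN is assumed for this example.
BEGIN = "# BEGIN Better WP Security"
END = "# END Better WP Security"

# Constructed stand-in for the WordPress permalink block anieves reports losing.
WP_BLOCK = r"""# BEGIN WordPress
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# END WordPress
"""


def render_section(hosts):
    """Build the ban block from the full host list: duplicates collapse and an
    address inside a listed network (72.167.191.1 in 72.167.191.0/24) is dropped."""
    nets = {ipaddress.ip_network(h, strict=False) for h in hosts}
    keep = [n for n in nets
            if not any(o != n and o.version == n.version and n.subnet_of(o)
                       for o in nets)]
    keep.sort(key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    lines = [BEGIN, "Order allow,deny", "Allow from all"]   # allow everyone...
    for n in keep:                                           # ...except these
        host = (str(n.network_address) if n.prefixlen == n.max_prefixlen
                else n.with_prefixlen)
        lines.append(f"Deny from {host}")
    return "\n".join(lines + [END]) + "\n"


def strip_section(text):
    """Drop every copy of the plugin block, including a truncated copy with a
    BEGIN but no END, so a corrupted file heals; everything else is kept."""
    out, inside = [], False
    for line in text.splitlines(keepends=True):
        marker = line.strip()
        if marker == BEGIN:
            inside = True
        elif marker == END:
            inside = False
        elif not inside:
            out.append(line)
    return "".join(out)


def write_htaccess(path, hosts):
    """Serialise writers with flock on a sidecar lock file, build the whole
    file in memory, then rename a temporary file over .htaccess (atomic)."""
    path = Path(path)
    lock = path.with_name(path.name + ".lock")
    tmp = path.with_name(path.name + ".tmp")
    with open(lock, "w") as lf:
        fcntl.flock(lf, fcntl.LOCK_EX)     # wait for the writer ahead of us
        try:
            current = path.read_text() if path.exists() else ""
            body = strip_section(current).rstrip("\n")
            new = (body + "\n\n" if body else "") + render_section(hosts)
            with open(tmp, "w") as f:
                f.write(new)
            os.replace(tmp, path)          # readers see old or new, never half
        finally:
            fcntl.flock(lf, fcntl.LOCK_UN)


def check_file(path):
    """Invariants the thread shows broken: one BEGIN, one END, no duplicate
    Deny lines, and the file ends with the END marker."""
    lines = Path(path).read_text().splitlines()
    denies = [ln for ln in lines if ln.startswith("Deny from ")]
    return (lines.count(BEGIN) == 1 and lines.count(END) == 1
            and len(denies) == len(set(denies)) and lines[-1] == END)


def fresh_htaccess():
    """A throwaway .htaccess holding only the WordPress block."""
    p = Path(tempfile.mkdtemp(), ".htaccess")
    p.write_text(WP_BLOCK)
    return p


def stress(path, hosts, workers=8, rounds=10):
    """Concurrent requests auto-banning at once; returns check_file(path)."""
    def worker(i):
        for r in range(rounds):
            write_htaccess(path, hosts[: 1 + (i + r) % len(hosts)])
    threads = [threading.Thread(target=worker, args=(i,)) for i in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return check_file(path)
```

Two design points worth noting. The writer never appends to the existing file: it regenerates its own block from the authoritative list and leaves everything outside the markers alone, which is what keeps the WordPress permalink block intact and makes repeated writes idempotent. And the Deny lines are written without a `<Limit GET POST PUT>` wrapper like the one in Ken's post: Apache applies access control inside `<Limit>` only to the listed methods, so a scanner using any other method would not be blocked by that section.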

  22. anieves
    Member
    Posted 1 year ago #

    I am seeing that we are repeatedly losing these lines in the .htaccess file:

    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    Losing these lines causes the permalinks to fail.

  23. Thanks anieves. Is this during the auto-ban sequence, when manually saving options, or at some other point?

  24. anieves
    Member
    Posted 1 year ago #

    Not sure. We do have auto-ban enabled. I manually added the lines to the .htaccess this morning when a client complained their links were not working. I left it alone for the day, then about 6 hours later client emailed again and when I checked the .htaccess file, the lines were missing again.

  25. Thanks anieves. That does sound like autoban. Please turn the autoban feature off for the time being (then, if it still locks folks out they're changing something). I will work on a fix tomorrow and Saturday and will have it in the dev version ASAP.

  26. ilab
    Member
    Posted 1 year ago #

    Bit51 & Anieves,

    Did you guys find any solution? Any changes made to .htaccess per the above are causing a 500 error due to permalinks.

    Please suggest a solution.

  27. This should have been fixed ilab. What are your permalink settings?

  28. ilab
    Member
    Posted 1 year ago #

    No, it isn't.

    When I'm using the basic .htaccess settings for WordPress referred to by @Anieves, it is not working in conjunction with Ban (enabled or disabled) in the Better WP Security plugin.

    Just to inform you, someone is continuously trying to hack my site. They have tried more than 38 times (using various IPs) to hack the .htaccess and wp-config.php files.

    But thanks to the Better WP Security plugin it locks out those IPs for 3 days. I want them all banned permanently and want to add them to the DENY list of .htaccess.

    Expecting quicker response.

  29. @ilab email me at info [at] bit51 [dot] com and we can work this out. Note that until someone wants to pay me for monitoring these forums I typically only check them twice a week.

This topic has been closed to new replies.