Hi All,
Since yesterday my site has been bombarded with hits from servers all over the world, each hit being about ten minutes apart. They are all from legitimate ISP’s, and the only thing that they have in common is they all use Chinese as the browser language. Otherwise everything else looks pretty normal, except maybe they are using old browser versions. They just land on the homepage and depart within seconds and so far I haven’t found any other malicious activity.
I found some htaccess code to block users by browser language, but they don’t seem to be working, likely because I don’t know how to integrate them with my existing htaccess code.
##### Start -- Redirect by Language to The Honeypot -- Start #####
RewriteCond %{REQUEST_URI} !honeypot.php/
RewriteCond %{HTTP:Accept-Language} ^zhi-CN [NC,OR]
RewriteRule ^(.*)$ /honeypot.php/ [NC,L]
##### End -- Redirect by Language to The Honeypot -- End #####
And this is my existing htaccess code:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
RewriteCond %{HTTPS} off [OR,NC]
RewriteCond %{HTTP_HOST} ^www.mySite.com [NC]
RewriteRule ^(.*)$ https://mySite.com/$1 [R=301,L]
# Match any request that has index.php/ in the middle and redirect to 404
RewriteCond %{REQUEST_URI} ^/.*index\.php/.+ [NC]
RewriteRule .* - [R=404,L]
If an htaccess pro could help sort this out it would very much appreciated.
I am not a pro, but I have a ChattyG friend who is. Here is what he told me:
To block browsers using Chinese as their native language, you can add a condition to your friend’s .htaccess file that checks the Accept-Language header. Browsers usually send this header to indicate the language preferences of the user. For Chinese, the language codes typically include zh, zh-CN, zh-SG, zh-TW, zh-HK, and zh-MO.
However, it’s important to note that this method is not foolproof. Users can change their browser language settings, and some browsers might not send the Accept-Language header. Also, this approach might inadvertently block legitimate users who prefer Chinese but are not part of the problematic traffic your friend is experiencing.
All that said, here is the .htaccess code ChattyG recommends:
RewriteEngine On
#Existing conditions and rules
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/[0-9a-zA-Z_-]+$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
RewriteCond %{HTTPS} off [OR,NC]
RewriteCond %{HTTP_HOST} ^www.mySite.com [NC]
RewriteRule ^(.*)$ https://mySite.com/$1 [R=301,L]
#Match any request that has index.php/ in the middle and redirect to 404
RewriteCond %{REQUEST_URI} ^/.*index\.php/.+ [NC]
RewriteRule .* - [R=404,L]
#Block requests with Chinese language preference
RewriteCond %{HTTP:Accept-Language} ^(zh|zh-CN|zh-SG|zh-TW|zh-HK|zh-MO) [NC]
RewriteRule .* - [F,L]
Also, if you want them to be redirected to a 404 page, you will need to create one and place it in the root directory of the website. Then, update the .htaccess file by adding the following line (if the page resolves to 404.html):
@Thang This is an interesting topic. I have experienced the same issue in the past. I would be curious to know if the solution that @dave suggested works for you.
Thanks Dave! I very much appreciate your “asking for a friend” to your “ChattyG friend”.
But alas, it doesn’t seem to work, and the attack is ongoing.
They may very well be using browsers that are not sending the Accept-Language header, which may explain why they are using versions of Chrome 60 and lower. I wonder if an htaccess rule to block browser versions of Chrome below say version 100 would be possible? I have seen that is is possible to block user agents with htaccess, but not sure to what degree of targeting, such as the browser version.
Could you possibly ask your friend again for an htaccess rule that can block Chrome versions 65 and lower? That would also be much appreciated.
This attack is very strange and disconcerting - it’s my personal website and I’m a musician, so nothing very interesting to hackers one would think. Also, the visits do not show up in the “Visitors” pane in CPanel, which is very odd. I see them in my legacy “Gosquared” account, but not in Matomo where they are blocking the tracking. Also disconcerting is that the attacker can seemingly use all these legitimate hosts as a proxy at will, unless he is somehow spoofing the host IP addresses.
Blocking specific versions of a browser, like older versions of Chrome, can indeed be done using the .htaccess file. This is achieved by looking for patterns in the User-Agent string that browsers send as part of their HTTP request headers. However, it’s important to note that User-Agent strings can be spoofed, so this method might not be completely foolproof.
To block Chrome versions 65 and lower, you can add the following rules to the .htaccess file:
This rule checks the User-Agent string for Chrome versions from 10 to 65 (inclusive) and returns a 403 Forbidden response for these versions.
Regarding the attacks not showing up in the “Visitors” pane in cPanel but appearing in legacy tracking systems, it’s possible that the attackers are using methods to avoid being logged by certain analytics tools. This could be due to a variety of reasons, such as the use of scripts or methods that interfere with tracking.
If the attacks continue despite these measures, it might be worth considering additional security measures such as:
Web Application Firewall (WAF): A WAF can provide more sophisticated traffic analysis and blocking capabilities.
Consulting with Hosting Provider: They might have additional insights or tools to help mitigate these attacks.
Updating Website Security: Ensuring all software is up to date and considering additional security plugins or services.
By the way, I run most of my sites through Cloudflare; they do have bot-protection built-in, at the free level, that seems to do a great job. I had a huge issue with Russian bots attacking one of my sites a while back and was at wits-end trying to block them. One of our network guys asked why I didn’t have “Bot Fight Mode” enabled? “I don’t know…maybe because I’m not a network-guy seemed like the most plausible answer.” At any rate, I flipped the switch and presto…the bots were eliminated!
Thanks a bunch Dave! That rule does seem to work to block the attacks. I haven’t seen another attempt for over an hour. What a relief!
And since I’ve noticed a lot of bots use old chrome versions, that rule should help with that as well.
That is version 4 of ChatGPT? Good to know. I’ve been dragging my butt on getting familiar with it, but this is a great example of how useful it can be.
Many, many thanks for your help.
I thought the “Visitors” panel in Cpanel just logged all connections, but I guess there’s a way around it. Also, I don’t see the attempts in “Errors” in CPanel, where connections denied by htaccess are listed. So that’s kind of odd.I suppose the events may just not have been processed yet so will check back later.
Good to hear that Cloudfares anti-bot protection is so good. If problems persist I will have to take a look. So far just been avoiding having to learn a new level of sophistication.