Rejecting HTTP requests from bad actors


Malware authors tend to be egotistical as well as stupid. Some include their signature in the HTTP user-agent string they send, such as “ZmEu” and “DataCha0s”. Others do something stupid like surrounding the user-agent string with double-quotes (see the first RewriteCond statement below). Adding the following rules to your .htaccess file (or Apache config file) is an inexpensive way to block requests from such malware. These rules catch a surprising number of malware attacks against my WordPress blog.

# Block ZmEu and other bots based on their user agent signature. Another sign
# that hackers aren't as smart as they think they are. Note the first
# condition, starting with a quote-mark, is another sign of a sloppy hacker.
# No legitimate browser or web crawler quotes the user-agent string.
# mod_rewrite must be switched on; repeating this line is harmless if it is.
RewriteEngine On
# A pattern starting with "=" is an exact string comparison, not a regex.
# The patterns are case-sensitive (no [NC] on the conditions).
RewriteCond %{HTTP_USER_AGENT} ^" [OR]
RewriteCond %{HTTP_USER_AGENT} ^PHP/5 [OR]
RewriteCond %{HTTP_USER_AGENT} =ZmEu [OR]
RewriteCond %{HTTP_USER_AGENT} =immoral [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*\stools\.ua\.random [OR]
RewriteCond %{HTTP_USER_AGENT} ^chroot [OR]
RewriteCond %{HTTP_USER_AGENT} ^DataCha0s [OR]
RewriteCond %{HTTP_USER_AGENT} ^I'm\sa\smu\smu [OR]
# "() {" at the start of a header is the Shellshock probe signature.
RewriteCond %{HTTP_USER_AGENT} ^\(\)\s{ [OR]
RewriteCond %{HTTP_USER_AGENT} ^q\[ [OR]
RewriteCond %{HTTP_USER_AGENT} ^Morfeus\sFucking\sScanner
# The END flag needs Apache 2.4; the error-notes variable is logged by blocked.php.
RewriteRule ^ blocked.php [NC,END,E=error-notes:blacklisted-user-agent]
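To check which of these conditions would fire before deploying them, here is a small Python harness I have added (it is not part of the original post and does not use Apache itself): it mirrors the patterns above, including the exact-match meaning of a leading "=", and runs them over a few constructed log lines. It assumes the log is in Apache's combined format, where the user-agent is the last quoted field.

```python
import re
# The RewriteCond patterns above, in order. A RewriteCond regex matches
# anywhere in the value (these anchor with ^); a leading "=" is an exact match.
UA_RULES = [
    ("quoted-user-agent", r'^"'),
    ("php-user-agent", r"^PHP/5"),
    ("zmeu", "=ZmEu"),
    ("immoral", "=immoral"),
    ("tools-ua-random", r"^.*\stools\.ua\.random"),
    ("chroot", r"^chroot"),
    ("datacha0s", r"^DataCha0s"),
    ("im-a-mu-mu", r"^I'm\sa\smu\smu"),
    ("shellshock-probe", r"^\(\)\s{"),
    ("q-bracket", r"^q\["),
    ("morfeus", r"^Morfeus\sFucking\sScanner"),
]
# Combined log format; the user-agent is the last quoted field, and Apache
# writes a literal quote inside it as \" so it must be unescaped first.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d+ \S+ "[^"]*" "(.*)"$')

def matching_rule(user_agent):
    # Name of the first rule that would fire for this user-agent, or None.
    for name, pattern in UA_RULES:
        if pattern.startswith("="):
            if user_agent == pattern[1:]:
                return name
        elif re.search(pattern, user_agent):
            return name
    return None

def scan_log(lines):
    # (client, path, rule) for every logged request the rules would block.
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m:
            ua = m.group(3).replace('\\"', '"')
            rule = matching_rule(ua)
            if rule:
                hits.append((m.group(1), m.group(2), rule))
    return hits
# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "ZmEu"',
    '192.0.2.11 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"',
    '192.0.2.12 - - [10/Oct/2023:13:56:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 403 312 "-" "() { :;}; echo probe"',
    '192.0.2.13 - - [10/Oct/2023:13:56:10 +0000] "GET /wp-login.php HTTP/1.1" 403 312 "-" "\\"Mozilla/4.0\\""',
    '192.0.2.14 - - [10/Oct/2023:13:56:15 +0000] "GET /readme.html HTTP/1.1" 200 7043 "-" "ZmEu scanner"',
]
```

Note that the last sample line is not blocked: `=ZmEu` compares the whole string, so "ZmEu scanner" slips through unless you change that condition to a regex.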

See my previous article for information about the blocked.php module.