htaccess file interfering with vbulletin


josh3427

5:48 pm on Jun 27, 2011 (gmt 0)

10+ Year Member



I'm having a terrible time trying to figure this out. I was recently "hacked" and I have a new .htaccess file that is supposed to stop that from happening again. However, the file is interfering with my vBulletin installation in some way. I verified this by temporarily deleting most of the file, and everything was working as it was supposed to. There are a number of problems with vBulletin; here are a few for reference in case it helps point to the underlying problem. My assumption is that something in the .htaccess is denying vBulletin access to JavaScript files? Honestly, I'm at a loss.

1. The "Reply with quote" button hangs forever if you click it. You can click it a second time and it will work by taking you to the "go advanced" reply screen so if you do accidentally or purposefully click it, just click it a second time.

2. Smilies don't seem to be displaying properly in Firefox when you try to add them, either in the quick reply or advanced reply mode. If you'd like to continue using them, you can switch the editor to the "standard editor" and it should work by inserting the appropriate smiley code into your post. To do this, go to [easywdw.com...], scroll down near the bottom to "miscellaneous options" and select "Standard Editor - Extra formatting controls." Then scroll to the bottom and select "Save changes." I don't think this is an issue with Internet Explorer, but the fix will still work if it is.

3. In Firefox, if you type something into the quick reply box and then hit "go advanced" the text you typed may not show up in the advanced reply box. However, what you typed will be shown above the edit box. You can copy/paste the text from above into the advanced edit box. I would suggest going straight to the advanced reply box if you're planning to use that.

Here is the contents of the htaccess file:

## RewriteEngine enabled
RewriteEngine On

# If the request contains /proc/self/environ
RewriteCond %{QUERY_STRING} proc\/self\/environ [OR]
# Legacy configuration variable injection
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_decode stuff to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Instead of using 403, we'd better use 404 (Not Found) to confuse hackers
RewriteRule ^(.*)$ index.php [R=404,L]

## File injection protection
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]\=http:\/\/(.*)
RewriteRule ^(.*)$ - [R=404,L]


## SQLi first line of defense
## May cause problems on legitimate requests
RewriteCond %{QUERY_STRING} concat.*\( [NC,OR]
RewriteCond %{QUERY_STRING} union.*select.*\( [NC,OR]
RewriteCond %{QUERY_STRING} union.*all.*select.* [NC]
RewriteRule ^(.*)$ - [R=404,L]


## Common hacking tools and bandwidth hoggers block

# The following rules are for common hacking tools:
SetEnvIf user-agent "Indy Library" stayout=1
SetEnvIf user-agent "libwww-perl" stayout=1
SetEnvIf user-agent "Wget" stayout=1
# The following rules are for bandwidth-hogging download tools
SetEnvIf user-agent "Download Demon" stayout=1
SetEnvIf user-agent "GetRight" stayout=1
SetEnvIf user-agent "GetWeb!" stayout=1
SetEnvIf user-agent "Go!Zilla" stayout=1
SetEnvIf user-agent "Go-Ahead-Got-It" stayout=1
SetEnvIf user-agent "GrabNet" stayout=1
SetEnvIf user-agent "TurnitinBot" stayout=1
# This line denies access to all of the above tools
deny from env=stayout


### Add handlers - Breaks themes
#AddHandler php-cgi .php .inc
#AddType 'text/html; charset=UTF-8' .html
#AddType text/plain .ini .sh .bsh .bash .awk .nawk .gawk .csh .var .c .in .h .asc .md5 .sha .sha1
#RewriteCond %{REQUEST_FILENAME} !-f # Existing File
#RewriteCond %{REQUEST_FILENAME} !-d # Existing Directory
#RewriteRule . /index.php [L]

## Denies any direct request for files in wp-content ending in .php with a 403 Forbidden (may break plugins/themes)
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-content/.*$ [NC]
RewriteCond %{REQUEST_FILENAME} !^.+flexible-upload-wp25js.php$
RewriteCond %{REQUEST_FILENAME} ^.+\.(php|html|htm|txt)$
RewriteRule .* - [F,NS,L]

## Denies any direct request for files wp-includes ending in .php with a 403 Forbidden
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /wp-includes/.*$ [NC]
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ /wp-includes/js/.+/.+\ HTTP/ [NC]
RewriteCond %{REQUEST_FILENAME} ^.+\.php$
RewriteRule .* - [F,NS,L]

## Blocks some common exploits with a 403 Forbidden
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ ///.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\=?(http|ftp|ssl|https):/.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\?.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(asp|ini|dll).*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(htpasswd|htaccess|aahtpasswd).*\ HTTP/ [NC]
RewriteRule .* - [F,NS,L]

## Denies any POST attempt made to a non-existing wp-comments-post.php
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*/wp-comments-post\.php.*\ HTTP/ [NC]
RewriteRule .* - [F,NS,L]

## Denies any request for a URL containing characters other than "a-zA-Z0-9.+/-?=&"
#RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
#RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ [a-zA-Z0-9\.\+_/\-\?\=\&]+\ HTTP/ [NC]
#RewriteRule .* - [F,NS,L]

## Denies any POST request with a content type other than application/x-www-form-urlencoded|multipart/form-data
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:Content-Type} !^(application/x-www-form-urlencoded|multipart/form-data.*(boundary.*)?)$ [NC]
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]

## Denies exploit using bogus graphics (.jpg that's really .php code)
RewriteCond %{HTTP:Content-Disposition} \.php [NC]
RewriteCond %{HTTP:Content-Type} image/.+ [NC]
RewriteRule .* - [F,NS,L]

# Use PHP5 as default
AddHandler application/x-httpd-php5 .php
AddHandler fcgid-script php cgi fcgi

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]

g1smd

6:22 pm on Jun 27, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The main problem is you have redirects listed after rewrites. This exposes the rewritten pointer back out on to the web as a new URL.

There are many problems with your code.

[F,NS,L] should be just [F].

RewriteEngine On should be first and stated only once.

Where a pattern ends in exactly .*$ delete the .*$ to speed up the rule. There's no point in mod_rewrite parsing the rest of the request only to do nothing with the data.

Where a pattern ends in exactly
(.*)$
AND the backreference is not being used in the rule target, delete the
(.*)$
from the pattern to speed up the rule.

Where you use .* in the MIDDLE of a pattern, it is completely the wrong thing to do. Where that is supposed to match the "filename" part of the URL for example, use ([^/.]+) instead. This says "read everything until the next slash or period". It runs a LOT faster. There are many places where .* should be replaced with something else.

The rule order is incorrect. The general order should be blocks, redirects, rewrites. Within each section, the rules should be ordered from most specific to most general.

josh3427

6:33 pm on Jun 27, 2011 (gmt 0)

10+ Year Member



I'm sorry, I understand very little of that. I didn't create the file, it was just given to me as part of the "hack cleaning" service I purchased. Do you know of a tutorial that would explain how to reorder the blocks, redirects, and rewrites or what to do with all of the .* throughout?

lucy24

8:51 pm on Jun 27, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



For the part about .*, see adjoining post in this Forum. (g1 probably has a macro. I haven't made one yet ;))

Bookmark this page [httpd.apache.org]. You will need to go elsewhere to learn the basics of RegEx; there are lots of sites so look around and find one that seems to be written for your level, whatever that may be.

josh3427

12:19 am on Jun 28, 2011 (gmt 0)

10+ Year Member



I don't know if it's too much to ask, but if you can run it through something that will fix it or you have the expertise to fix it in a couple of minutes, I would really appreciate it. I'm really frustrated after getting hacked and piecing the site back together and it would take me hours and hours I'm sure to figure out what to change.

josh3427

12:55 am on Jun 29, 2011 (gmt 0)

10+ Year Member



Okay, the problem is one of these commands:

RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|inse rt|union|declare|drop|delete|create|alter|update|o rder|char|set|cast|convert|meta|script|truncate).* [NC]
# RewriteRule ^(.*)$ - [F,L]

--------------------------------------------------------

Can anyone identify which one would cause a vBulletin forum to not display properly?

SevenCubed

1:28 am on Jun 29, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Josh, I only know the basics of this stuff, not enough to tackle the problem outright, but until someone else has time to jump in here I noticed there is a space in between the word "order"

create|alter|update|o rder|char|set|cast|convert

Maybe check that out in the meantime if it's not just a typo in your posting of it.

josh3427

1:38 am on Jun 29, 2011 (gmt 0)

10+ Year Member



Thanks for the reply, on my screen for some reason there is an unusual space in "insert" but there aren't any errors in the original file.

josh3427

2:51 am on Jun 29, 2011 (gmt 0)

10+ Year Member



I have no clue. I just commented them all out one by one and the only one that had an effect was RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete|create|alter|update|order|char|set|cast|convert|meta|script|truncate).* [NC] and it caused the whole site to "not be found."

If I comment out RewriteRule ^(.*)$ - [F,L] then the forum works perfectly as it should.
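To see why that one condition takes the whole forum down, here is an added Python emulation of the RewriteCond chain quoted above (example code, not from the thread or from Apache). The query strings are constructed; the simplification step is a mechanical version of g1smd's advice about leading ^.* and trailing .*$ on an unanchored search, and the results with and without those wildcards are checked to be identical.

```python
import re
# RewriteCond %{QUERY_STRING} chain as posted in the thread, with the forum's
# "inse rt"/"o rder" line-break artifacts removed. Every line but the last has
# [OR], so the RewriteRule fires if ANY condition matches; NC = case-insensitive.
CONDITIONS = [
    (r"\.\.\/", "NC,OR"), (r"boot\.ini", "NC,OR"), (r"tag\=", "NC,OR"),
    (r"ftp\:", "NC,OR"), (r"http\:", "NC,OR"), (r"https\:", "NC,OR"),
    (r"(\<|%3C).*script.*(\>|%3E)", "NC,OR"),
    (r"(\<|%3C).*iframe.*(\>|%3E)", "NC,OR"),
    (r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)", "NC,OR"),
    (r"base64_encode.*\(.*\)", "NC,OR"),
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", "OR"), (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", "OR"),
    (r"^(.*)cPath=http://(.*)$", "NC,OR"), (r"^(.*)/self/(.*)$", "NC,OR"),
    (r"^.*(\[|\]|\(|\)|<|>).*", "NC,OR"),
    (r"^.*(globals|encode|localhost|loopback).*", "NC,OR"),
    (r"^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop"
     r"|delete|create|alter|update|order|char|set|cast|convert|meta|script"
     r"|truncate).*", "NC"),
]

def matching_conditions(query_string, conditions=CONDITIONS):
    """Indices of the conditions the raw (undecoded) query string trips."""
    hits = []
    for i, (pattern, flags) in enumerate(conditions):
        re_flags = re.IGNORECASE if "NC" in flags else 0
        if re.search(pattern, query_string, re_flags):
            hits.append(i)
    return hits

# g1smd's point: in an unanchored search a leading ^.* or ^(.*) and a trailing
# .*, .*$ or (.*)$ (backreference unused) change nothing but cost time.
LEADING = re.compile(r"^\^\(?\.\*\)?")
TRAILING = re.compile(r"\(?\.\*\)?\$?$")

def strip_redundant_wildcards(pattern):
    return TRAILING.sub("", LEADING.sub("", pattern))

# Constructed query strings: three ordinary forum-style requests and one
# traversal attempt. Only the last condition fires on the benign ones, because
# "order", "char" and "set" are substrings of everyday parameter values.
SAMPLES = ["t=42&page=2", "order=desc&sort=lastpost",
           "do=search&q=charset", "path=../../boot.ini"]

if __name__ == "__main__":
    simplified = [(strip_redundant_wildcards(p), f) for p, f in CONDITIONS]
    for qs in SAMPLES:
        hits = matching_conditions(qs)
        assert hits == matching_conditions(qs, simplified)
        print(f"{qs!r:28} -> blocked by condition(s) {hits}")
```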

lucy24

3:21 am on Jun 29, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Hm, same here. The lines break at "inse rt" and "o rder" and, unless the Forums changed their long-line code within the last few days, you can't blame them.

It's not a zero-width space issue. Pasted into text editor to verify: it's a perfectly normal %20 space.

If you delete the pipes but keep the parentheses, each unwelcome space comes after a set of exactly 42 characters. But now we're getting into grasping-at-straws territory. (If you added one more term after "truncate", would it break after its second letter?)

And I'm positive someone somewhere said something about the ^.* (and possibly .*?) sequence ;)


Edit: Aack! Useful to know, but can you or the nearest passing moderator now put the spaces back?!

[edited by: lucy24 at 3:22 am (utc) on Jun 29, 2011]

SevenCubed

3:22 am on Jun 29, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Here is a link to a thread within this forum [webmasterworld.com...]

#4175811 within that thread by jdMorgan is the best source of info that I am aware of for what you need. You'll need to pick it apart to suit your own needs. It is thorough and very well commented.