Hi
Recently my sites were hacked and malicious files were added, which were sending out spam emails. I cleaned up the server and removed the files. Now on one of the sites I'm getting over a thousand hits a day to one of the files (which is no longer there): /checkoutHyg.php
The IPs are always different, but some IPs come back to visit the file at different times. The IPs vary in country. The user agent for every hit is just: Mozilla/5.0
Nothing else. I have tried putting this in my htaccess but it doesn't stop the traffic:
    # BLOCK USER AGENTS
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} Mozilla/5\.0 [NC]
    RewriteRule !^robots\.txt$ - [F]
    # BLOCK BLANK USER AGENTS
    RewriteCond %{HTTP_USER_AGENT} ^-?$
    RewriteRule ^ - [F]
Please can someone help? Thanks
    # FilesMatch tests only the file name, not the URL path, so the pattern has no leading slash
    <FilesMatch "^checkoutHyg\.php$">
        Deny from All
    </FilesMatch>
Place the above in your .htaccess file, and it should block the attempt before it invokes PHP.
Mozilla/5.0 is in so many browser user agents, it's a bad idea to block it (if you want visitors to your site). What zacharooni mentioned will stop the requests. You might want to consider installing something like Bad Behavior: http://bad-behavior.ioerror.us/about/ It won't stop you getting hacked by humans (I assume you've closed the security hole and done a thorough audit for vulnerabilities in the server/code?), but it will stop a lot of bots.
Hi
What I mean by blocking that user agent is blocking it if it is exactly 'Mozilla/5.0', so putting $ on the end. I also added the code you mentioned. Is there any way of blocking it completely, as I still see the POST requests in the Apache log? Thanks
Well, as it's coming from multiple IPs it's not an easy one to filter. You can stop it appearing in the Apache log, but that's not what you want. Contact your host. If they are a good one then they should be able to block traffic to that URL before it hits your server. Otherwise, track down a host that can.
I think the malicious file has a random name. You should back up the database, then reinstall all scripts from clean source.
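An added example, not part of the thread: a log check that counts requests for the removed file from clients sending exactly `Mozilla/5.0`, then lists other `.php` paths those same clients received a 200 for, which are candidates for leftover dropped files. It assumes the Apache combined log format; the sample lines, IP addresses and the path `/images/cache_x1.php` are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

TARGET = "/checkoutHyg.php"  # the removed file named in the thread
BOT_UA = "Mozilla/5.0"       # exact user agent reported in the thread

# Constructed sample lines (documentation IP ranges, made-up timestamps).
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2015:10:01:02 +0000] "POST /checkoutHyg.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2015:10:01:05 +0000] "POST /checkoutHyg.php HTTP/1.1" 403 209 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2015:14:30:00 +0000] "POST /checkoutHyg.php HTTP/1.1" 403 209 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2015:14:30:09 +0000] "POST /images/cache_x1.php HTTP/1.1" 200 15 "-" "Mozilla/5.0"',
    '192.0.2.50 - - [12/Mar/2015:15:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0"',
]

def analyse(lines):
    """Return (hits per IP on TARGET, other .php paths those IPs got a 200 for)."""
    hits = Counter()           # requests for TARGET with the exact bot user agent
    other = defaultdict(set)   # (path, status) of other .php requests, per IP
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue           # not a combined-format line
        path = m["path"].split("?", 1)[0]   # ignore any query string
        if path == TARGET:
            if m["ua"] == BOT_UA:           # exact match, not a substring match
                hits[m["ip"]] += 1
        elif path.endswith(".php"):
            other[m["ip"]].add((path, m["status"]))
    # A 200 served to a client that also probes the removed file deserves a look on disk.
    suspects = sorted({p for ip in hits for p, st in other.get(ip, ()) if st == "200"})
    return hits, suspects

if __name__ == "__main__":
    hits, suspects = analyse(SAMPLE)
    print("clients hitting", TARGET, dict(hits))
    print("other .php paths served to them:", suspects)
```

To run it on a real log, pass an open file object to `analyse()` in place of `SAMPLE`.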