• I downloaded 6scan to check our site for problems. After installing and activating, the screen appeared to create a 6scan account. I decided not to create the account but clicked scan site anyway. As quickly as the button was pressed to scan the site, every page went directly to a 500 error and has stayed that way even after deleting the 6scan plugin via my ftp program.

    What happened!?

    I have complete access to everything else, mail, directories via ftp and cpanel, but site no longer works!

    https://www.ads-software.com/plugins/6scan-protection/

Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter DDCoating

    (@ddcoating)

    The problem! You guys jacked up the .htaccess file with all this bullshit! Site popped right back online once this garbage was removed!

    # Created by 6Scan plugin
    #Those are used by 6Scan Gateway
    SetEnv SIXSCAN_HTACCESS_VERSION 1
    SetEnv SIXSCAN_WP_BASEDIR /

    #don't show directory listing and apache information
    ServerSignature Off

    <IfModule mod_rewrite.c>
    RewriteEngine On

    #avoid direct access to the 6scan-gate.php file
    RewriteCond %{ENV:REDIRECT_sixscaninternal} !^accessgranted$
    RewriteCond %{ENV:sixscaninternal} !^accessgranted$
    RewriteCond %{REQUEST_URI} 6scan-gate\.php$
    RewriteRule ^(.*)$ - [F]

    #This is not really a must, but speeds things up a bit
    RewriteRule ^6scan-gate\.php$ - [L]

    #Patrol's IPs needs access, to check whether rules update is required
    RewriteCond %{REMOTE_ADDR} ^108\.59\.1\.37$ [OR]
    RewriteCond %{REMOTE_ADDR} ^108\.59\.5\.197$ [OR]
    RewriteCond %{REMOTE_ADDR} ^108\.59\.2\.209$ [OR]
    RewriteCond %{REMOTE_ADDR} ^95\.211\.58\.114$ [OR]
    RewriteCond %{REMOTE_ADDR} ^95\.211\.70\.82$ [OR]
    RewriteCond %{REMOTE_ADDR} ^107\.22\.183\.61$ [OR]
    RewriteCond %{REMOTE_ADDR} ^78\.47\.11\.131$ [OR]
    RewriteCond %{REMOTE_ADDR} ^199\.115\.112\.90$ [OR]
    RewriteCond %{REMOTE_ADDR} ^192\.96\.201\.13$
    RewriteRule ^(.*)$ - [S=6]

    #Broad-spectrum protection: User agent/referrer injections. XSS,RFI and SQLI prevention
    RewriteCond %{REQUEST_METHOD} ^(OPTIONS|PUT|DELETE|TRACE|CONNECT|PATCH|TRACK|DEBUG) [NC]
    RewriteRule .* - [E=sixscansecuritylog:1,E=sixscanstrangerequest:1] –

    RewriteCond %{QUERY_STRING} (http(s)?(:|%3A)(/|%2F)(/|%2F)|ftp(:|%3A)(/|%2F)(/|%2F)|zlib(:|%3A)|bzip2(:|%3A)) [NC]
    RewriteRule .* - [E=sixscansecuritylog:1,E=sixscanwafrfi:1] –

    RewriteCond %{REQUEST_METHOD} ^(POST) [NC]
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^(WordPress\/[\d.]+;\s+)?https?://(www.)?domain\.com [NC]
    RewriteRule .* - [E=sixscansecuritylog:1,E=sixscanwafcsrf:1] –

    RewriteCond %{QUERY_STRING} (<|%3c).*(script|iframe|src).*(>|%3e) [NC]
    RewriteRule .* - [E=sixscansecuritylog:1,E=sixscanwafxss:1] –

    RewriteCond %{QUERY_STRING} union.*select [NC,OR]
    RewriteCond %{QUERY_STRING} (concat|delete|right|ascii|left|mid|version|substring|extractvalue|benchmark|load_file).*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} (into.*outfile) [NC,OR]
    RewriteCond %{QUERY_STRING} (having.*–) [NC]
    RewriteRule .* - [E=sixscansecuritylog:1,E=sixscanwafsqli:1] –

    RewriteCond %{REQUEST_URI} ^/just/a/random/dir/to/avoid/htaccess/mixups\.php
    RewriteRule .* /6scan-gate.php [E=sixscaninternal:accessgranted,L]
    </IfModule>
    # End of 6Scan plugin

    Also manually removed 6scan-gate.php and 6scan-signature.php from my root folder! What a crock of crap.

    Has your code been injected anywhere else that isn’t visible?
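The manual cleanup described in the post above, written as a repeatable check. This is an added example, not part of the original thread and not 6Scan's code: it removes the block between the two marker comments quoted in the post and reports which of the files named there are still on disk. The function names and the sample `.htaccess` are constructed for illustration.

```python
import os

BEGIN = "# Created by 6Scan plugin"   # marker comments as quoted in the post
END = "# End of 6Scan plugin"
# Paths named in the thread, relative to the WordPress root.
LEFTOVERS = ("6scan-gate.php", "6scan-signature.php",
             os.path.join("wp-content", "plugins", "6scan-protection"))

def strip_plugin_block(text):
    """Return (cleaned_text, removed_lines); refuse to guess on unbalanced markers."""
    kept, removed, inside = [], [], False
    for line in text.splitlines():
        marker = line.strip()
        if marker == BEGIN:
            if inside:
                raise ValueError("second begin marker before an end marker")
            inside = True
        elif marker == END and not inside:
            raise ValueError("end marker without a begin marker")
        (removed if inside else kept).append(line)
        if marker == END:
            inside = False
    if inside:
        # A half-deleted block: stop rather than drop the rest of the file.
        raise ValueError("begin marker without an end marker")
    return "\n".join(kept) + "\n", removed

def find_leftovers(root):
    """List the plugin paths from the thread that still exist under root."""
    return [p for p in LEFTOVERS if os.path.exists(os.path.join(root, p))]

# Constructed sample: a plugin block followed by a typical WordPress block.
SAMPLE = """\
# Created by 6Scan plugin
SetEnv SIXSCAN_HTACCESS_VERSION 1
ServerSignature Off
# End of 6Scan plugin

# BEGIN WordPress
RewriteEngine On
RewriteRule . /index.php [L]
# END WordPress
"""

if __name__ == "__main__":
    cleaned, removed = strip_plugin_block(SAMPLE)
    print(f"removed {len(removed)} lines; remaining file:\n{cleaned}")
    print("leftover files:", find_leftovers("."))
```

Keep a copy of the original `.htaccess` before writing the cleaned text back, so the removed directives remain available for comparison.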

    Plugin Author 6Scan

    (@6scan)

    Hi DDCoating,

    The files you mention are required in order to allow our scan to complete successfully without having other plugins (such as caching plugins) interfere with it. They are also used later on to help you fix the problems found by the scan.

    These files are not intended to interfere with proper site operation, and have been tested on tens of thousands of sites successfully. If you were having a problem, I would greatly appreciate it if you could send your site URL and any other details to us at [email protected] – we’d like to investigate and understand why that could have happened.

    Thanks.

    Thread Starter DDCoating

    (@ddcoating)

    I’ll pass on sending you more info since I was able to remove the files and recover the site on my own.

    But perhaps you can answer why today, two weeks after removing the plugin, I’m still generating 404 errors in my logs to pages that were related to the plugin and the IP generating the errors traces back to 6scan.com? What is it you’re looking for and why are you still trying to connect to our site?

    Host: 198.7.62.83 – zeratul.6scan.com
    /wp-content/plugins/6scan-protection/modules/signatures/notice.php?nonce=427&upd-security-logs=1&upd-a

    There are 6 entries like the one above [nonce=427 increases in increments of 1 for each entry] made within 15 seconds for today so far.
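A way to pull the pattern described in the post above out of an access log, as an added example that is not part of the original thread. It assumes Apache combined log format; the sample lines are constructed (timestamps, sizes and the 203.0.113.9 client are made up, and the query string is shortened), and the function name is hypothetical. It groups 404 responses for the removed plugin's path by source address and keeps the `nonce` values so the incrementing sequence is visible.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Path of the deleted plugin, as it appears in the post.
PLUGIN_PREFIX = "/wp-content/plugins/6scan-protection/"

# client, identd, user, [time], "METHOD target PROTO", status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def callbacks_to_removed_plugin(lines):
    """Map source IP -> list of nonce values for 404s under PLUGIN_PREFIX."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, target, status = m.groups()
        url = urlsplit(target)
        if status == "404" and url.path.startswith(PLUGIN_PREFIX):
            nonce = parse_qs(url.query).get("nonce", [None])[0]
            hits[ip].append(nonce)
    return dict(hits)

# Constructed sample log lines.
SAMPLE_LOG = [
    '198.7.62.83 - - [01/Jan/2013:10:00:01 +0000] "GET /wp-content/plugins/'
    '6scan-protection/modules/signatures/notice.php?nonce=427&upd-security-logs=1'
    ' HTTP/1.1" 404 512',
    '198.7.62.83 - - [01/Jan/2013:10:00:03 +0000] "GET /wp-content/plugins/'
    '6scan-protection/modules/signatures/notice.php?nonce=428&upd-security-logs=1'
    ' HTTP/1.1" 404 512',
    '198.7.62.83 - - [01/Jan/2013:10:00:05 +0000] "GET / HTTP/1.1" 200 8421',
    '203.0.113.9 - - [01/Jan/2013:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 8421',
]

if __name__ == "__main__":
    for ip, nonces in callbacks_to_removed_plugin(SAMPLE_LOG).items():
        print(f"{ip}: {len(nonces)} requests, nonces {nonces}")
```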

    Plugin Author 6Scan

    (@6scan)

    Sure thing, DDCoating. When you install the plugin, our servers perform a periodical rescan of your site to see if there are new threats to be dealt with, and also “pings” the plugin often just to make sure it has the latest configuration. I’m guessing you removed the plugin’s files without going through an uninstall process, so our servers don’t actually know you are no longer using the 6Scan plugin. Because many of our sites will temporarily go down for a while (e.g. for maintenance), we will continue to try accessing the site for quite a while before we give up.

    You can easily stop this by logging in to your 6Scan Site Manager (https://6scan.com/login) and removing the site you no longer want to be accessed; however, in your case, I do recommend you just give us the information at [email protected] and we’ll be happy to help you out.

    I will also re-request the information from my previous message – it would be tremendously helpful if you could provide us more information on how the plugin affected your site, so we can be sure to provide the best experience for our users in the future.

    Thanks.

    Thread Starter DDCoating

    (@ddcoating)

    I couldn’t uninstall the plugin via the dashboard. I had to remove the plugin via an ftp program because, as I mentioned, once it was activated it created a 500 internal server error. Every page was blank until the plugin was removed and I removed the added codes from the htaccess file. I never created an account. Blank page. Blank site. Verified our server working properly. Came here and posted my problem looking for support.

    No thanks on sending info via email and taking this private. Every support thread I read ended once the support went to the email. I prefer to keep the info public. Maybe save someone else some time if they encounter the same results.

    I’ve been done with the plugin for a couple weeks anyway. No big deal. I came back for info regarding the errors. It looks like I will simply deny the IP addresses as they appear or until you quit looking for the absent files.

    I’m marking this topic as resolved.

    Thread Starter DDCoating

    (@ddcoating)

    And out of the blue, 1 month AFTER removing the plugin, we receive an email from [email protected]. zeratul.6scan.com 198.7.62.83
    ……………………
    Dear Webmaster,

    6Scan’s security scanner has detected the following new security vulnerabilities on your site:

    Description
    WordPress Readme file discloses information about your WordPress version

    Severity LOW

    If not fixed, these vulnerabilities could open you up to attack from hackers and malicious bots. Click below to go to the 6Scan Dashboard, where you can get free fix instructions or sign up for one of our automated fix plans.

    Go To Dashboard

    Safe browsing!
    The 6Scan Team

    You are receiving this email because your site, is protected with 6Scan’s website security plugin. To stop receiving new vulnerability notifications, click here or visit your dashboard. Contact us at [email protected] if you have any questions.
    Six Scan Ltd., 2964 Columbia St. Suite # 38088, Torrance, CA 90503.
    ……………………

    Well guys, NO, our site is NOT SUPPOSED to be protected by 6scan any longer. We never created an account, obviously you harvest the email address, (we sure didn’t submit it), we deleted the plugin less than 30 minutes after it was installed, we continue to receive 404 log errors from your servers looking for files that are not on our server, and now we receive alerts about a vulnerability in our readme file?

    And NO I’m not going to email you with any personal credentials so you can investigate further for the betterment of future users. There’s a trust factor that does not exist here. You take every complaint straight to email and out of the public’s eye. People have a right to see the headaches this plugin can cause.

    So I’ll ask. Why is your plugin scanning pages from our site <- [I know, it will for “quite a while”] and generating email reports 30 days later and where did you get our email address? Once again we absolutely did not create an account. The request for personal info to create an account is why we decided NOT to keep the plugin active. Yet, you obviously have that very same info!

  • The topic ‘500 Internal Server Error’ is closed to new replies.