Forum Replies Created

Viewing 4 replies - 1 through 4 (of 4 total)
    Thread Starter DDCoating

    (@ddcoating)

    And out of the blue, 1 month AFTER removing the plugin, we receive an email from [email protected]. zeratul.6scan.com 198.7.62.83
    ……………………
    Dear Webmaster,

    6Scan’s security scanner has detected the following new security vulnerabilities on your site:

    Description
    WordPress Readme file discloses information about your WordPress version

    Severity LOW

    If not fixed, these vulnerabilities could open you up to attack from hackers and malicious bots. Click below to go to the 6Scan Dashboard, where you can get free fix instructions or sign up for one of our automated fix plans.

    Go To Dashboard

    Safe browsing!
    The 6Scan Team

    You are receiving this email because your site, is protected with 6Scan’s website security plugin. To stop receiving new vulnerability notifications, click here or visit your dashboard. Contact us at [email protected] if you have any questions.
    Six Scan Ltd., 2964 Columbia St. Suite # 38088, Torrance, CA 90503.
    ……………………

    Well guys, NO, our site is NOT SUPPOSED to be protected by 6scan any longer. We never created an account; obviously you harvested the email address (we sure didn’t submit it), we deleted the plugin less than 30 minutes after it was installed, we continue to receive 404 log errors from your servers looking for files that are not on our server, and now we receive alerts about a vulnerability in our readme file?

    And NO I’m not going to email you with any personal credentials so you can investigate further for the betterment of future users. There’s a trust factor that does not exist here. You take every complaint straight to email and out of the public’s eye. People have a right to see the headaches this plugin can cause.

    So I’ll ask. Why is your plugin scanning pages from our site <- [I know, it will for “quite a while”] and generating email reports 30 days later and where did you get our email address? Once again we absolutely did not create an account. The request for personal info to create an account is why we decided NOT to keep the plugin active. Yet, you obviously have that very same info!

    Thread Starter DDCoating

    (@ddcoating)

    I couldn’t uninstall the plugin via the dashboard. I had to remove the plugin via an FTP program because, as I mentioned, once it was activated it created a 500 internal server error. Every page was blank until the plugin was removed and I removed the added code from the .htaccess file. I never created an account. Blank page. Blank site. Verified our server working properly. Came here and posted my problem looking for support.

    No thanks on sending info via email and taking this private. Every support thread I read ended once the support went to the email. I prefer to keep the info public. Maybe save someone else some time if they encounter the same results.

    I’ve been done with the plugin for a couple weeks anyway. No big deal. I came back for info regarding the errors. It looks like I will simply deny the IP addresses as they appear or until you quit looking for the absent files.

    I’m marking this topic as resolved.

    Thread Starter DDCoating

    (@ddcoating)

    I’ll pass on sending you more info since I was able to remove the files and recover the site on my own.

    But perhaps you can answer why today, two weeks after removing the plugin, I’m still generating 404 errors in my logs to pages that were related to the plugin and the IP generating the errors traces back to 6scan.com? What is it you’re looking for and why are you still trying to connect to our site?

    Host: 198.7.62.83 – zeratul.6scan.com
    /wp-content/plugins/6scan-protection/modules/signatures/notice.php?nonce=427&upd-security-logs=1&upd-a

    There are 6 entries like the one above [nonce=427 increases in increments of 1 for each entry] made within 15 seconds for today so far.
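An added example (not from the thread or from 6Scan) that does what the post describes by hand: it parses Apache combined-format access log lines, picks out the 404s against the removed plugin's path, checks whether the nonce values climb by one per request, and renders an Apache 2.4 block denying the offending source IPs. The log lines are constructed to match the entry quoted above.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format, modelled on the
# entry quoted in the post (host 198.7.62.83, the plugin's notice.php path).
SAMPLE_LOG = """\
198.7.62.83 - - [10/Mar/2013:14:02:11 +0000] "GET /wp-content/plugins/6scan-protection/modules/signatures/notice.php?nonce=427&upd-security-logs=1 HTTP/1.1" 404 512 "-" "6Scan"
198.7.62.83 - - [10/Mar/2013:14:02:13 +0000] "GET /wp-content/plugins/6scan-protection/modules/signatures/notice.php?nonce=428&upd-security-logs=1 HTTP/1.1" 404 512 "-" "6Scan"
203.0.113.7 - - [10/Mar/2013:14:02:20 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.7.62.83 - - [10/Mar/2013:14:02:25 +0000] "GET /wp-content/plugins/6scan-protection/modules/signatures/notice.php?nonce=429&upd-security-logs=1 HTTP/1.1" 404 512 "-" "6Scan"
"""

# ip, method, path, status from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
NONCE_RE = re.compile(r'[?&]nonce=(\d+)')
PLUGIN_PREFIX = "/wp-content/plugins/6scan-protection/"

def find_orphaned_plugin_probes(log_text):
    """Return {ip: [nonce, ...]} for 404s against the removed plugin's path."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if status == "404" and path.startswith(PLUGIN_PREFIX):
            n = NONCE_RE.search(path)
            probes[ip].append(int(n.group(1)) if n else None)
    return dict(probes)

def nonces_are_sequential(nonces):
    """True when every nonce is the previous one plus one, the pattern the
    post describes (427, 428, ... one per request)."""
    return all(b == a + 1 for a, b in zip(nonces, nonces[1:]))

def apache24_deny_block(ips):
    """Render an Apache 2.4 block denying the given IPs site-wide."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in sorted(ips)]
    lines.append("</RequireAll>")
    return "\n".join(lines)

if __name__ == "__main__":
    probes = find_orphaned_plugin_probes(SAMPLE_LOG)
    for ip, nonces in probes.items():
        print(ip, nonces, "sequential" if nonces_are_sequential(nonces) else "")
    print(apache24_deny_block(probes))
```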

    Thread Starter DDCoating

    (@ddcoating)

    The problem! You guys jacked up the .htaccess file with all this bullshit! Site popped right back online once this garbage was removed!

    # Created by 6Scan plugin
    #Those are used by 6Scan Gateway
    SetEnv SIXSCAN_HTACCESS_VERSION 1
    SetEnv SIXSCAN_WP_BASEDIR /
    #don't show directory listing and apache information
    ServerSignature Off
    <IfModule mod_rewrite.c>
    RewriteEngine On
    #avoid direct access to the 6scan-gate.php file
    RewriteCond %{ENV:REDIRECT_sixscaninternal} !^accessgranted$
    RewriteCond %{ENV:sixscaninternal} !^accessgranted$
    RewriteCond %{REQUEST_URI} 6scan-gate\.php$
    RewriteRule ^(.*)$ - [F]
    #This is not really a must, but speeds things up a bit
    RewriteRule ^6scan-gate\.php$ - [L]
    #Patrol's IPs needs access, to check whether rules update is required
    RewriteCond %{REMOTE_ADDR} ^108\.59\.1\.37$ [OR]
    RewriteCond %{REMOTE_ADDR} ^108\.59\.5\.197$ [OR]
    RewriteCond %{REMOTE_ADDR} ^108\.59\.2\.209$ [OR]
    RewriteCond %{REMOTE_ADDR} ^95\.211\.58\.114$ [OR]
    RewriteCond %{REMOTE_ADDR} ^95\.211\.70\.82$ [OR]
    RewriteCond %{REMOTE_ADDR} ^107\.22\.183\.61$ [OR]
    RewriteCond %{REMOTE_ADDR} ^78\.47\.11\.131$ [OR]
    RewriteCond %{REMOTE_ADDR} ^199\.115\.112\.90$ [OR]
    RewriteCond %{REMOTE_ADDR} ^192\.96\.201\.13$
    RewriteRule ^(.*)$ - [S=6]
    #Broad-spectrum protection: User agent/referrer injections. XSS,RFI and SQLI prevention
    RewriteCond %{REQUEST_METHOD} ^(OPTIONS|PUT|DELETE|TRACE|CONNECT|PATCH|TRACK|DEBUG) [NC]
    RewriteRule .* - [E=sixscansecuritylog:1,E=sixscanstrangerequest:1] -
    RewriteCond %{QUERY_STRING} (http(s)?(:|%3A)(/|%2F)(/|%2F)|ftp(:|%3A)(/|%2F)(/|%2F)|zlib(:|%3A)|bzip2(:|%3A)) [NC]
    RewriteRule .* - [E=sixscansecuritylog:1,E=sixscanwafrfi:1] -
    RewriteCond %{REQUEST_METHOD} ^(POST) [NC]
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^(WordPress\/[\d.]+;\s+)?https?://(www.)?domain\.com [NC]
    RewriteRule .* - [E=sixscansecuritylog:1,E=sixscanwafcsrf:1] -
    RewriteCond %{QUERY_STRING} (<|%3c).*(script|iframe|src).*(>|%3e) [NC]
    RewriteRule .* - [E=sixscansecuritylog:1,E=sixscanwafxss:1] -
    RewriteCond %{QUERY_STRING} union.*select [NC,OR]
    RewriteCond %{QUERY_STRING} (concat|delete|right|ascii|left|mid|version|substring|extractvalue|benchmark|load_file).*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} (into.*outfile) [NC,OR]
    RewriteCond %{QUERY_STRING} (having.*--) [NC]
    RewriteRule .* - [E=sixscansecuritylog:1,E=sixscanwafsqli:1] -
    RewriteCond %{REQUEST_URI} ^/just/a/random/dir/to/avoid/htaccess/mixups\.php
    RewriteRule .* /6scan-gate.php [E=sixscaninternal:accessgranted,L]
    </IfModule>
    # End of 6Scan plugin

    Also manually removed 6scan-gate.php and 6scan-signature.php from my root folder! What a crock of crap.

    Has your code been injected anywhere else that isn’t visible?
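An added example (not from the thread or from 6Scan) of the cleanup the poster did by hand: it cuts the block between the plugin's own "# Created by 6Scan plugin" and "# End of 6Scan plugin" markers out of an .htaccess file while keeping everything else, and checks the site root for the leftover files and plugin directory named in this thread. The .htaccess content and the site directory are constructed for the demo.

```python
import os
import re
import tempfile

# Everything between the plugin's own start and end markers, inclusive.
BLOCK_RE = re.compile(
    r"# Created by 6Scan plugin\n.*?# End of 6Scan plugin\n?", re.DOTALL
)
# Files and directories named in the thread; anything else is left alone.
LEFTOVER_PATHS = [
    "6scan-gate.php",
    "6scan-signature.php",
    "wp-content/plugins/6scan-protection",
]

def strip_6scan_block(htaccess_text):
    """Return (cleaned_text, removed); removed is True when a marker block
    was found and cut out. Text outside the markers is kept untouched."""
    cleaned, count = BLOCK_RE.subn("", htaccess_text)
    return cleaned, count > 0

def find_leftovers(site_root):
    """List plugin artifacts that still exist under site_root."""
    return [p for p in LEFTOVER_PATHS if os.path.exists(os.path.join(site_root, p))]

# Constructed .htaccess: the normal WordPress block followed by a 6Scan block.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteRule ^index\\.php$ - [L]
# END WordPress
# Created by 6Scan plugin
SetEnv SIXSCAN_HTACCESS_VERSION 1
ServerSignature Off
<IfModule mod_rewrite.c>
RewriteRule ^6scan-gate\\.php$ - [L]
</IfModule>
# End of 6Scan plugin
"""

def demo():
    """Build a throwaway site dir with one leftover file, then clean and scan."""
    root = tempfile.mkdtemp()
    open(os.path.join(root, "6scan-gate.php"), "w").close()
    cleaned, removed = strip_6scan_block(SAMPLE_HTACCESS)
    return cleaned, removed, find_leftovers(root)

if __name__ == "__main__":
    cleaned, removed, leftovers = demo()
    print(cleaned)
    print("block removed:", removed, "leftover files:", leftovers)
```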
