homepage Welcome to WebmasterWorld Guest from 54.205.254.108
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Visit PubCon.com
Home / Forums Index / Code, Content, and Presentation / Apache Web Server
Forum Library, Charter, Moderators: Ocean10000 & incrediBILL & phranque

Apache Web Server Forum

    
Website with Htaccess/htpasswd allowing blank login
blank login issue with htaccess
dklbwf




msg:4299775
 12:13 pm on Apr 18, 2011 (gmt 0)

Hello,

I have a website that has been giving me this problem for the last year and i cant seem to figure it out. I have directories which contain htaccess which point to usernames and passwords, when folks get the popup login box they can simply press enter and it will allow them in without using a username but if they try logging in with incorrect values it will function correctly and give them error. The only fix i have been able to come up with is using this htaccess generator which i import all the users into and then simply copy what it gives me into the htpasswd file and blank login is not allowed but some reason hours later the blank login problem is back. Am i being hacked?

Thanks N Advance!

 

jdMorgan




msg:4303786
 8:04 pm on Apr 25, 2011 (gmt 0)

"(Several) hours later" sounds like a hack. Contact your host, and look for unknown scripts buried in both "unknown-to-you" and familiar directories. Compare filesizes and creation dates of all of your scripts to the original backups that you've kept separately. If the filesizes and dates don't match, that script may have been modified.

The first step is to stop the intrusions -- close the hole that allowed malicious users to get in to your server. Change all "webmaster and admin access" passwords, update all commercial scripts to the latest patch level. The second step is to replace the hacked code. Doing this in reverse order is not useful.

Jim

dklbwf




msg:4303903
 12:16 am on Apr 26, 2011 (gmt 0)

thanks so much for response Jim. My biggest problem is i was bought onto this website a year after it was developed and there is no telling what the orginal web guy has going on. I know its a hack for sure becuase how things happen, i can lock the reload the htpasswd file with new encryptions and everything work fine and then maybe days later the site is back open. its like maybe someone is logging in every now and then and once they see i have reloaded the htpasswd they do whatever it is they do, im just so lost on where to look being that i really didnt develop the backend at all. was hired as frontend designer, have explained to the client the only real way to get this taken care of is to start from scratch and letme redo everything, front and back.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / Apache Web Server
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved