Welcome to WebMasterWorld!
asides good security practices
two things to do RIGHT NOW

1)move your config above www for ex in the cgi
should be something like:
include_once("/pub/users/MySiteNAme/cgi/NewDir/config.php");

2)Place an emergency call to your ISP and require a DB password change.

<edit> Unless you have DB control and can change it on the fly</edit>
good luck
keep us posted

Thanks for the welcome as well as for the reply, I can't move my config file outside the public folder, if I do that, it will stop the script to work properly!

I am doing few tweaks..lets see..what I come up with..also if any PHP guru have any advice..then please share..

This not the way it works.
Open your editor, open all files, do a search for files using the config and rewrite the new path.

Easy!

If you want to post an example of how each file calls for the config and also post the new path we will write the new include for you.

I try to add this code on the top of my config file to disable direct access to config file:

$allowed = "www.domain.com,www.domain2.com";
$allow = explode(",", $allowed);
$server = $_SERVER['SERVER_NAME'];
if(!array_search($server, $allow))
{
//compile email
$to = "user@domain.com";
$subject = "Security Risk!";
$message = "<b>Server Sig:</b> ".$_SERVER['SERVER_SIGNATURE'].", <b>Server:</b> ".$SERVER['SERVER_NAME'].", <b>Admin:</b> ".$_SERVER['SERVER_ADMIN']."";
mail($to, $subject, $message);
die("Stop Hacking!");
}
?>

But it's not working..it's also blocking my own site too..

Edit: that was stupid - won't work.

A remote include is first handled by the server it resides on, not the server that requests it, so, your file is being parsed by your server as php and the results are included on the remote site.

Option 1
Follow steps 1 & 3 below, except move the file below the root, and change the include path to a full path from the root.

The second way to handle this is to:
1. Download the entire site.
2. Make sure any file that contains the file you would like to protect is in the same directory as the file - Usually easiest to duplicate the protected file if there are many diretories that use it.
3. Change the include path to a directory specific path. EG include "file.php";
4. Add this to your .htaccess (Use a bulk find & replace)

RewriteEngine ON
RewriteCond %{THE_REQUEST} thefile\.php [NC]
RewriteRule thefile\.php$ - [F]

Justin

Edited: ~4 times - having trouble with expressing rational thought today will get it sooner or later.

[edited by: jd01 at 9:23 pm (utc) on Sep. 3, 2005]

I think that you are only looking for what to do in negative situation

but what would you do if $_SERVER and $allow are what they are supposed to be?

OK one clean one now.

The only way you can do what you are attempting is if you have HostnameLookups On in your httpd.conf file and can use 'REMOTE_HOST' or you can try gethostbyaddr($_SERVER['REMOTE_ADDR']);

Those are really the only options for denying remote requests in a php file, and will negatively impact server performance. Due to the need of executing a reverse dns look-up to find the information, and the performance hit, many hosts are leaving this option off.

I think the mod_rewrite or below the root solutions are the best, because the impact to your performance will be negligable.

Justin

Is there anyway to disable PHP remote include in Apache? or is there any short way? like including few lines on the top of the file to disable access from other domains? what about:

<?php
if($_SERVER['SERVER_NAME']=="yourdomain.com" ¦¦ $_SERVER['SERVER_NAME']=="www.yourdomain.com") {
   // connection here
} else {
   // error message
}
?>

The problem is a php file on your server will always have your server as the server name and host name - it is processed locally, before it is sent to the remote location...

The short answer is no, there is no easy way.

I know a while ago I spent a couple of days researching how to get a local file to be remotely processed, and the only way is to force your server to not parse it, so when it is included on the remote server it is parsed by that server... The only real ways to do this are to turn your php parsing off - not practical; use a custom extention and have the remote server handle that as php, but not the local one - not possible in your case.

The best advice I can give for overall performance is in my previous posts above - using a relative include path and the mod_rewrite, will make it so not only can the file not be included remotely, it will not be able to be opened in a browser.

The other way is to change the extention, but then someone could simply open the file, copy and paste it and use it on their local server, so it defeats the purpose.

Justin

Thanks for your response Justin, I am doing lil research on it..I come across [hardened-php.net...]

what you think about it?

I think most of what they present can be done by writing secure scripts, and it will be very tough to get a host to install it for you... It also does not help your situation.

Turning off fopen wrappers will keep you from being able to open remote files on your site, but will not prevent someone else from opening your files on their site using an include, require, fopen, or any other number of ways, including an .htaccess proxy request.

There are a *very* limited number of ways to block someone from opening a file on your site, while allowing your server to access and serve the file. The ones I listed above seem to be the most reasonable for your situation.

Sorry there is no easy answer for this. I would very seriously think about a DMCA complaint to the host if you can prove that it is copywritten and yours - If you can they will take the site down - they have to.

Wish I could be more help.

Justin

Thanks for your replies Justin! it helped me alot in understanding! :) I forwared all this to my host, and waiting for their response!