
.htaccess Security Solution? (777 directories hacked)

Will this protect these directories?


bboyce

4:23 am on Jan 20, 2006 (gmt 0)

10+ Year Member



I have been hacked twice now by somebody (or some script) that uploads an .htaccess file and a randomly named PHP script to any directories CHMODed 777 on my site. The .htaccess redirects any 404s to the PHP script that is uploaded and the PHP script redirects the user to a third party website. This has gotten me banned from Google because somehow the search engines grab a bunch of URLs pointing to the directory with random porn and warez phrases after the directory URL.

I can't CHMOD the affected directories (image directories) because of the nature of our website (images are uploaded on a constant basis), but I started thinking:

What if I upload an .htaccess file that is CHMOD'd 644 and prevents PHP scripts from running in that directory?

Would this work?

What would I need to put in the .htaccess to prevent anything with a .php extension from running?

Any help much appreciated... thanks...

- B

jdMorgan

4:58 pm on Jan 20, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member




RemoveHandler .php

might work.

Whether such a modified .htaccess file will survive depends on how you allow uploads to your server. Obviously, no filtering is currently being done, which is allowing any type of file to be uploaded.

It sounds like your server configuration and scripts need a thorough review by a server security expert. If this is a commercially-hosted site, you might start by asking your hosting company for some assistance. Your current setup is not only a threat to itself, but represents a threat to the Web as a whole; any kind of script could apparently be uploaded, causing your server to attack other servers on the Web...

Jim
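A fuller version of the RemoveHandler idea from the reply above, as an added example (not code from the thread or from any of its posters): a defence-in-depth .htaccess for the image upload directory. It assumes Apache 2.2 with mod_php and an AllowOverride setting that permits FileInfo, Options and Limit overrides; the file must be owned by an account other than the one Apache runs as, or the next upload can simply replace it.

```apache
# Hardened .htaccess for a world-writable image upload directory.
# Added example, not from the thread. Assumes Apache 2.2 + mod_php and
# AllowOverride FileInfo Options Limit (or All) for this directory.

# 1. Detach PHP from these extensions so mod_php never executes them here.
#    RemoveHandler alone can be undone by an AddType mapping inherited from
#    the server config, so drop the MIME type association as well.
RemoveHandler .php .phtml .php3 .php4 .php5
RemoveType    .php .phtml .php3 .php4 .php5

# 2. Belt and braces: switch the PHP engine off for the whole directory.
#    Wrapped in IfModule so the file does not cause a 500 error on a host
#    that runs PHP as CGI/FastCGI rather than mod_php. The module name
#    differs by PHP version (mod_php5.c, mod_php7.c, mod_php.c).
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>

# 3. Refuse to serve any script-looking file at all, so a stray handler
#    mapping cannot run it and its source is not exposed either.
<FilesMatch "\.(php|phtml|php[0-9]|cgi|pl|py|sh)$">
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead.
    Order allow,deny
    Deny from all
</FilesMatch>

# 4. No CGI execution and no directory listings from an upload directory.
Options -ExecCGI -Indexes
```

Verify it is honoured before relying on it: a request for a harmless test .php file placed in the directory should return 403, not PHP output or a 500 (a 500 means AllowOverride does not permit one of the directives). As the other replies point out, this only limits the damage; it does not stop arbitrary files from being written into a 777 directory in the first place.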

StupidScript

8:09 pm on Jan 26, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Why do you need a world-executable directory like that in the first place? I understand that images are being uploaded to one, but why so wide open? Set the directory to be owned by the 'user' doing the uploading (nobody, apache, whatever) and then 600 the whole thing.

If someone has been able to set up their own custom .htaccess file in your directory, that's a pretty big problem that won't be solved by setting more restrictive permissions on a file within that directory, even if it is .htaccess.

bboyce

8:15 pm on Jan 26, 2006 (gmt 0)

10+ Year Member



The images are uploaded by a PHP script that is in an auth protected area -- it is run as "guest" or whatever the default user is when you are running a PHP script through a web browser -- is there any way to change the user of the script?

extras

8:23 pm on Jan 26, 2006 (gmt 0)

10+ Year Member



If you are using a shared hosting provider, and they are using mod_php,
I don't think you can make it secure easily.
(On some hosts, you can use a Suid (binary) CGI program to write the data with the user's id.)
Basically, you shouldn't use any script that writes data on such hosts.
(Scripts without need for writing data can be used safely.)

If it's shared hosting, but with SuExec, you don't need and you shouldn't use unsafe permissions like 777/666.

If it's a dedicated/VPS server, it means the server is compromised.
You need a full review of the security situation.