
.htaccess rewrite for security

I run a forum and am having trouble with shells being uploaded to the server (I'm on a shared server). My host is no help so I've been trying to come up with a solution on my own. I am trying to add conditions to my .htaccess file to redirect the URL whenever someone tries to access a shell on my server. Since the name of the php file changes just about every time, I can't figure out how to do it successfully.

I would like to redirect any URL containing the following:
".php?act=f&f=config.php&d=%2Fhome%2Fusername%2Fpublic_html&"
to my site's home page, so they won't be able to get my DB info (I plan to add lines for more commands after I get this one working as well).

I am completely new to .htaccess and have read several guides on all different methods, but I have been unable to get any of them to work. Does anyone have any suggestions?

I am testing with a C99 shell that I removed the last time they hacked us. And no, I didn't try accessing the file directly from my browser, as my forum software already prevents that and that's not what I'm worried about.

A little more clarification:
The person uploads a shell on my server without my permission (my host isn't much help in preventing this); let's say the filename is shell.php. Then they run the shell from their browser, http://mysite.com/shell.php, which gives them several options to modify and view things that they shouldn't be. My main concern is protecting my database, whose information is stored in my config file. When they view the config file from the shell, the URL is something like this: http://mysite.com/shell.php?mode=edit&file=config.php&.....

I want .htaccess to look for that string "config.php" in all URLs and redirect any URLs containing that string to another page.

Also, I put the following into the .htaccess file, which didn't work either:
<FilesMatch "(\\.inc|\\.sh|.*sql|config\\.php)$">
Order allow,deny
</FilesMatch>
Bump.
Don't allow uploading of PHP files into the publicly accessible portion of your web site.
If your host is not secure, move.
The server should not be allowing any PHP shell script to run; that means your host has no idea how to secure a shared server environment. I know, I do this for a living.
Sorry, but these posts don't help me.
What you're asking for cannot be done in .htaccess; it could be done only at the server level through mod_security (Apache module) or through PHP hardening.

The only thing you can do on your end is to make sure they cannot upload the file, but once it's uploaded, there is nothing you can do from your end to stop it other than deleting it. This is why I said you should move, as you stated your host is not helping you.
Quote:

Originally Posted by Heroin Rob View Post
Sorry, but these posts don't help me.

Read what appears below, and then DO it.

Quote:

Originally Posted by error10 View Post
Don't allow uploading of PHP files into the publicly accessible portion of your web site.
Read what appears above, and then DO it.

If you have questions, then ask them.
Man. I can't afford a new host and this one is paid through for a few months. So I have a host that's an idiot kid who can't do a single thing right, I can't move, and I can't stop it.

Pretty much what I had expected I guess.
So wait a minute, the security problem where someone is uploading PHP files is not coming through YOUR web site, but someone ELSE's web site on the same server?!
Yes. There is little I can do other than try this.

It is obvious that my host is fail, and he really wasn't so much when I was first on the server, but shortly after one of my members paid for a few months in advance, he started to get crappy. He was probably always crappy though, so ehh.

But yeah, could use some help with this.
If the security is being compromised via some part of the server outside your control, then there really isn't much you can do.
Quote:

Originally Posted by error10 View Post
If the security is being compromised via some part of the server outside your control, then there really isn't much you can do.
I'm just trying to do as much as I can with what I can. :/
If it were me, I would cut my losses and move immediately.
There has to be a way. It's simple, I just can't find it. Just because you are unsure or have never done it doesn't mean it's impossible. As I have said, this host is paid through. He sucks, but it's what I've got. This idea SHOULD work and I am sure it will with the right replies and elbow grease.

Yes, I CAN move hosts, but that's the easy way to do it (well, harder for me) and I lack a vagina so that narrows it down a bit.
The only reason you can blame the hosting company is if the entire server was compromised. In this case that does not sound like the cause so you need to stop blaming the host and fix this yourself. Chances are the next hosting company you move to will tell you the same exact thing when this happens again. It is not their problem that you decided to create or upload a site that lets someone write files to it.

You should be doing what error10 said.

Quote:

Originally Posted by error10 View Post
Don't allow uploading of PHP files into the publicly accessible portion of your web site.
* Check permissions on your web folders and files. For the time being change anything that is group and world writable. The default permissions for folders should be 755 and for files 644. Then work from there.
* Check your logs to see what POSTS are being made to the website.
* Check your code for any scripts that let you upload files, and see if any of them correlate with where the shell files are being placed.
* Check your web reports and see what pages are being accessed the most. In most cases like this, the "hackers" will write scripts that continue to access the compromised pages, to reload the shell files in case you remove them.

I am sure there are other things you can do. The .htaccess thing you were trying to do is a bad idea in my opinion. The reason is because it does not fix the problem.
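
The log checks from the list above, as an added example that is not part of the original post or written by any participant: it parses Apache combined-format access log lines, counts POSTs per PHP script, and flags requests whose query string names config.php, the URL pattern described in the first post. The log lines, IP addresses and the /forum/uploads/ path are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache "combined" format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2009:10:01:02 +0000] "POST /forum/upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2009:10:01:09 +0000] "GET /forum/uploads/shell.php?act=f&f=config.php&d=%2Fhome%2Fusername%2Fpublic_html& HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2009:10:02:00 +0000] "GET /forum/index.php?showtopic=12 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2009:10:03:30 +0000] "POST /forum/uploads/shell.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2009:10:04:00 +0000] "POST /forum/index.php?act=Post HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
SENSITIVE = ("config.php",)  # file names that should never show up as a parameter value


def parse(line):
    """Return ip/method/path/params/status for one log line, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    url = urlsplit(target)
    return {"ip": ip, "method": method, "path": url.path,
            "params": parse_qsl(url.query, keep_blank_values=True),  # URL-decoded
            "status": int(status)}


def analyse(log_text):
    posts = Counter()      # POST count per PHP script path
    sensitive_hits = []    # (ip, path) where a query value names a sensitive file
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].lower().endswith(".php"):
            posts[rec["path"]] += 1
        if any(s in v.lower() for _, v in rec["params"] for s in SENSITIVE):
            sensitive_hits.append((rec["ip"], rec["path"]))
    # Scripts that both receive POSTs and are asked for a sensitive file
    # are the first ones to inspect by hand.
    suspects = sorted({p for _, p in sensitive_hits if posts[p]})
    return posts, sensitive_hits, suspects
```

Comparing the timestamps of POSTs to a legitimate upload script with the first request to a newly appearing .php path is what ties a shell back to the script that let it in.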
Quote:

Originally Posted by kyotejones View Post
The only reason you can blame the hosting company is if the entire server was compromised. In this case that does not sound like the cause so you need to stop blaming the host and fix this yourself. Chances are the next hosting company you move to will tell you the same exact thing when this happens again. It is not their problem that you decided to create or upload a site that lets someone write files to it.

You should be doing what error10 said.

* Check permissions on your web folders and files. For the time being change anything that is group and world writable. The default permissions for folders should be 755 and for files 644. Then work from there.
* Check your logs to see what POSTS are being made to the website.
* Check your code for any scripts that let you upload files, and see if any of them correlate with where the shell files are being placed.
* Check your web reports and see what pages are being accessed the most. In most cases like this, the "hackers" will write scripts that continue to access the compromised pages, to reload the shell files in case you remove them.

I am sure there are other things you can do. The .htaccess thing you were trying to do is a bad idea in my opinion. The reason is because it does not fix the problem.
Fail. I appreciate the effort, but no. The server is shared so we can do little about who the host gives out space to. That's where the issue lies. The entire server is compromised and they have more access than we do. Hell, they can undo most everything we do anyways; that's why we are trying this approach. We can't do much to stop them from getting access, but we can try to limit what they can do or try to trick them into thinking they can't do what they want.

We can't switch hosts, and all the perms are correctly set, so what error is saying doesn't work for me.