IntegraMOD

Folders to be covered covered:

777 album_mod/upload
777 album_mod/upload/cache
777 album_mod/upload/med_cache
777 album_mod/upload/wm_cache

.htaccess location should be:
album_mod/upload/.htaccess

This will cover all attached folders too, example album_mod/upload/cache inherited the rules of the higher folder.

Add/Create this in a .htaccess file.

This will stop off site use of the folder and is the least you should have!
Access from your site/forums/portal will still function.
Please note:
This may not stop a .script/shell if it's already on the your site! where and how the shell is installed would decide this.

Code: Select all

# access only from inside site. order deny,allowdeny from allallow from localhost 127.0.0.1

Any of your overrides for php need to be carried over from the root level,
this will match your folder and sub folders to the root values.

Example]php_value register_globals off[/code]


This is the rest of the folders listed in the install as set to chmod 777.
You'll need to cover them too.

777 backup
777 cache
777 cgi-bin/tmp
777 files
777 files/thumbs
777 images/avatars
777 images/smiles
777 includes/cache_tpls
777 modules
777 modules/cache
777 modules/cache/explain
777 pafiledb/cache
777 pafiledb/cache/templates
777 pafiledb/cache/templates/XXXXXX
777 pafiledb/cache/templates/XXXXXX/admin
777 pafiledb/images/screenshots
777 pafiledb/uploads
777 profilcp/def
777 var_cache

You can test how you forum handles the folders before and after with wannabrowser, just use the path to any file in the folder your testing. [url=http]http://www.wannabrowser.com/index.php[/url]

I recommend testing your site now to make sure everything is still working and and we have not stopped any thing from functioning like cashe/uploads ect. If something does not function remove the rule from it's folder.

If you wish to be even more secure you can work with this too.

Code: Select all

# no reasion any code should be able to run in this folder!AddHandler cgi-.script .php .js .pl .py .jsp .asp .htm .shtml .sh .cgiOptions -ExecCGI

You can add or remove file extensions as you need. A good example of a place to use this is your uploads folder. As it's storage of uploaded files only, code does not need to run from it!

**edit **
Note: This will stop a installed .script/shell from running as long as it covers the folders it's in and you match the file extension. Please use with care it can stop a lot of things from running.
** end edit **

I hope this brief tutorial is of help.

Hi CaNNon,

Thanks for this. This is just the thing I'm looking for!

I created a .htaccess and added your code below to it to the directories with 777:

Code: Select all

# no reasion any code should be able to run in this folder! AddHandler cgi-.script .php .js .pl .py .jsp .asp .htm .shtml .sh .cgi Options -ExecCGI

Did a test, uploaded a file within IntegraMOD (like a member on my site would normally). Made sure the screenshot file I used was a .php file. It uploaded ok, however, if I tried to execute it by clicking on it, it shows up as "permission denied".

This has worked great.

I do have a question though. The other code]# access only from inside site. order deny,allow deny from all allow from localhost 127.0.0.1[/code]
Can I put that together with the file extension exclude into the same .htaccess file? Just put in straight after the previous line of code?

The thing is, I have TWO dedicated servers, one is the webserver the other is the SQL server. So I will I need add an extra line in there to 'allow' my SQL server access to those directories? Something like "allow from xxx.xxx.xxx.xxx" (where xxx.xxx.xxx.xxx is the IP address of my SQL server)?

Can I put the
[code]php_value register_globals off[php]
Into all the .htaccess files or only just into the .htaccess in the ROOT of my webserver?


Once again, a thousand "thank yous" for this. I was trying to find a way to restrict as after being hacked 4 times, you really need a solution.

Also, it's good you mention this as I found a whole lot of other dodgy looking .php files stored in the /modules and /files folders while uploading the .htaccess files.

Yea you can allow the other server, but for the folders that are 777 I don't think it will need access. They are mostly storage or cashe so test it, add it if needed.
Also the overrides are the same you can leave them out and test if you have a issue add just it (but they should still be covered where needed with your higher access rules).

If you use the local host rule the server will only answer to it's internal IP.
The folders that you use rules for file extensions, are the ones you allow up loads in too.

example:
so say in the cashe folder you don't need need anyone to have access so you use the local host rule, now in your uploads folder you don't want any files to run but you do want to be able to add files so here you use the rules to stop files from running.

Sorry i need a example of what the .htaccess should look like.

Do i put the .htaccess in the root or every 777 Folder

This is my guess

# access only from inside site.
order deny,allow
deny from all
allow from localhost 127.0.0.1
777 album_mod/upload
777 album_mod/upload/cache
777 album_mod/upload/med_cache
777 album_mod/upload/wm_cache
777 backup
777 cache
777 cgi-bin/tmp
777 files
777 files/thumbs
777 images/avatars
777 images/smiles
777 includes/cache_tpls
777 modules
777 modules/cache
777 modules/cache/explain
777 pafiledb/cache
777 pafiledb/cache/templates
777 pafiledb/cache/templates/XXXXXX
777 pafiledb/cache/templates/XXXXXX/admin
777 pafiledb/images/screenshots
777 pafiledb/uploads
777 profilcp/def
777 var_cache




Thanks

well my guess dont work now i get a 500 error


so i put
# access only from inside site.
order deny,allow
deny from all
allow from localhost 127.0.0.1

in all the folders
this works

but now the avatars, smiles, downloads etc.etc dont show or download

do i have to add each smile to the .htacsses to allow to be seen

I'm asking all this because my site was hacked a few weeks ago and it was being used to get peoples bank information.. So I need all the security I can get!!

Thanks

Hi ALFA_QUE_ALL,

I know what it feels like to have a site hacked! I've been hacked about 3-4 times!

Here's what I've done to finally fix the hacking problems:

[list type=decimal][*]In the ROOT of your webserver, create the .htaccess and put this line: php_flag register_globals off
[*]In the folders mention, create ANOTHER .htaccess and put this in the folders mentioned above (NOT in the ROOT): # no reason any code should be able to run in this folder!
AddHandler cgi-.script .php .js .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI[/list]I think I've made a few other tweaks as well, but I'll have to dig it up.

This should however STOP ANY PHP .scripts from running on your site and from members uploding .php files to your site then executing them.

Do you have approval setup for member uploads so you can approve them first before they can be downloaded/seen? This has saved me too as I can go into the ACP, see what files they are and delete them if needed. But even if they do try to, it will error out saying "you are not authorised to". Test it with a sample .php file.

Hope that helps.

They are examples ALFA_QUE_ALL, you try the local host rule first an in any folders you have a issue you use the one binh.tang is showing.
Also the globals off over ride is a really good but check the settings first to see if your host has it on off.

Thanks guys!!!

Hi CaNNon,

I just noticed something from a hacker on my site yesterday.

He put a file with the extension .php3 instead and it works, bypassing your .htaccess rule "AddHandler cgi-.script .php .js .pl .py .jsp .asp .htm .shtml .sh .cgi"

I did a test and renamed my index.php to index.php3 and it still loads up the site.

Is there anything you can suggest in this case?

if you rename index.php to index.php3, it will not load the index of your site. It will still load some pages, like viewtopic and viewforum.

If you can load pages with the php3 extension, then you have a very strange php setup on your server.

was he successful? I assume he uploaded it as .php3 and intended to rename it .php so he could execute it, but your htaccess should protect you from that