[ale] anybody got a stock .htaccess for read-only apache website

Alex Carver agcarver+ale at acarver.net
Fri Aug 11 15:12:10 EDT 2017


If you only have static pages that are not PHP and no plugins enabled
then my guess would be a side-channel attack where the attackers
compromised an adjacent server and were able to break into the file
storage outside of the one they attacked.


On 2017-08-11 12:07, Neal Rhodes wrote:
> Thank you for the reply, but it totally baffles me. This is totally different 
> from the prior topic I raised on a different server.
> 
> Someone is scanning all the godaddy hosted servers, and is embedding .php files 
> in them, and updating the .htaccess file, in an apparent attempt to hijack 
> innocent browser users accessing the sites supported there, which for me is 
> essentially the Lilburn Oktoberfest, the Lloyd Shaw Dance foundation, and Maine 
> Genealogy.
> 
> I have found and removed all the .php files they created.  Apparently they 
> attempted to rewrite rules to re-direct access to html files into their 
> duplicated .php files.
> 
> I have removed the glop they added to the .htaccess, but don't know if there are 
> other restrictive measures I should be taking in there to reduce the potential 
> in the future.
> 
> I do not see how this relates to rsync and ssh.
> 
> 
> 
> On Fri, 2017-08-11 at 14:32 -0400, DJ-Pfulio wrote:
>> I would assume a php addon has a security problem or some custom php code has
>> some flaw.
>>
>> Is there a reason rsync+ssh isn't used - or even git?  git cryptographically
>> validates.  "Because we never needed to before" **is** a valid answer.  ;)
>>
>>
>> On 08/11/2017 02:12 PM, Neal Rhodes wrote:
>> > Apparently my Godaddy linux apache website has been hacked by someone who
>> > planted some bogus .php files, and overwrote my primary .htaccess.
>> > 
>> > Godaddy discovered it.
>> > 
>> > I removed the offending .php files.
>> > 
>> > I removed the clauses in the primary .htaccess which appeared to feed those
>> > bogus .php files.
>> > 
>> > I have asked Godaddy to provide me with their recommended stock, restrictive
>> > .htaccess file for read-only websites.    All of our static html is updated by
>> > me via ssh.    I do not know how someone managed to alter my website.   I would
>> > guess they used some tool Godaddy provides which isn't configured properly to
>> > restrict, or which has a default login.
>> > 
>> > Thus far they are running around in circles.
>> > 
>> > Does anyone have a best practices .htaccess file to start with?  I'm guessing it
>> > would be something starting with...
>> > 
>> >     IndexIgnore .htpasswd .htaccess */.??* *~ *# */HEADER* */README* */_vti*
>> > 
>> >     <Limit POST PUT DELETE>
>> >     require valid-user
>> >     </Limit>
>> > 
>> >     AuthName webuser
>> >     AuthUserFile /var/www/cgi-bin/.htpasswd
>> > 
>> >     AuthType Basic
>> >  
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org <mailto:Ale at ale.org>
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
> 
> 
> 
> 


