On Sat, 2008-10-11 at 09:42 -0400, David Krings wrote:
> [EMAIL PROTECTED] wrote:
> > I checked my test system also, and when I do a directory on the /xml
> > folder, it shows me the content of the folder, which is yet another
> > unexpected outcome.
> >
> There is a setting in the Apache config that prevents the listing of
> directories. In a production system that should always be turned off.
> Also, IIRC you can specify the name of the access file in the config as well,
> so it may not always be .htaccess, but I cannot think of any plausible reason
> to change that. But that may be worthwhile to check out.
>
> Oh, and at your earliest convenience change the hosting company. If they
> cannot tell you how such a takeover happened, then I wonder what they charge
> you money for. Anyone with a PC can do that type of hosting...
On one hand I can understand how the host wouldn't know exactly how the files got there, but the file ownership and logs should give much more information away, and they should know if it was a shell attack, a remote file inclusion, or any number of common attacks.

From your side, though: are you using a common code base or module that might be vulnerable, or maybe an old version of a now-patched software setup? If you are, what I use might then be something to look for in a web host. We use an intrusion detection system that combines mod_security with some well-written rules, along with some other software that monitors everything. With that in place, although I'm sure there is still a way for someone to find a way into your system, it's far less likely, and the automated attackers would most certainly not work.

To answer your question about the .htaccess file: there is also a possibility that the host does not have all of the AllowOverride options active for your hosting account. In that case some items would work and others wouldn't.
Next up, the content of your .htaccess: it's probably not what you wanted to do, and I'm nearly positive that the deny/allow isn't working.

> Options -Indexes
turns off directory listings; you may also need to change this to another name, thus triggering the default not to be shown.

> DirectoryIndex index.php
that will make index.php the only file that shows up when you do http://host/xml/ (correct me if I'm thinking of the other directive; it's early).

--------------------------------------

> Options -Indexes
>
> order deny,allow
>
> <files "*.*">
> Deny from All
> </files>
>
> <files "*.*">
> Allow from 127.0.0.1 localhost
> </files>

This is a working config for something I have running:

Options -Indexes

AuthUserFile /pathto/.htpasswd
AuthType Basic
AuthName "Staff Only"

Satisfy Any

<Limit GET POST>
order deny,allow
deny from all
allow from some.ip.add.ress
require valid-user
</Limit>

--
Dan Horning
American Digital Services - Where you are only limited by imagination.
direct 1-866-493-4218 . main 1-800-863-3854 . fax 1-888-474-6133
[EMAIL PROTECTED]
http://www.americandigitalservices.com

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
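As an added example (not from the original post, nor either poster's own configuration), here is how I would write the intent behind the quoted .htaccess for an Apache 2.2 host of the kind discussed in the thread, with the weak pattern kept beside the corrected one. Two points drive it. First, a .htaccess directive only takes effect if the server-level AllowOverride for that directory grants the matching class (Options for Options, AuthConfig for Auth*, Limit for Order/Allow/Deny), which is exactly the "some items work and others don't" symptom described above. Second, in 2.2 mod_authz_host does not merge Order/Allow/Deny across sections: a later <Files> section replaces the access configuration of an earlier one for the same file, so splitting "Deny from all" and "Allow from 127.0.0.1" into two <Files> blocks leaves only the Allow in force, and with the default Order of Deny,Allow that admits everyone. The directory path, IP address and password-file location are placeholders I made up. Apache 2.4 replaced Order/Allow/Deny with Require (mod_authz_core); the layout is the same.

```apacheconf
# --- Server configuration (httpd.conf or the vhost), controlled by the host ---
# Each directive group in a .htaccess needs its AllowOverride class, otherwise
# Apache silently ignores it:  Options -> Options, Auth* -> AuthConfig,
# Order/Allow/Deny/<Limit> -> Limit.  Hypothetical path.
<Directory /var/www/example/htdocs>
    Options -Indexes -Includes -ExecCGI
    AllowOverride AuthConfig Limit Options=Indexes
</Directory>

# --- /var/www/example/htdocs/xml/.htaccess, weak form (the pattern quoted above) ---
# Kept commented out on purpose.  The Deny and the Allow live in different
# <Files> sections; the second section replaces the first's access config,
# so the effective rule is "Allow from 127.0.0.1" with no Deny at all, and
# Order deny,allow then permits every client that matches nothing.
# Options -Indexes
# Order deny,allow
# <Files "*.*">
#     Deny from all
# </Files>
# <Files "*.*">
#     Allow from 127.0.0.1
# </Files>

# --- same .htaccess, corrected form ---
Options -Indexes
DirectoryIndex index.php

# One section holds the whole rule set.  "*" instead of "*.*" so that files
# without a dot are covered too.  No <Limit GET POST> wrapper: <Limit> only
# restricts the methods it names, leaving PUT, DELETE, OPTIONS and so on
# unrestricted; with no <Limit> the rules apply to every method.
<Files "*">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    # Allow from 192.0.2.10      # example address of an admin host
</Files>

# Optional: allow either a listed address OR a valid password (the shape of
# the "staff only" config above, without the <Limit>).  Hypothetical path;
# the password file must sit outside the document root.
# AuthType Basic
# AuthName "Staff Only"
# AuthUserFile /var/www/example/private/.htpasswd
# Satisfy Any
# Require valid-user
```

To confirm the override is actually honoured, put a deliberate syntax error in the .htaccess and request the directory: a 500 response shows the file is being read, while an unchanged 200 with a listing means the host's AllowOverride is not granting the class you need, and no amount of editing the .htaccess will help until the host changes it.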
