My .htaccess is changed over and over and over - .htaccess

I hope you can help me, I have a website and constantly the .htaccess file is hacked to redirect to another page, every time I delete that file, when I check the file after 5 minutes, again the file is written to redirect to a page with malware, I changed passwords of sftp, the page itself and the database several times from different computers with windows and linux but this file is constantly changed in the main page and creating hacked .htaccess in the subdirectories, Why does this keep happening? HELP
The web page is hosted in Dreamhost.

If the permissions on your .htaccess file are set so that only you can modify it, then you will find one of the following:
An entry in your FTP access log showing .htaccess being uploaded
An entry in the control panel access log showing the .htaccess being edited
An entry in your HTTP access log at the time that the modification happens (often a POST, but not necessarily). This is often to a generalised backdoor process of some sort.
A crontab entry that makes this modification
Additionally, you will find that your site was hacked somehow - e.g. insecure version of JCE editor, poor passwords, nonumber extensions, flash uploader, failure to update for known security problems, or similar. It's all in the logs. You will also find that there are a stack of little PHP files or an extra admin account which will let the attacker back once you sort out the obvious part of the problem.

Related

IIS denying access to simple HTML file in virtual directory

I'm trying to display simple HTML files in a folder on my web site. No ASP.NET, no application, just a virtual directory. I'm getting "Access denied" in the browser when I try to open a web page.
This is through a hosting provider; I have access through FTP and IIS Manager only.
Authorization Rules show Allow - All Users - Inherited.
I'm far from an expert on IIS, and most search results either suggest checking folder permissions in the file system (which I have no direct access to) or are relevant to applications.
How can I diagnose this?
More information:
Through trial and error, I found out the cause, and worked around it with URL Rewrite. I'd still like to know why it's happening (the root cause) and how to change IIS's behavior.
I'm moving my site from Linux hosting to Windows hosting. Some of the old URLs are of the form:
http://www.MYSITE/myblog/index.php/2013/04/29/SOMEFILE.html
The ones I'm moving are HTML files, not PHP files, but I tried to mirror the folder structure.
The problem is in the index.php folder name. No matter what I do, even if I enable directory browsing, IIS won't let me access any files in a folder with that name. If I rename the folder (or even the "extension" part), it all works.
I've scanned through many of the IIS settings and haven't found any mention of forbidding a .php extension. What's going on?
You need to add permission for IIS users.Try adding permission to the folder by adding user
IIS_IUSRS and give required permission .
1.Right click on folder, go to properties
2.Go to security tab
3.Click on Edit, if you don't see IIS_IUSRS in the user list who have permission
4.Click on Add , In the box , add IIS_IUSRS and click on check names, it will
get the qualified name .
5.Click OK and apply
Hopefully it should work then
Through trial and error, I found out the cause, and worked around it with URL Rewrite.
For URLs of the form:
http://www.MYSITE/myblog/index.php/2013/04/29/SOMEFILE.html
The problem is in the index.php folder name. IIS won't let me access any files in a folder with that name. If I rename the folder (or even the "extension" part), it all works.
This is reminiscent of Joomla virtual (SEO) URLs. I'm assuming that you don't really have static files at all, but the CMS program running your site parses this information after the "index.php" as parameters for a database query to create the html page on the fly. In this case, the only file that's really being served by the web server is index.php, and the program includes other php files depending on the parameters entered. You're on the right track though, with creating a small file on the destination server and try to load it, but this means the index.php directory structure is moot.

disabling view of folder files from website

If a person goes to my site and type a URL like www.mysite.com/admin/includes, the webpage displays the entire directory! How can I stop this? Most of the files are in PHP though, so even if anyone downloads those files, they're mostly blank, but someone just hacked my website and I'm wondering if knowing the directory structure helped them.
I need to do disable the viewing of all directory structures, while allowing the display of images like www.mysite.com/images/image1.jpg
In your .htaccess file, insert the following line:
Options -Indexes
This will prevent the viewing of directory indexes, whilst allowing actual files to pass through.
Note that you must have AllowOverride Options set in your config (this is already done in most hosting environments).

.htaccess denied vs out of wwwroot

I need to upload to my server a high sensitive data file to be used by PHP scripts. Please, tell me what's the most secure way and why:
Putting it in a folder not under www root
Putting it under www root but denying access with .htaccess rule
Thank you very much
If you have ftp/sftp/ssh access to this server, there's no reason not to put it outside of the www document root. If you have a hosting service that only grants you access to the www document root, then you'll have to go with the second solution, but the first is much more secure.
Htaccess can be bypassed if there is a vulnerable script on your site. There are tools that, if placed correctly, files inside the document root and be uploaded by a remote attacker or even replaced. For example, there are php "remote file managers" that allows a remote attacker to change permissions, edit, or replace existing files, including your htaccess file. If you're running a site like Wordpress, or some other CMS, that aren't exactly super secure by themselves, that have a lot of third party plugins, those plugins could be vulnerable to attacks, and if you happen to be using one, your htaccess file's access restrictions could be bypassed.
When the sensitive information is outside of the document root, an attacker who has access to the document root won't be able to access these files and vulnerabilities in your scripts are a lot less likely to affect access to these files. There most likely needs to be a system level exploit to be able to gain access to files outside of the docuement root.

IIS7 - How to password protect a single folder using a Web.config file?

I have a folder that contains log files. They're not super critical, but I don't want total strangers looking through them. I'd like to put a password on that one folder. The folder and its contents are served straight up from IIS, so I'm not looking for a coding solution.
With Apache I'd use a .htaccess file.
With IIS it's possible to use multiple Web.config files at various levels to control this kind of thing.
So, what goes in the Web.config file that allows me to require a password when accessing this folder?
I'm happy for the password to pop up in a dialog like old-school websites used to do (not sure what this is called -- I think it is digest authentication) and so avoid any loginUrl redirection stuff
I'm happy to put the password in the Web.config file in plain text if it's easier
The application is internet facing and running on shared hosting, so I don't have much control over the box beyond what I can configure in Web.config.
You can achieve this using the <location path="..."/> element of web.config file.
Check this link for step-by-step instructions..

Classic ASP "Down for Maintenance" page

I'm making some changes to a legacy classic ASP application. I've made the changes locally, and now I want to copy the changed files to the server. At the same time, I need to download the Access database, add some fields to some tables, and upload it again. For this reason, I need to be able to stop visitors from modifying the database while this is happening.
My main question is, what is the best way to setup a quick "Down for Maintenance" page that will be shown immediately and no matter which page the visitor requests. The application is already established, so I'd rather an answer that didn't require me to rework the application's architecture.
My second question (maybe this should be a separate question):
Is there a better way to add fields to a db table than to copy it down, modify, and stick it up again? Please forgive if that's a dumb question - I'm new to ASP - new to Windows too.
I only have FTP access to the remote server.
Thanks.
two ways:
1
if you do a server-side include in every asp page you can do a response.redirect in that include to /upgrading.html
2
in global.asa you can do a response.redirect in the session on start event. THis is probably the best way. Will only work for .asp pages, not if the client comes to a .html page.
Do you have any control panel access to the site at all?
When I used to run a number of ASP Classic sites I often turned them off for the five minutes required to do what I needed.
Rude to do to your visitors I know.
As others have said you could redirect to a page, but that won't stop people visiting static content in html pages, but then that probably won't matter, at least it stops them making changes to the mdb whilst you download it.
It's a pity that ASP.net's app_offline.htm doesn't work for ASP classic.
Another option I used to use was to create a default.htm file that had the offline message, and the way IIS was setup default.htm overrode default.asp, so simply uploading default.htm changed the homepage. This of course doesn't stop anyone using any of the other .asp pages.
So no real answer! Sorry.
If you have just FTP access to the server (and no control over the IIS) just insert a response.redirect to the "down for maintenace" page in top of all the asp pages, and remove it when the update is completed.
The changes to the database can be performed with the ALTER TABLE statement.
With regards to the "Down Maintanance" page issue you can and taking mapache's idea a step further if there is an included file (for a header) in each of the pages you can put the Response.Redirect in that one file and upload that in place. This will avoid making changes to all pages.
Another option is to upload a temp html file which will be found first by IIS. In IIS you can set which page name.ext are looked for in a domain/folder. For example when you browse to www.example.com you don't specify the page you are looking for so it could load index.html or index.htm for example depending on setup. It will depend on your hosts configuration setup, but a bit of trial and error I'm sure you can find out which one they use. Common ones for IIS are default.htm, default.html, index.html and index.htm. You can then put it in each of the folders in the website (not ideal I know) and then carry out your maintenance.
When updating databases you can run a migration script, written in sql, to update the schema and data of the db. As you only have FTP access this will require some sort of page you can paste the sql into and run. This however opens security issues so downloading the db, making the changes and then uploading again is probably easier. In addition to doing it this way you can also save the file and you'll have a backup :-)
Hope this helps.
Better than an include file, just use the Global.asa.
In the Global.asa's Application_onStart, add
Application("Offline")= True
at the top of all of your ASP files, add
If VarType(Application("Offline")) = vbBoolean Then If Application("Offline") Then Response.Redirect "App_Offline.htm"
(The double-if gets around the lack of VBScript's short-circuit operators, and therefore any data type errors.)
You could even set the Global.asa code to
Set fso= Server.CreateObject("Scripting.FileSystemObject")
Application("Offline")= fso.FileExists(Server.MapPath("App_Offline.htm"))
Set fso= Nothing
Which would enable the offline page if it exists, like ASP.NET. However, the application start code is only reparsed when the server is reset (using iisreset), or when the Global.asa file is modified, merely adding the App_Offline.htm will not be enough.
Add below code in web.config
<?xml version="1.0"?>
<configuration>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
</configuration>
And place app_offline under root folder. This will work.

Resources