The Community Forums


.htaccess help

Discussion in 'General Discussion' started by Shane_from_UK, Jul 10, 2010.

  1. Shane_from_UK

    Shane_from_UK Active Member

    Sep 14, 2008

    My sites are getting hacked/injected many times. I have already done tweaks on the server.

    Server is SuExec
    Directories permission 755 and files 644
    All scripts are updated with the latest version.
    cPanel main FTP account disabled (now not a single FTP account is present)
    Changed all cPanel passwords to 100% secure passwords as per the cPanel password bar.
    Mod security enabled, and php codes are already disabled in php.ini

    But the site still gets INJECTED. Not sure what happened; only the following line was found in /var/log/message

    Jul 4 05:10:39 **** suhosin[6570]: ALERT - Include filename ('http://*****.com/ddos.txt??') is an URL that is not allowed (attacker '******', file '/home/***/public_html/check/d167_handlers/cccode_handler.php(298) : eval()'d code(5) : eval()'d code', line 1)

    I would like to set some .htaccess rules which deny editing from the browser so that sites won't get injected. The admin would also not be able to edit without removing the code from the .htaccess files. I would be very glad if anybody has such code.

    For example:

    If I add code in the .htaccess file present in the public_html directory, no one can edit, inject, or modify files without removal of the code.

    Waiting for reply.
  2. vanessa

    vanessa Well-Known Member

    Sep 26, 2006
    Virginia Beach, VA
    cPanel Access Level:
    DataCenter Provider
    How do you know the main FTP account is disabled... have you tried logging into it to make sure? Also, check the cPanel access and login logs to see if someone is maybe doing this from File Manager.

    One thing you may also want to take a look at is the domlogs to see if there's anything out of the ordinary, such as a c99 shell or script being accessed outside of WordPress. Many times I've seen people take the same measures you have, only to find out that during the first hack, a shell program was uploaded to their account and used to inject files.
  3. Miraenda

    Miraenda Well-Known Member

    Jul 28, 2004
    Coralville, Iowa USA
    There aren't .htaccess rules to deny editing from a browser, as they aren't editing from a browser. If they are uploading files into the machine or account via a script, then they are injecting code using a loophole in that script. Your php.ini file, does it have register_global = Off in it? If not and it has "register_global = On", then having register_global on is a major security risk, since many user scripts might be getting injected due to that very setting.

    Otherwise, you should definitely find where the ddos.txt file is located, who owns it, then check the domlogs for that account to see what is happening. If you check the timestamp on the file, that should give you a good time to check in the domlogs at /usr/local/apache/logs/domlogs/ (where is the domain the ddos.txt was added into or running from).

    Of note, you might also check for ddos.txt in the domlogs or even check for any .txt entries in domlogs for that account. If you show the processes running for that account with these ddos.txt entries, you can try to get environmental information on them to find the script that was injected:

    ps aux|grep username
    cat /proc/pid#/environ
    lsof -p pid#
    Here, you would ps aux the username for the account running the processes to obtain a list of PID numbers. Then you would cat the environmental information of that PID# (replace pid# with the actual PID number), then run an lsof of the PID number's process to see what it's doing on the system.

    The environmental information will tell you what script was originally hit to upload the file (if you find the right running processes for that user anyway and the processes are still running).
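    The triage procedure above (PIDs per account, /proc environ, lsof, and a pass over the domlogs for .txt requests), as an added example in shell that is not the poster's own code. It assumes a Linux /proc filesystem and Apache combined-format domlogs; the function names and the demo log line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): shell helpers for the triage steps
# described above. Assumes Linux /proc; function names are made up here.

# PIDs owned by one account. "ps -u" avoids the self-match that
# "ps aux | grep username" produces for the grep process itself.
list_user_pids() {
    ps -u "$1" -o pid= 2>/dev/null
}

# /proc/<pid>/environ is NUL-separated; print it one variable per line.
dump_environ() {
    tr '\0' '\n' < "/proc/$1/environ"
}

# From a NUL-separated environ image (file path in $1), keep the CGI
# variables that name the script hit, the request, the client and its UA.
# Under suEXEC/php-cgi these are inherited by anything the script spawns.
cgi_origin() {
    tr '\0' '\n' < "$1" \
      | grep -E '^(SCRIPT_FILENAME|REQUEST_URI|REMOTE_ADDR|HTTP_USER_AGENT)='
}

# Domlog requests that fetched a .txt resource or passed a URL in the
# query string, the pattern behind the suhosin "Include filename" alert.
# Reads the files given as arguments, or stdin when none are given.
suspect_requests() {
    grep -E '"(GET|POST) [^"]*(\.txt|=https?:(%2F%2F|//))' "$@"
}

# Count of suspect requests, so the result can be checked, not just read.
suspect_count() {
    suspect_requests "$@" | wc -l | tr -d ' '
}

# Full triage for one account: each process, its CGI origin, open files.
triage_user() {
    for pid in $(list_user_pids "$1"); do
        echo "== PID $pid"
        [ -r "/proc/$pid/environ" ] && cgi_origin "/proc/$pid/environ"
        lsof -p "$pid" 2>/dev/null | head -n 20
    done
}

# Constructed demo line so the filter can be tried without a real domlog.
demo_log='192.0.2.10 - - [04/Jul/2010:05:10:39 +0000] "GET /check/index.php?page=http://example.invalid/ddos.txt?? HTTP/1.1" 200 512 "-" "-"'
printf '%s\n' "$demo_log" | suspect_requests
```

Run `triage_user <account>` as root on the affected server; the SCRIPT_FILENAME and REQUEST_URI lines point at the script that was hit, and the timestamp of the matching domlog entries narrows the window to inspect.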
