Fli
11-16-2014, 07:28 PM
Hello,
Do you know any good way to protect phpBB from malicious code injection into phpBB .php files?
I think it can be a good idea to generate a new strong password for the hosting account, then do the following things:
1) disallow direct execution of .js, .php and .html from the following phpBB folders:
admin/
cache/
contrib/
docs/
files/
images/
includes/
language/
store/
styles/
umil/
so I added into them an .htaccess with the following content:
# protect hosting account from directly executing htm* php* and js files
<Files *.php*>
Deny from All
</Files>
<Files *.js>
Deny from All
</Files>
<Files *.htm*>
Deny from All
</Files>
# Disallow listing files in this folder & subfolders
Options All -Indexes
Linux commands on how to create the file and copy it to all phpBB folders:
cd /home/myusername/public_html;mkdir httest;cd httest;vi .htaccess
then press the "a" key and paste the above code into it (mouse right click)
then "Ctrl + C" and then ":wq"
then give the file proper username permissions, so it is not root:root, for example: "chown myusername:myusername httest/.htaccess"
then copy the file, preserving permissions and not overwriting an existing .htaccess: for d in ../admin ../cache ../contrib ../docs ../files ../images ../includes ../language ../store ../styles ../umil; do cp -np .htaccess "$d/"; done
then delete the source .htaccess we used for copying: cd ..;rm -rf httest
2) disabling folder/subfolder and file WRITE permissions on phpBB folders except "/cache" and the avatars & attachments upload directories.
My directories have 755 permissions and files 644 (config.php has 600)
FIND FILES/FOLDERS WITH WRITING PERMISSION:
find /home/myusername/public_html -path "*files*" -prune -o -path "*cache*" -prune -o \( -type f -perm 0666 -o -perm 777 \) -print
-- DIRECTORIES OPERATIONS --
CHANGE ALL DIRECTORY PERMISSIONS SO THEY DON'T ALLOW WRITING NEW FILES:
find /home/myusername/public_html -type d -exec chmod 555 {} \;
ENABLE WRITING PERMISSIONS TO FOLDERS THAT REQUIRE WRITING:
chmod 755 images/avatars/upload;chmod 755 cache;chmod 755 store;chmod 755 files
-- FILES OPERATIONS --
CHANGE ALL FILE PERMISSIONS TO DISALLOW WRITING INTO THEM (THE "FILES" AND "CACHE" DIRECTORIES WILL BE SKIPPED)
find /home/myusername/public_html -path "*files*" -prune -o -path "*cache*" -prune -o -type f -exec chmod 544 {} \;
PREVENT VIEWING OF CONFIG.PHP BY SETTING ITS CHMOD BACK:
chmod 600 config.php
3) if the hosting was hacked and some files modified
When the site was compromised and some .php files were modified by the hacker, one should check all folders, sorting files by modification date, discovering which files were modified and what the approximate date range of the modifications is.
Once one has the date range, one can search the website files for ones modified in this range. I use the Linux command:
find . -type f -name "*.php" -newermt 2014-09-01 ! -newermt 2014-10-14
(finds files modified from 01 September to 14 October)
When the site was really damaged, it's better to back up the phpBB files and then restore an old backup of the files & then apply the .htaccess files mentioned above in steps 1) and 2)
That is what I think, what is your experience?
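The three steps above (deny-rules .htaccess in the listed folders, read-only permissions with a few writable exceptions, and a modified-file search) put together as one script. This is an added example, not code from the post or from phpBB; the function names, the sandbox builder, the use of a loop instead of a multi-destination cp, and the 444 file mode in place of the post's 544 are this example's own choices. It builds a constructed phpBB-like tree in a temporary directory so it runs offline; set PHPBB_ROOT (e.g. /home/myusername/public_html) to run it against a real install.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: applies the poster's three
# steps to a phpBB tree and audits the result. Function names, the sandbox
# builder and the 444 file mode are this example's own choices.
set -eu

# Folders the post lists as never needing direct execution of scripts.
LOCKED_DIRS="admin cache contrib docs files images includes language store styles umil"
# Folders phpBB must still write to (step 2 of the post).
WRITABLE_DIRS="cache store files images/avatars/upload"

HTACCESS_BODY='# protect hosting account from directly executing htm* php* and js files
<Files *.php*>
Deny from All
</Files>
<Files *.js>
Deny from All
</Files>
<Files *.htm*>
Deny from All
</Files>
# Disallow listing files in this folder & subfolders
Options All -Indexes'

# Step 1: write the .htaccess into each locked folder. A loop is used because
# "cp file dir1 dir2 ..." treats every argument but the last as a source; an
# existing .htaccess is left untouched, like cp -n.
install_htaccess() {
    root="$1"
    for d in $LOCKED_DIRS; do
        if [ -d "$root/$d" ] && [ ! -e "$root/$d/.htaccess" ]; then
            printf '%s\n' "$HTACCESS_BODY" > "$root/$d/.htaccess"
        fi
    done
}

# Step 2: directories 555, files 444 (an execute bit on a .php file does nothing
# useful under Apache, so 444 instead of the post's 544), then re-open the upload
# and cache folders and keep config.php unreadable to other accounts.
lock_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 555 {} +
    find "$root" -path "$root/files" -prune -o -path "$root/cache" -prune \
        -o -type f -exec chmod 444 {} +
    for d in $WRITABLE_DIRS; do
        if [ -d "$root/$d" ]; then chmod 755 "$root/$d"; fi
    done
    if [ -f "$root/config.php" ]; then chmod 600 "$root/config.php"; fi
}

# Audit: list anything world-writable outside files/ and cache/. "-perm -o+w"
# tests the others-write bit, so 666 and 777 are caught along with e.g. 646.
# The final -print keeps the pruned directories themselves out of the output.
find_world_writable() {
    root="$1"
    find "$root" -path "$root/files" -prune -o -path "$root/cache" -prune \
        -o -perm -o+w -print
}

# Step 3: .php files modified on or after START and before END (GNU find -newermt).
php_modified_between() {
    root="$1"; start="$2"; end="$3"
    find "$root" -type f -name "*.php" -newermt "$start" ! -newermt "$end"
}

# Constructed phpBB-like tree in a temporary directory, with deterministic
# modes, one deliberately world-writable file and one pre-existing .htaccess.
make_sandbox() {
    sb="$(mktemp -d)"
    for d in $LOCKED_DIRS images/avatars/upload; do mkdir -p "$sb/$d"; done
    printf '<?php // constructed sample\n' > "$sb/config.php"
    printf '<?php // constructed sample\n' > "$sb/includes/functions.php"
    printf '# pre-existing rules, must be kept\n' > "$sb/admin/.htaccess"
    chmod -R u=rwX,go=rX "$sb"
    chmod 666 "$sb/includes/functions.php"   # sloppy mode the audit must catch
    printf '%s\n' "$sb"
}

# Demo run; uses the sandbox unless PHPBB_ROOT points at a real tree.
PHPBB_ROOT="${PHPBB_ROOT:-$(make_sandbox)}"
install_htaccess "$PHPBB_ROOT"
echo "World-writable before locking:"; find_world_writable "$PHPBB_ROOT"
lock_permissions "$PHPBB_ROOT"
echo "World-writable after locking (should be empty):"; find_world_writable "$PHPBB_ROOT"
echo "PHP files modified in the post's range (2014-09-01 to 2014-10-14):"
php_modified_between "$PHPBB_ROOT" 2014-09-01 2014-10-14
```

Run the script as the hosting account user, not root, so the files keep that user's ownership; the audit function is the one worth scheduling afterwards, since a later upload or a careless chmod is what silently reopens a folder the post intended to lock.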