.htaccess denying php files. Site wrecker?

[burlington]

The reason behind my topic http://forum.cmsmadesimple.org/viewtopi ... 28&t=74310
caused me to find this:
The folders on this site contact a number of .htaccess files. At random, I downloaded one of them and opened it. It reads:
<quote>
# To deny PHPs
<Files ~ "\.(php|php3|php4|php5|phtml|pl|cgi)$">
order deny,allow
deny from all
</Files>
</quote>

Is this what I think it might be, ie to deny loading php, thus wrecking a site?

[Jeff]

It is to stop direct loading of php files (there are very few files that are loaded directly and they are in / and admin/). It is by design to prevent someone from placing a file hack_file.php deap in the site and use it to send spam or do other malware.

Thanks,
Jeff

[burlington]

Thanks Jeff

Bearing in mind that I, as site admin, did NOT place that file on the server, may I assume that it was placed maliciously. It is dated 0154 hrs 31/1/16 and to the best of my knowledge nothing has moved on that site for some months.

Regards

Martin

[Jo Morg]

It is by design to prevent someone from placing a file hack_file.php deap in the site and use it to send spam or do other malware.

As Jeff said it is by design, to prevent malicious code to be executed. The only way to know if the files were installed by CMSMS is to do a checksum against the version installed. Besides the dat files provided by CMSMS (they are on the forge) for each version, there is also the possibility to generate your own checksum files after the site is finished, which are more extensive than the one provided.

Other than that you should not assume anything... The .htaccess directives are correct, it just depends on which folders they are set.

Your best bet is to:

1. overwrite the files with a fresh copy of the CMSMS from the same version as the original;
2. import the sql file into the db;
3. do a checksum test;
4. remove the installer folder from the site;
5. read our docs about CMSMS security and implement its recommendations;
6. try to assess if there are other scripts that might present vulnerabilities and eventually fix them or remove them;
7. change all passwords (ftp and db too);
8. upgrade CMSMS and 3rd party modules;
9. create fresh backups;
10. generate a new checksum file just for the site;

I would check the access logs of the site frequently to see if there are further attempts to gain access to the site.

[Rolf]

Your best bet is to:
1. overwrite the files with a fresh copy of the CMSMS from the same version as the original;

That is not sufficient, because it will not affect newly placed "bad" files.

You need to remove *all* files from the server and put back the freshly downloaded core and module files from the Forge. Afterwards manually upload all images etc. one by one back. Just to be sure you don't upload a hidden bad file again.

This is the only way to be sure your server is clean of bad files.

[Jo Morg]

For the record: if the OT had full backup of the files, I would agree of course . Not being that the case, and not being able to recover the original files, I would follow the above steps, even knowing there is a certain level of risk involved. But those steps would allow to tell the files of a CMSMS installation from the rest, and then a triage would be relatively simple.

[Rolf]

In my experience the OP should make a copy of the current state of files as a backup and start from there. Not from a previous backup...

I have fixed several sites in the last years this way. You have to be very careful or you will be hacked "again". Well you are *still* hacked. As an example I have seen image.jpg files that were in fact scripts.

Might do a blog on this some day, but in Dutch it is already described here:
http://forum.cmsmadesimple.org/viewtopi ... 52&t=45525

[burlington]

I think I have decided what to do.
Looking at my files this morning, I have found a complete copy of an earlier version of this site in HTML, before I 'graduated' the site to CMSMS. All 3 languages, as it was tri-lingual: ENG/FR/DE/, with language switching. The CMSMS version does not work anyway and I am going to ask the host to 'clean' the server so I can start again clean, using CMSMS 2.xx.
Recreating 'feel' & content should now present no problem. All images etc to go on the new site will be from my system, not from the files left on the server. Most of my files date from when the HTML site was first created in HTML, circa 2007. They have been scanned and should be 'clean'.
I really am very grateful for the advice I have received. Thank you. It has been a traumatic 24 hours.
Regards
Martin