The Cache: Technology Expert's Forum
Author Topic: Advice needed re file naming and external access  (Read 2649 times)
dink (Expert, 349 posts)
« on: June 07, 2007, 09:33:03 AM »

Not sure if this is the right section for this, but I'm pretty sure it will be moved if there is a better place. *grin*

Wandering around in server logs yesterday when I saw an entry that chilled my shit. 
Somebody called for my config.inc file and it returned a code 200.  That means some joker has my information, right?

Now, config.inc is used on this site to access the database (mysql) for this site.  It happens that the config data is used by two more sites that use the same db. 

So, three websites that use this db to produce dynamic pages have been (potentially) compromised.

I'll have to go in and change the password for this db, then make a new config file, then change all of the pages on the three sites that use this.....yadda yadda.....

Getting bored just typing this stuff.  Imagine your pain reading it.

So how do I protect myself from a similar problem in the future?  My first thought was to name the config something like endlessJunk.php  or shitless.js.  Not sure if that will provide the protection I need.

What do you suggest?


[quote Nutballs]
the universe has a giant fist, and its got enough whoop ass for everyone.
[/quote]
perkiset (Olde World Hacker, Administrator, Lifer, 10096 posts)
« Reply #1 on: June 07, 2007, 10:53:26 AM »

There are several ideas, but an immediate one would be to trap it in Apache... if anyone ever calls for config anything rewrite the URL to a Fuck You page. EG:

RewriteEngine on
# Any request whose URI contains the string "config" ...
RewriteCond  %{REQUEST_URI}   config
# ... gets bounced off-site (an external target makes mod_rewrite redirect)
RewriteRule   ^(.*)$   http://goatse.ca/   [L]

IMPORTANT NOTE - I MEAN REALLY IMPORTANT - that URL is a JOKE and is NSFW

There are other ways in Apache's .htaccess with the Directory directives, but I am not as familiar with that. Also, you could simply include config.inc from another directory that is readable by the PHP interpreter, but not in a place where it can be accessed by the outside world. A simple example:

<?php
// Directory outside DocumentRoot: PHP can read it, Apache never serves it
$includeDir = '/www/privateDirUnavailableToApache';
require_once("$includeDir/config.inc");

Now, even though the PHP file can see it, it cannot be called - assuming that the DocumentRoot for <this website> is something like /www/mySites/thisSite

Good luck - that's a DRAG! My personal thing is to mod_rewrite EVERY request into a php handler - for example, main.php - and everything else becomes a GET parameter that I either understand how to handle or treat as a hack attempt.

/p

It is now believed, that after having lived in one compound with 3 wives and never leaving the house for 5 years, Bin Laden called the U.S. Navy Seals himself.
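An added example, not from perkiset's reply, spelling out the .htaccess-side blocking he mentions but does not show, alongside the route-everything-to-one-handler rewrite he describes. It uses Apache 2.4 syntax (on 2.2, `Require all denied` becomes `Order deny,allow` plus `Deny from all`). The extension list, the `/main.php` handler name and the `path` parameter are assumptions for illustration.

```apache
# Added example (not from the original thread); assumed to live in the
# site's .htaccess, with DocumentRoot at something like /www/mySites/thisSite.

# Layer 1: refuse to serve include/config-style files anywhere under
# DocumentRoot, regardless of what they are called. A direct request for
# config.inc, db.inc or settings.ini now gets a 403 instead of the file body.
<FilesMatch "\.(inc|ini|conf|bak|sql)$">
    Require all denied
</FilesMatch>

# Alternative to the block above if you would rather not confirm the file
# exists: answer 404 instead of 403 for the same extensions.
# RedirectMatch 404 "\.(inc|ini|conf|bak|sql)$"

# Layer 2: the "one handler" pattern. Anything that is not an existing
# static file is handed to main.php as a GET parameter, so unknown paths
# are decided (and logged) in one place rather than mapped onto files.
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ /main.php?path=$1 [L,QSA]
```

Order matters here: mod_rewrite runs before the access check, so a request for an existing `config.inc` is not rewritten (the `!-f` condition fails) and falls through to the `FilesMatch` denial, while everything else reaches `main.php`. Neither layer replaces the cleanest fix in the reply above, which is keeping the real config outside DocumentRoot so there is nothing for a URL to hit in the first place; these rules just make sure a file that does end up under the web root is not served by accident.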
dink (Expert, 349 posts)
« Reply #2 on: June 07, 2007, 11:49:47 AM »

Quote from perkiset: "Good luck - that's a DRAG!"

Thanks for that.  You've spun my gears on the solution.
