Red Squirrel
No Lifer
I have a few sites on shared hosting, and it's the second time I get hacked.
For certain scripts to work, such as upload scripts, the folders the files go to must be chmodded 777 and most other files need to be 755 so the Apache user can write to them. This means anybody on the server can read my files, including stuff like MySQL passwords, as well as even execute scripts etc... This is a big security issue, obviously.
Is this a problem that simply can't be beaten and is something you have to live with in a shared environment, or is there anything I can do?
Also, what is the best possible way to ensure a script cannot be executed from a folder? Right now I have a .htaccess file like this:
Code:
# Map script extensions to text/html so Apache serves them as plain text
# instead of handing them to the PHP interpreter (only covers listed extensions).
AddType text/html .php
AddType text/html .phtml
AddType text/html .php4
AddType text/html .php3
AddType text/html .htm
AddType text/html .html
AddType text/html .php5
But this is not catch-all. There may be other extensions I'm missing, or later on I might add more, etc... What is a catch-all method? The biggest threat is most likely people uploading server-side scripts to an upload directory and then executing them through the web. I found a PHP "trojan" and that's most likely where the hacker did his dirty stuff. The stupid hacker was redirecting to another site using JavaScript, but that site was down... at least redirect to a site that works, dummy! lol.
I plan to eventually move this to my own dedicated server, but I want to finish my control panel software first, as administering everything manually can be a pain.
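A catch-all approach, added here as an example and not taken from the post above, is to invert the rule: instead of listing the script extensions to neutralise, strip every handler that could interpret a file in the upload directory, force Apache to serve whatever is there as static content, and only let a short allow-list of file types through at all. The directory (assumed to be the site's `uploads/` folder) and the allowed extensions (png, jpg, gif, pdf, txt) are assumptions; change them to match what the upload script actually stores.

```apacheconf
# .htaccess placed inside the upload directory (assumed: /public_html/uploads/).
# Added example: deny-by-default so an uploaded server-side script is never
# executed, whatever extension it carries (shell.php, shell.php.jpg, shell.phtml, ...).

# 1. Remove every handler/MIME mapping that could trigger an interpreter.
#    RemoveHandler/RemoveType apply to each extension in a filename, so the
#    double-extension trick (evil.php.jpg) is covered too.
RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .phps .phar .cgi .pl .py .sh .shtml
RemoveType    .php .phtml .php3 .php4 .php5 .php7 .phps .phar .cgi .pl .py .sh .shtml

# 2. Whatever survives is served as a plain static file, never executed.
SetHandler default-handler

# 3. No CGI, no server-side includes, no directory listings in here.
Options -ExecCGI -Includes -Indexes

# 4. If PHP runs as mod_php, turn the engine off for this directory.
#    Wrapped in <IfModule> because php_flag is a 500 error on hosts
#    that run PHP via suPHP / FastCGI instead of mod_php.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>

# 5. Allow-list: anything whose name does not end in one of these extensions
#    is refused outright (case-insensitive). Apache 2.4 syntax; on 2.2 use
#    "Order deny,allow" / "Deny from all" inside the same FilesMatch.
<FilesMatch "^(?!.*\.(?i:png|jpe?g|gif|pdf|txt)$).*$">
    Require all denied
</FilesMatch>
```

Two caveats a shared host may impose: `AllowOverride` must permit `FileInfo`, `Options` and `AuthConfig` (or `All`) for these directives to take effect in a `.htaccess`, so check the host's documentation or test with a dummy `.php` file that should come back as plain text. And none of this addresses the 777/755 problem, which is a process-identity issue rather than a web-server one: only a host that runs PHP as your own account user (suEXEC, suPHP or a per-user FastCGI/PHP-FPM pool) lets the upload directory stay at 755 and the config files at 600, so that other tenants cannot read your MySQL credentials.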