Protecting .htaccess files from web application exploits.

Over the last 18 months I have seen more and more new clients contacting me regarding their site being flagged by Google as hosting malware or other problems. The client has checked their site and not been able to find any problems via their web browser.

The reason for this is the htaccess hack I mentioned in a previous post from 2013. You can see the original article: htaccess hack. I came up with a solution to protect existing clients just in case.

Most good Linux admins know about the immutable bit you can set on files, but not many end users do. This feature is only available if you have your own VPS or root server.

What the immutable bit does is prevent a file from being modified in any way, even by the root user, until the bit is cleared.

You use the chattr command to do this. For example:

chattr +i <filename>

I use two commands in the .bashrc file as follows:

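# Set the immutable bit on every .htaccess file under /var/www/.
# chattr needs root to change this attribute.
protect-htaccess() {
        find /var/www/ -type f -name .htaccess -exec chattr +i {} +
}

# Clear the immutable bit again so the files can be edited.
unprotect-htaccess() {
        find /var/www/ -type f -name .htaccess -exec chattr -i {} +
}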

These find all the .htaccess files under /var/www/ and set or clear the immutable bit. You could extend this to all PHP files as well if you wanted.

With these commands in your .bashrc file you can just call protect-htaccess and unprotect-htaccess. If you want to edit a .htaccess file you would need to unprotect the files first.
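Because the files have to be unprotected before every edit, it is easy to leave one writable afterwards. The following check is an added example, not part of the original post: it lists .htaccess files that lack the immutable bit by parsing lsattr output. The function names and the sample lsattr lines are constructed for illustration.

```shell
# Added example: report .htaccess files that are NOT immutable.

# Read lsattr output ("<flags> <path>" per line) on stdin and print the path
# of every file whose flag field lacks the lowercase 'i' (immutable).
unprotected_from_lsattr() {
    while read -r flags path; do
        case "$flags" in
            *i*) ;;                        # immutable bit set: nothing to report
            *)   printf '%s\n' "$path" ;;  # bit missing: file can be modified
        esac
    done
}

# Audit a web root (default /var/www/, the path used in the post).
# Prints the unprotected files and returns 1 if any were found, so a cron
# job can alert on a non-zero exit status. lsattr errors (for example on a
# filesystem without attribute support) are left visible on stderr.
audit_htaccess() {
    _missing=$(find "${1:-/var/www/}" -type f -name .htaccess \
                   -exec lsattr {} + | unprotected_from_lsattr)
    if [ -n "$_missing" ]; then
        printf '%s\n' "$_missing"
        return 1
    fi
}

# Constructed sample of lsattr output (not captured from a real server):
# one protected file, one unprotected, one append-only with a space in its path.
SAMPLE_LSATTR='----i---------e------- /var/www/site-a/.htaccess
--------------e------- /var/www/site-b/.htaccess
-----a--------e------- /var/www/my site/.htaccess'

# Demo on the constructed sample; prints the two paths that lack the bit.
printf '%s\n' "$SAMPLE_LSATTR" | unprotected_from_lsattr
```

On a real server, run audit_htaccess after editing to confirm protect-htaccess was called again.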

It is not a solution to all hacks, but it does prevent this one from being easy. The hacker would have to gain root and know about the chattr command. The vast majority of these types of hackers are drive-by script kiddies (although not all). They will look for an easier target or give in when they can't make this change.
