[ale] anybody got a stock .htaccess for read-only apache website
DJ-Pfulio
djpfulio at jdpfu.com
Fri Aug 11 14:32:05 EDT 2017
I would assume a php addon has a security problem or some custom php code has
some flaw.
Is there a reason rsync+ssh isn't used - or even git? git cryptographically
validates. "Because we never needed to before" **is** a valid answer. ;)
On 08/11/2017 02:12 PM, Neal Rhodes wrote:
> Apparently my Godaddy linux apache website has been hacked by someone who
> planted some bogus .php files, and overwrote my primary .htaccess.
>
> Godaddy discovered it.
>
> I removed the offending .php files.
>
> I removed the clauses in the primary .htaccess which appeared to feed those
> bogus .php files.
>
> I have asked Godaddy to provide me with their recommended stock, restrictive
> .htaccess file for read-only websites. All of our static html is updated by
> me via ssh. I do not know how someone managed to alter my website. I would
> guess they used some tool Godaddy provides which isn't configured properly to
> restrict, or which has a default login.
>
> Thus far they are running around in circles.
>
> Does anyone have a best practices .htaccess file to start with? I'm guessing it
> would be something starting with...
>
> IndexIgnore .htpasswd .htaccess */.??* *~ *# */HEADER* */README* */_vti*
>
> <Limit POST PUT DELETE>
> require valid-user
> </Limit>
>
> AuthName webuser
> AuthUserFile /var/www/cgi-bin/.htpasswd
>
> AuthType Basic
>
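
An added example, not part of the original messages: one way to spot the kind of tampering described in this thread (planted .php files, a rewritten .htaccess) on a static site is to hash a trusted local copy and compare it with a copy of the deployed docroot pulled back over ssh. The function names, the suffix list and the sample files are assumptions made for this sketch.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions a static-HTML site should never contain (assumption for this example).
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".phar", ".cgi", ".pl"}

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def audit(trusted_root, deployed_root):
    """Compare the deployed docroot against the trusted local copy."""
    good, live = manifest(trusted_root), manifest(deployed_root)
    findings = []
    for path in sorted(live.keys() | good.keys()):
        if path not in good:
            scripted = Path(path).suffix.lower() in EXECUTABLE_SUFFIXES
            kind = "planted-script" if scripted else "unexpected-file"
        elif path not in live:
            kind = "missing"
        elif live[path] != good[path]:
            kind = "htaccess-modified" if Path(path).name == ".htaccess" else "modified"
        else:
            continue  # present in both copies with identical content
        findings.append((kind, path))
    return findings

def demo():
    """Constructed sample: a small static site and a tampered deployment of it."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted, deployed = Path(tmp, "trusted"), Path(tmp, "deployed")
        for root in (trusted, deployed):
            (root / "img").mkdir(parents=True)
            (root / "index.html").write_text("<h1>hello</h1>\n")
            (root / ".htaccess").write_text("Options -Indexes\n")
        # Simulate the incident from the thread: extra .php file, rewritten .htaccess.
        (deployed / "img" / "x.php").write_text("<?php /* placeholder */ ?>\n")
        (deployed / ".htaccess").write_text("Options -Indexes\nRewriteEngine On\n")
        return audit(trusted, deployed)

if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:18} {path}")
```
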