Need Security Advice Fast

Posted: Wed May 04, 2005 6:24 pm
by charp
I know that I'm doing this backwards by posting first and searching later, but I need help on this issue fast. Please accept my apologies.

Here's my situation. I just learned that a student at my high school has hacked my passwords for the school's web site (I'm a staff member and the webmaster) and I need to plug these security holes ASAP. The word is that my .htaccess passwords were hacked with a tool called "John XXX XXXXXX" [I won't print the actual name of the program just to be safe] and that he may have hacked his way into some passwords in my PHP files.

I know this is a PHP forum, but if anyone could point me to a good resource for securing my htaccess files, I'd really appreciate it. As for the security of my PHP files, I'll describe how I have things set up and hopefully some of you experts can comment and help me increase security. Thanks in advance.

All of the passwords I use in PHP are located in a configuration file stored outside the public_html directory of our web site, which is on a shared hosting account. Pages inside the public_html directory call for this file by use of an include statement. The configuration file contains the database and table names, login name, and password.

Okay, just how vulnerable am I? And how do I improve the security?

Posted: Wed May 04, 2005 6:42 pm
by Sphen001
Hi,

Well, the good news is that your setup is pretty secure already. The first thing you do with a hacking is change every password you have. Make them something completely different. The usual advice is a mixture of letters and numbers, upper and lower case, and don't repeat passwords. Second, unless the student got access to the actual machine the PHP files are on, it's unlikely they got those passwords. Third, in the Apache conf file, there is a setting that prevents .htaccess and .htpasswd files from being viewed. I don't know what it is called or what the value is, but you should check your conf file against a new one to make sure they match. This should help your security. Also, go through the web directory and make sure you can identify every file.

I hope this helps :D

Sphen001

Posted: Thu May 19, 2005 1:00 pm
by hanji
Hello

How did the attack happen? Did he get the contents from .htpasswd via the browser, or did he have FTP, etc. to access them? Does the attacker have access to any directories? Does the attacker have access to write PHP scripts on the server? I think starting with his entry/access options is the first step to securing the box. Is the box Windows or Linux?

Thanks
hanji

Posted: Tue May 24, 2005 10:44 pm
by charp
hanji,

After some research elsewhere, I believe I know how this happened. First off, the site is hosted on a shared server (private hosting, not school related) and all the students have been assigned an FTP account to their own subdirectories. As I now understand, it is possible to use PHP to read the contents of files -- including .htaccess files and other PHP files -- even though the FTP account doesn't allow access outside the specific subdirectory. The problem is that the posted files have rights to read all other files on the site, including files outside the public_html directory.

With the FTP access, the student could have viewed the encrypted .htaccess password and cracked it offline. Apparently, my use of a common dictionary word made the cracking relatively easy. Since then, I have made use of *strong* passwords.

There doesn't seem to be much that I can do about this situation that doesn't involve a drastic change in the way I teach my course. In the future, I will move all my critical files to another site and restrict the class site to simply hosting student projects. For now, that's a workable solution.
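
Added example (not part of any post in this thread): an Apache configuration sketch covering the two controls the thread touches on, the rule that stops `.ht*` files from being served and a per-directory PHP restriction for student uploads. It assumes Apache with mod_php and a host willing to edit the server configuration; every path and the `student1` name are hypothetical placeholders.

```apache
# Added example. All paths and "student1" are hypothetical placeholders.

# 1. Refuse to serve .htaccess / .htpasswd over HTTP (Apache 2.4 syntax).
#    This only blocks browser requests; it does nothing to stop a PHP
#    script on the same site from opening the file directly.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# The same rule in Apache 1.3 / 2.0 / 2.2 syntax:
# <Files ~ "^\.ht">
#     Order allow,deny
#     Deny from all
# </Files>

# 2. Keep the password file out of the document root and point the
#    protected directory at it with an absolute path.
<Directory "/home/schoolsite/public_html/staff">
    AuthType Basic
    AuthName "Staff area"
    AuthUserFile "/home/schoolsite/private/.htpasswd"
    Require valid-user
</Directory>

# 3. Confine PHP scripts uploaded by a student to that student's own tree.
#    php_admin_value can only be set in the server or virtual-host
#    configuration, not in .htaccess, so an uploaded .htaccess cannot
#    undo it. The trailing slash matters: without it the value is a
#    prefix match and "student1" would also allow "student10".
<Directory "/home/schoolsite/public_html/students/student1">
    php_admin_value open_basedir "/home/schoolsite/public_html/students/student1/:/tmp/"
</Directory>
```

`open_basedir` limits PHP's own file functions only, so it narrows the exposure described above without being a complete sandbox; hosting student projects on a separate account remains the stronger separation.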