tags:

views:

158

answers:

4
Q: 

prevent hack a site by linux multi Support ability

One of the site Hacking methods written in php in apache server The use Images with prefix. Php such as .php.gif that apache is trying to run it How can htaccess configuration to disable this feature

A: 

Disabling PHP sounds good, but what would really help is for you to prevent users from uploading files to your web server which they then can access from the web. If you can't change your site in that way, at least put in some checking such as a regular expression for filenames and validation of the file format submitted.

I don't understand how a valid GIF-format image could legally also be a PHP script, but I'd like to see an example file if that is the case. Sounds delightful.

Heath Hunnicutt  2009-11-10 05:57:44
A: 

View image files is not necessary Hacker upload file such as image, but Writes itself php code and ... will be running the Server

ojo  2009-11-10 06:07:15
A: 

I get what is being asked. I actually know a guy who configured his server in such a way that this is an issue. It is simple to prevent.

Don't allow for extension-less PHP files. so example.com/foo goes looking for example.com/foo.php . if you do, your user supplied image foo.gif.php might get run.

If you do it anyway, make sure you do proper extension checking with the built in commands, or with a proper regex. Also, make sure you properly validate any files the user uploads.

Basically, you have to really not know how to use PHP and a web server to quite a large degree. You practically have to want to be hacked :) So many problems have to come into alignment for this to be an issue. I wouldn't worry about it too much

EDIT:

I noticed someone suggested that the OP is already hacked. Some people will drop code into your server as a poor man's back door.

look for an .htaccess file with something like this:

<FilesMatch "^.*\.gif">
SetHandler application/x-httpd-php
</FilesMatch>

Honestly, if they are that far into your system, you are better off formatting it and starting over. who knows what else is on there at this point.

cgr  2009-11-10 07:12:53
A: 

best way is set in your upload folder this code

 <Files ~ "\.(?i:php.*|(s|p)html|cgi|pl)$">
deny from all
</Files>
 

daniel  2009-11-10 15:36:11

related questions

Performance of using static methods vs instantiating the class containing the methods
Asp.Net Static method to refresh page
How to format methods with large parameter lists
How to find where a ruby method is defined (at runtime)?
Object arrays in method signatures
How to indicate that a method was unsuccessful
Method access in Ruby
What is the difference between a method and a function
Java: Enum parameter in method
Php redefine Class Methods OR Class
How can I use an event to cause a method to run?
Using 'this' as a parameter to a method call in a constructor
How to use one object's method to update another object's attribute?
All possible uses for the Application.SysCmd Method
Python - Get Instance Variables
What are the semantics of a const member function?
Why Does Ruby Only Permit Certain Operator Overloading
Regex that Will Match a Java Method Declaration
Why does a "file exists" method in many languages return true for a directory?
Why can't I declare static methods in an interface?
Call Project Server Interface web method from an msi installer
Generics in c# & accessing the static members of T
Visual Studio refactoring: Remove method
Which Agile software development methods have you had the most success with?
Using object property as default for method property