How did this guy hack into my site?

ajoyprabhu

Joined: 2002-09-26
Posts: 65
Posted: Tue, 2003-12-23 13:50

Hi guys,

A guy registered at my site with a phony name, then there was no activity for 29 minutes (got that from my log file), and THEN proceeded to view a sub-album 2 levels deep!! I have set the permissions on this sub-album to allow anyone "logged in"; since the sub-album 1 level deep has a list of people that can view it, I figured that no one would know the EXACT URL for the 2-level-deep sub-album (WRONG!).

:-?

So, my question is, how can one figure out the exact URLs of albums you can't even see? FYI, I have not yet figured out how you guys use the .htaccess file. Still learning...

Any hints on securing this would be greatly appreciated!!

Thanks,
Ajoy

 
alindeman

Joined: 2002-10-06
Posts: 8194
Posted: Tue, 2003-12-23 15:09

[edited]

I'll improve the securing docs about how to prevent this.

 
ajoyprabhu

Joined: 2002-09-26
Posts: 65
Posted: Tue, 2003-12-23 15:41

Andrew,

Two questions: how did you figure out that the albums are in the 'albums' directory, and... second, could you not leave the albums exposed like this and get rid of the URL that you posted!!

I know I asked for it, but I didn't mean to present my site's vulnerability to everyone! :-?

Thanks!

:)

Ajoy

PS: Nevermind, I figured the first part. It is evident from the source code, where the albums reside! Duh! That was dumb! :-?

BUT, BUT, BUT....can I change the albumdb.dat file name to something else??? Will THAT help??

 
alindeman

Joined: 2002-10-06
Posts: 8194
Posted: Tue, 2003-12-23 17:12

No, but try adding a .htaccess file to your albums directory that looks like this:

# Deny web access to Gallery's album data files (albumdb.dat and the
# per-album .dat files); requires AllowOverride to include "Limit"
<Files "*.dat">
Order deny,allow
Deny from all
</Files>

 
ajoyprabhu

Joined: 2002-09-26
Posts: 65
Posted: Tue, 2003-12-23 20:32

GREAT. Thanks! As regards .htaccess, do I have to edit the httpd.conf file in Apache AND add the .htaccess file? I am a bit confused about that.

:/

 
alindeman

Joined: 2002-10-06
Posts: 8194
Posted: Tue, 2003-12-23 21:23

No. If you have the correct "AllowOverride" settings on, .htaccess should be fine. If it doesn't work, tell me and I'll walk you through what you need to change in httpd.conf.

 
ajoyprabhu

Joined: 2002-09-26
Posts: 65
Posted: Wed, 2003-12-24 15:36

OK. I am lost. If I try to put ANYTHING in the .htaccess file (in the albums directory), the pages appear without images! :(

I have set up httpd.conf file as follows:

<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>

<Directory c:\Apache\htdocs>
AllowOverride Options FileInfo
</Directory>

<Directory c:\apache\htdocs\albums>
Options None
AllowOverride All
</Directory>

<Directory c:\apache\htdocs\album>
Options Indexes FollowSymLinks MultiViews
AllowOverride Options FileInfo
</Directory>

Bet something is wrong there, right? Do I need to restart the Apache server, or does it pick up these changes automatically?

Like I said, me still learning...(still, after so many years!!)

:)

Ajoy

 
valiant

Joined: 2003-01-04
Posts: 32509
Posted: Wed, 2003-12-24 16:11

If you change httpd.conf you gotta restart Apache.

 
ajoyprabhu

Joined: 2002-09-26
Posts: 65
Posted: Wed, 2003-12-24 17:10

OK. I did that, and still all I get is the HTML page but no images come through.

So, this is my .htaccess code:

<IfModule mod_rewrite.c>
RewriteEngine On
# Forbid image requests whose referer is NOT this site AND whose client
# resolves to *.shutterfly.com (RewriteConds are ANDed; note that
# %{REMOTE_HOST} is only a hostname when HostnameLookups is On,
# otherwise it holds the client IP and the second condition never matches)
RewriteCond %{HTTP_REFERER} !^http://www.ajoy.no-ip.org/.*$ [NC]
RewriteCond %{REMOTE_HOST} ^.*\.shutterfly.com$ [NC]
# In a per-directory .htaccess the pattern is matched against the path
# relative to this directory, so a leading "/albums/" would never match
RewriteRule \.(jpg|gif|avi|png)$ - [F]
</IfModule>

# Deny web access to Gallery's album data files (albumdb.dat etc.);
# requires AllowOverride to include "Limit"
<Files "*.dat">
Order deny,allow
Deny from all
</Files>
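The steps discussed across this thread (alindeman's .htaccess denying *.dat, the AllowOverride question, and Ajoy's httpd.conf with the broken images) fit together as follows. This is an added example, not configuration from the thread or from the Gallery project; it assumes the same layout as Ajoy's post (Gallery under c:/apache/htdocs, album data under c:/apache/htdocs/albums) and uses the forward-slash, quoted path form the Apache Windows documentation recommends. The Order/Deny syntax is for Apache 1.3/2.0/2.2; the Require form inside the IfModule is the Apache 2.4 equivalent.

```apache
# ---- httpd.conf (added example; paths are assumed, adjust to yours) ----

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory "c:/apache/htdocs">
    Options FollowSymLinks
    AllowOverride Options FileInfo
</Directory>

# The albums directory must allow every override category its .htaccess
# uses: Limit (Order/Deny), FileInfo (RewriteRule) and Options. With only
# "Options FileInfo" inherited from htdocs, a "Deny from all" in .htaccess is
# a 500 "deny not allowed here" for every file in the directory, including
# the images. FollowSymLinks (or SymLinksIfOwnerMatch) is required for
# mod_rewrite to run in a per-directory context; "Options None" makes every
# request through that .htaccess a 403.
<Directory "c:/apache/htdocs/albums">
    Options FollowSymLinks
    AllowOverride Limit FileInfo Options
    # On Apache 2.4, "Require" in .htaccess needs AuthConfig instead of Limit:
    # AllowOverride AuthConfig FileInfo Options
</Directory>

# ---- c:/apache/htdocs/albums/.htaccess (added example) ----

# Album metadata (albumdb.dat and the per-album .dat files) must never be
# served to browsers: it lists album names, which is how a hidden album's
# URL can be found.
<Files "*.dat">
    # Apache 2.4 (mod_authz_core is only present in 2.4)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 and earlier
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>
```

After changing httpd.conf, restart Apache (a .htaccess change alone is picked up on the next request). Then check from outside: `curl -I http://www.ajoy.no-ip.org/albums/albumdb.dat` should answer 403 Forbidden while an image in a public album still answers 200. A 500 on the images means the .htaccess uses a directive that AllowOverride does not permit; Apache's error.log names it ("... not allowed here"). A 403 on everything means mod_rewrite is in the .htaccess but FollowSymLinks is off for that directory.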