- Knowledge wrote:
- When you got hacked before, how did they get in? Depending on how they compromised the server, htaccess may or may not help. Are you still seeing requests from IP blocks that you have denied in your htaccess file?
Yup.
They got in, I am pretty sure, by my having public upload turned on (I turned it off) or through free e107 CMS plugins known to have backdoors in them.
When I restored to a backup from a full week before the trouble started (I have backups all the way to 01/01/2011, so if need be I can go back even further!), I deleted my entire forum, deleted all the plugins, changed all the passwords, moved phpmyadmin to still another alias, etc.
I just got new requests logged to my apache error.log:
- Code:
[error] client 109.237.214.63 File does not exist: /(path omitted)/w00tw00t.at.blackhats.romainian.antisec:)
[error] client 109.237.214.63 File does not exist: /(path omitted)/MyAdmin
[error] client 109.237.214.63 File does not exist: /(path omitted)/phpmyadmin
====== Partial copy of my .htaccess ========
# e107 .htaccess script for hosts with mod_rewrite
# If e107 is not installed in the document root, then make RewriteBase
# RewriteBase /your-e107-folder/
<FilesMatch \.php$>
ErrorDocument 400 /error.php?400
ErrorDocument 401 /error.php?401
ErrorDocument 403 /error.php?403
ErrorDocument 404 /error.php?404
ErrorDocument 500 /error.php?500
</FilesMatch>
ErrorDocument 404 /404.html
ErrorDocument 403 default
RewriteEngine on
RewriteBase /
<Limit GET HEAD POST>
order allow,deny
# Manual Blocks
deny from 58.218.199.
# Country: AFGHANISTAN
# ISO Code: AF
# Total Networks: 22
# Total Subnets: 98,560
deny from 27.116.56.0/22
deny from 58.147.128.0/19
deny from 61.5.192.0/20
deny from 111.125.152.0/21
deny from 111.223.244.0/22
deny from 117.55.192.0/20
deny from 117.104.224.0/21
deny from 119.59.80.0/21
deny from 121.100.48.0/21
deny from 121.127.32.0/19
deny from 124.199.112.0/20
deny from 125.213.192.0/19
deny from 175.106.32.0/19
deny from 180.94.64.0/19
deny from 180.222.136.0/21
deny from 182.50.176.0/20
deny from 202.56.176.0/20
deny from 202.86.16.0/20
deny from 203.174.27.0/24
deny from 203.215.32.0/20
deny from 210.80.0.0/19
deny from 210.80.32.0/19
## Country: CHINA
# ISO Code: CN
# Total Networks: 3,410
# Total Subnets: 331,821,056
deny from 1.0.1.0/24
deny from 1.0.2.0/23
deny from 1.0.8.0/21
deny from 1.0.32.0/19
.... lots more countries added via countryipblocks.net (not that it is doing any good ...)
Yes, at the bottom there is an "allow from all".
Hmm, do I need to change the top to say "order deny,allow"??? I am pretty sure countryipblocks.net generated that part too.
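The two questions in this thread (is the logged client actually covered by any deny rule, and would switching to "order deny,allow" help) can both be checked offline. The script below is an added example, not the poster's or e107's code: it parses a constructed excerpt of the posted .htaccess (the closing "allow from all" is included because the poster says it is there), extracts the client address from a constructed error.log line in the quoted format, reports which deny rules match it, and evaluates the request under Apache 2.2's Order semantics for both "allow,deny" and "deny,allow". The partial-address rule "58.218.199." is treated as a dotted prefix, which is an assumption about how Apache interprets the trailing dot.

```python
import ipaddress
import re

# Constructed excerpt of the posted .htaccess; the trailing "allow from all"
# is added here because the poster says it sits at the bottom of the real file.
HTACCESS_EXCERPT = """\
<Limit GET HEAD POST>
order allow,deny
# Manual Blocks
deny from 58.218.199.
# Country: AFGHANISTAN
deny from 27.116.56.0/22
deny from 58.147.128.0/19
## Country: CHINA
deny from 1.0.1.0/24
deny from 1.0.2.0/23
allow from all
</Limit>
"""

# Constructed error.log line in the same format the poster quoted.
ERROR_LOG_LINES = [
    "[error] client 109.237.214.63 File does not exist: /var/www/html/phpmyadmin",
]


def parse_access_rules(text):
    """Return (order, allows, denies) from the Order/Allow/Deny directives."""
    order, allows, denies = "deny,allow", [], []  # Apache's default Order
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(?i)^order\s+(\S+)", line)
        if m:
            order = m.group(1).lower()
            continue
        m = re.match(r"(?i)^(allow|deny)\s+from\s+(.+)$", line)
        if m:
            target = allows if m.group(1).lower() == "allow" else denies
            target.extend(m.group(2).split())
    return order, allows, denies


def rule_matches(ip, rule):
    """Apache host rule matching: 'all', CIDR, full address, or partial prefix."""
    rule = rule.lower()
    if rule == "all":
        return True
    addr = ipaddress.ip_address(ip)
    if "/" in rule:
        return addr in ipaddress.ip_network(rule, strict=False)
    prefix = rule.rstrip(".")  # assumption: "58.218.199." behaves like "58.218.199"
    if prefix.count(".") == 3:
        return addr == ipaddress.ip_address(prefix)
    # Partial address: Apache matches the leading octets as a network prefix.
    return str(addr).startswith(prefix + ".")


def is_allowed(order, ip, allows, denies):
    """Apache 2.2 Order semantics for a single client address."""
    a = any(rule_matches(ip, r) for r in allows)
    d = any(rule_matches(ip, r) for r in denies)
    if order == "allow,deny":
        # Must match an Allow, and must not match any Deny.
        return a and not d
    if order == "deny,allow":
        # A matching Allow overrides a Deny; unmatched requests are permitted.
        return a or not d
    raise ValueError("unknown Order value: %s" % order)


def matching_denies(ip, denies):
    return [r for r in denies if rule_matches(ip, r)]


def extract_client_ips(log_lines):
    """Pull the 'client A.B.C.D' address out of Apache error.log lines."""
    return [m.group(1) for line in log_lines
            for m in [re.search(r"client (\d+\.\d+\.\d+\.\d+)", line)] if m]


def audit(htaccess_text, log_lines):
    """For each logged client, show matched deny rules and the outcome under each Order."""
    order, allows, denies = parse_access_rules(htaccess_text)
    report = {}
    for ip in extract_client_ips(log_lines):
        report[ip] = {
            "matched_denies": matching_denies(ip, denies),
            "allowed_under_current_order": is_allowed(order, ip, allows, denies),
            "allowed_if_order_deny_allow": is_allowed("deny,allow", ip, allows, denies),
        }
    return report


if __name__ == "__main__":
    for ip, result in audit(HTACCESS_EXCERPT, ERROR_LOG_LINES).items():
        print(ip, result)
```

Running it against the excerpt shows the logged 109.237.214.63 matches none of the listed deny rules, which is why it still reaches the 404 handler; the rules are not failing, the address simply is not in them. It also shows why the existing "order allow,deny" is the right choice for a blocklist that ends in "allow from all": under "deny,allow" the final allow wins over every deny, so even 58.218.199.x would be let through.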