CI 1.6.1 htaccess changed via web
Posted: 03 July 2009 02:34 AM
Summer Student

Hi all.
We use CI 1.6.1.
Yesterday the htaccess file was somehow changed on our hosting. The system administrators didn't make these changes, so I think our project was hacked or the framework somehow changed the htaccess file.

Am I right, or is it just my paranoia?

Posted: 03 July 2009 02:51 AM   [ # 1 ]
Sr. Research Associate

What sort of changes are you talking about, malicious ones?
Have you checked the access logs to see what users accessed the server just before the file was last modified?

As a precaution, if you do think the account was hacked, change all your passwords (inc db)

Posted: 03 July 2009 03:03 AM   [ # 2 ]
Summer Student
Dam1an - 03 July 2009 02:51 AM

What sort of changes are you talking about, malicious ones?
Have you checked the access logs to see what users accessed the server just before the file was last modified?

As a precaution, if you do think the account was hacked, change all your passwords (inc db)

The server has only web access for the public. We also don't have FTP access, only SSH access for developers. Also, developers can access files only via sudo, so I checked all the logs and I think the changes could only have been made via the web.

The changes: we customized the htaccess file and commented out the default rewrite rules, and yesterday they were uncommented. I checked the web logs and don't see any GET request that changed the htaccess file. So I think it could only have been done via a POST request.

Posted: 04 July 2009 06:08 PM   [ # 3 ]
Moderator

Have you informed your hosting provider of these events? They may be able to help determine what happened.

The changes you describe don’t sound malicious, so the first thing I would do is talk to everyone who has write access for this file.

However if you think someone did this with malicious intent, there are some basic steps you can follow.
Firstly, I would highly suggest following Damian’s advice in changing passwords.
Secondly, make sure that the webserver does not have write permissions for the file - it only needs to read it.
Then go through your old scripts, if you have any, and assess if they can be upgraded (old forum or blogging software, etc). Don’t leave unused software in the webroot.
Lastly, I would do some basic due diligence on the security of your CI app. There are no known exploits of this type in any past versions of the framework, but that does not make your own code immune.

Let us know what you find out, please.
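
An added example, not part of any post in this thread: one way to carry out the two checks suggested above, listing non-read-only requests logged shortly before the .htaccess modification time and testing whether the web server account can write the file. The log lines, timestamp, paths and uid/gid values are constructed, and the function names are hypothetical.

```python
import re
import stat
from datetime import datetime, timedelta

# Apache common/combined format: host ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
READ_ONLY = {"GET", "HEAD", "OPTIONS"}

def writes_before_change(log_lines, modified_at, window=timedelta(minutes=10)):
    """Non-read-only requests logged in the window ending at the file's mtime."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-request line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if modified_at - window <= ts <= modified_at and m["method"] not in READ_ONLY:
            hits.append((ts.isoformat(), m["host"], m["method"], m["path"], int(m["status"])))
    return hits

def webserver_can_write(mode, uid, gid, web_uid, web_gids):
    """POSIX class check: owner, then group, then other (ACLs not considered).
    Write permission on the parent directory would also let the file be replaced."""
    if uid == web_uid:
        return bool(mode & stat.S_IWUSR)
    if gid in web_gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

# Constructed sample data: log lines, modification time and ids are all invented.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Jul/2009:14:01:07 +0000] "GET /index.php/news HTTP/1.1" 200 5120',
    '198.51.100.7 - - [02/Jul/2009:14:03:42 +0000] "POST /old-forum/admin.php HTTP/1.1" 200 311',
    '192.0.2.10 - - [02/Jul/2009:14:04:10 +0000] "GET /.htaccess HTTP/1.1" 403 209',
    '198.51.100.7 - - [02/Jul/2009:13:20:00 +0000] "POST /index.php/contact HTTP/1.1" 200 98',
    '192.0.2.55 - - [02/Jul/2009:14:06:30 +0000] "POST /index.php/contact HTTP/1.1" 200 98',
]
SAMPLE_MTIME = datetime.strptime("02/Jul/2009:14:05:00 +0000", "%d/%b/%Y:%H:%M:%S %z")

if __name__ == "__main__":
    # Real use: st = os.stat(".htaccess"); mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
    for hit in writes_before_change(SAMPLE_LOG, SAMPLE_MTIME):
        print(hit)
    # 0o664 file owned by uid 1000, group 33; web server assumed to run as uid/gid 33
    print("web server can write:", webserver_can_write(0o664, 1000, 33, 33, {33}))
```

Access logs record the request line but not the POST body, so a hit here only narrows down which script to review; it does not show what the request did.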