This topic contains 5 replies, has 3 voices, and was last updated by Anti-Malware Admin 5 years, 11 months ago.
October 26, 2018 at 1:37 pm #2181
Most of my sites seem to be continually hacked, no matter how many times I scan and clean the files. Typically it is the uploading of PHP and ICO files along with code injection to existing files. In an effort to block the injection I am looking at setting custom permissions and wanted some feedback as to your thoughts…
All *.php files set to 544 to avoid writing permission or prevent injection.
Folders set to 555 and "wp-upload" to 755. The wp-config file would need to be 755, else plugins such as GOTMLS would not be able to write in the brute force code to it.
I have also been working on a custom htaccess file for the uploads folder. GOTMLS flags it as a threat for some reason…
# Only allow the following direct access to the uploads directory
RewriteCond %{REMOTE_ADDR} !^(?:xxx\.xxx\.xxx\.xxx)
RewriteCond %{HTTP_HOST} !^localhost$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://(?:[^.]+\.)?example\.com/ [NC]
RewriteRule .? http://example.com [L]
# Disable hotlinking of images
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} \.(?:jpe?g|png|gif)$ [NC]
RewriteCond %{HTTP_REFERER} !^(?:https?://(?:[^.]+\.)?example\.com/|$) [NC]
RewriteRule \.(?:jpe?g|png|gif)$ - [NC,F]
# Only allow GET and POST request methods
Deny from all
For those that do not know what each line does, I’ve broken it down here. By first listing the rule, then following up with a description of what it does:
# Disable any cgi-scripts and prevent directory browsing
Options -ExecCGI -Indexes
This is first to disable any cgi-scripts; it is connected with another rule below. Then it prevents directory listing, viewing, etc.
# Whitelist the following file extensions
# This includes the blocking of double extensions using [^.]
Order Allow,Deny
Allow from all
This is the whitelisting of certain file extensions. This is case insensitive and blocks any double extensions, like something.php.jpg or similar. You must note that if users upload legitimate file extensions with a literal period in the filename, it will also be blocked. This is why it's always a good idea to incorporate some type of file renaming utility when they upload files.
# Secure MIME-types
ForceType image/jpeg
ForceType image/png
ForceType image/gif
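An added example, not part of the original post and not GOTMLS code: a read-only audit that checks a site tree against the permission scheme and upload whitelist described above, reporting PHP/ICO files under uploads, upload names the whitelist would reject, and anything left writable. The `wp-content/uploads` path, the exact whitelist regex and the function name `audit_site` are assumptions.

```python
import os
import re
import stat
import sys

# Assumed form of the whitelist the post describes: exactly one dot, then an
# image extension, case-insensitive. "[^.]+" is what rejects double extensions.
ALLOWED_UPLOAD = re.compile(r"^[^.]+\.(?:jpe?g|png|gif)$", re.IGNORECASE)
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def audit_site(root, uploads_rel="wp-content/uploads",
               may_be_writable=("wp-config.php",)):
    """Return sorted (issue, path relative to root) pairs for one site."""
    root = os.path.abspath(root)
    uploads = os.path.join(root, *uploads_rel.split("/"))
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        in_uploads = os.path.commonpath([uploads, dirpath]) == uploads
        # Scheme from the post: folders 555 (no write bit), uploads tree 755.
        if not in_uploads and os.stat(dirpath).st_mode & WRITE_BITS:
            findings.append(("writable-dir", os.path.relpath(dirpath, root)))
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # symlink modes are not meaningful here
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if in_uploads:
                if ext in (".php", ".ico"):
                    # The file types the post reports being uploaded.
                    findings.append(("php-or-ico-in-uploads", rel))
                elif name != ".htaccess" and not ALLOWED_UPLOAD.match(name):
                    findings.append(("not-whitelisted", rel))
            elif ext == ".php" and rel not in may_be_writable:
                # Scheme from the post: *.php at 544, i.e. no write bit at all.
                if os.stat(path).st_mode & WRITE_BITS:
                    findings.append(("writable-php", rel))
    return sorted(findings)


if __name__ == "__main__":
    # Audit every site root given on the command line in one pass.
    for site in sys.argv[1:]:
        for issue, rel in audit_site(site):
            print(f"{site}\t{issue}\t{rel}")
```

A name such as `holiday.2018.png` is reported as `not-whitelisted`, which is the legitimate-period case the post warns about.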
January 6, 2019 at 1:15 pm #2205
Sorry I didn't see this post until just now, I somehow missed the notification.
This .htaccess code that you posted is not detected as a threat in the newest version of my definition updates, so maybe I fixed it already or else there is a subtle variation from this code that you posted and the code that you have in your .htaccess files.
Let me know if this is still a problem and you can send me the exact code that is flagged so that I can fix it.
January 30, 2019 at 2:48 pm #2213
Steven, did you get this resolved? I am having the same issue on my sites….
January 30, 2019 at 6:24 pm #2214
I had thought that this issue was already resolved. As I said in my first reply: if this is still a problem you can send me the exact code that is flagged so that I can fix it (again).
January 31, 2019 at 9:17 am #2215
I have a similar problem to the one Steve has. I never posted my problem here, but it looks like the malware is being re-injected into all my websites within 24-48 hrs….
I have no idea how to clean databases and I checked the raw logs – there are some entries that do not belong for sure.
I have read posts that you guys are planning a DB cleaning tool and I was wondering if it will ever be completed – I think many people will use it and I would donate right away if it will fix the issue. Right now all I do is constantly scan sites and remove those malicious files.
February 2, 2019 at 7:19 am #2216
It sounds like you are not actually having the same problem as Steve. Also, the database scan feature is already finished and is part of the current version of my Anti-malware plugin, so if you have the latest version you should see that the DB scan is included in the complete scan.
It sounds like you have multiple sites on the same shared hosting plan and they're all getting reinfected by the malware spreading back and forth from one site to the other. In cases like this it is essential to get all the malware off of the server at one time so it doesn't have a chance to replicate itself to the sites that you've already cleaned. Depending on the security on the server and the number of infected sites you have, and if this malware is also spreading from other accounts on the server that are not within your control, you may have to move your sites to a more secure hosting environment in order to get them clean and keep them clean.