Serious security issues

[zar2]

Wordpress sites have been hacked.. I believe Apache configuration is wrong. and "security" guys only say:

"Unfortunately as you are on a shared server, we will not recompile a server-wide service for you. Directory listing is not that much of an issue, what you should do is use the .htaccess to prevent this.
Rob Field
Network Security / Abuse Division
866-964-2867 (General Support)
281-476-7801 (Abuse/Security Fax)"

This is the way that Apache must be configured:

http://mattbrett.com/wp-includes/

not this:

http://www.mentefactura.com/wp-includes/

And by the way, here is how to fix it:

Using an editor like vi , edit the httpd.conf file and scroll until you find a line like this:

Options All Indexes FollowSymLinks MultiViews

To disable directory browsing carefully remove the line that says: Indexes and leave the line like this:

Options All FollowSymLinks MultiViews

Restart your apache webserver and thats it

Ticket: FAR-3031292

[striddy]

Quote:

Originally Posted by zar2

Wordpress sites have been hacked.. I believe Apache configuration is wrong. and "security" guys only say:

"Unfortunately as you are on a shared server, we will not recompile a server-wide service for you. Directory listing is not that much of an issue, what you should do is use the .htaccess to prevent this.

It's great that you are being security conscious.

To alter this apache behavior yourself, login to cpanel > index manager > set to no indexing.

[zar2]

I appreciate,

wouldn't be easier that the default is deny directory browsing; it is very widely recognized that directory listing is a security threat:

http://www.webappsec.org/projects/th...indexing.shtml

From all my sites, 100% dont require directory browsing enabled, and that I believe is for most of users.. then it is more logical to have it disabled by default than go through all the domain disabling it..

Besides, this is the first reseller provider that I see directory browsing is enabled.. and I know many of them.

[striddy]

Quote:

Originally Posted by zar2

wouldn't be easier that the default is deny directory browsing; it is very widely recognized that directory listing is a security threat

It may or may not be easier for HG to implement. They have hundreds of servers so to alter this on them all is a major undertaking.

You have addressed your concern with HG by email so they are aware of your viewpoint and suggestion. But naturally it's up to them what course of action is taken now or in the future.

[gwyneth]

Quote:

Originally Posted by zar2

And by the way, here is how to fix it:

Using an editor like vi , edit the httpd.conf file and scroll until you find a line like this:

Options All Indexes FollowSymLinks MultiViews

To disable directory browsing carefully remove the line that says: Indexes and leave the line like this:

Options All FollowSymLinks MultiViews

Restart your apache webserver and thats it

I agree with Dave that it's great you're being security conscious. And when support told you to use your .htaccess, it should have added "or the cPanel index manager".

But you really wouldn't want to use a hosting firm that didn't know how to edit a httpd.conf file or needed to be told to be careful doing it. The way you worded your ticket is like telling a car mechanic how to attach a battery cable terminal.

[zar2]

People who can read will understand and see what side has the reason on what should be the web server default settings.. regarding to directory browsing =D

[ghpk]

Most hosting companies do allow directory browsing, however there are two things to be aware of
1). good script writers include a blank index.htm page on each folder their scripts creates.
2). security conscious users make use of index manager to turn off the index as per their preference.

Forcing anything which affects all the users is not what most hosts would like to do on a shared account.

[Karin]

Okay, so I went into cpanel and turned off indexing on my public_html folder. I believe this also protects any subfolders in public_html that don't have an index file.

Do I also need to do this on the other main folders? (tmp, etc, mail, access.logs, and public_ftp)

[slapshotw]

No, don't worry about those folders.

[GatorPatrick]

I apologize your site was hacked, I truly understand how frustrating a situation like that can be. Hopefully I can clear some things up and offer some suggestions which might benefit you.

While indexing usually isn't a huge security risk, it is definately better to disable it if you're not using it for any specific reason. A note, you can actually disable this through cPanel as earlier mentioned or via .htaccess with a simple options statement.

Quote:

Options -Indexes

Also, when using public scripts like Wordpress, Joomla, etc I cannot express how important it is to keep those scripts updated. While it may be a pain to upgrade them when using third party modules (which pretty much everyone does) it is SO important to stay up to date.

Simply staying on the latest version will avert about 95% of the attacks your site will receive.

Finally, now that we are migrating the servers to Apache2 we are going to be offering a far more robust set of mod_security rules. These rules encompass far more than our old rules since Apache2 offers us more room to employ some of the techniques we've always wanted to use without hindering performance.

We take security very seriously here at HG and if you have any questions please just PM me and I'll be more than happy to assist you.

Thanks for your patience and thank you for choosing Hostgator!

[slapshotw]

Quote:

Originally Posted by GatorPatrick

These rules encompass far more than our old rules since Apache2 offers us more room to employ some of the techniques we've always wanted to use without hindering performance.

Can you be more specific about this for the sake of dedicated server customers?

[mp3]

The original post seemed a little hostile to me considering the fix is a do-it-yourself, single line edit in an .htaccess file.

Turning off directory listings in locations that you don't need them is a good idea, but it doesn't make up for poor security decisions elsewhere.

[Abel1337]

Quote:

Originally Posted by striddy

It's great that you are being security conscious. http://images.mydetaileddetail.com/i...tebx/smile.gif

To alter this apache behavior yourself, login to cpanel > index manager > set to no indexing.

Thanks for teh info man! You helped me out as well!

[AaronLS]

No indexing should absolutely be default in my opinion.