Adding/Updating No execution text to htaccess in virus found directories
Posted: 26 Apr 2010, 23:42
Hi folks,
Ok, we've found clients with the usual c99 shell scripts installed and the thought occurred to me below.
Could CXS be set to either append this text to existing .htaccess files or add an .htaccess file to directories where obvious shell scripts have been located?
Addhandler text/plain .pl .cgi .php .py .jsp .asp .shtml .sh
Or, maybe you folks have a different approach?
What we do now is alert client to the hack then disable the execution of scripts in the directory via .htaccess:
Addhandler text/plain .pl .cgi .php .py .jsp .asp .shtml .sh
I prefer to not touch client's web site files for a number of reasons, and find that disabling the execution of scripts is more effective. This does a number of things:
1. Disables the hack instantly and any further hacks installed at a later date (both remediates and prevents attacks on client's site).
2. Disables the execution of PHP scripts, which may disable client's web site as well (which tends to get the client's attention and involvement...).
What do you think, folks?
Thanks,
Jim
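Added example, not part of the original post and not CXS's own code: a shell function that applies the .htaccess change described above to one directory, creating the file if it is missing and appending to it otherwise. The function name `disable_exec` and the `.pre-lockdown` backup suffix are hypothetical, and it assumes GNU or BusyBox userland.

```shell
#!/bin/sh
# Added example (hypothetical helper, not CXS code): stop script execution in
# one directory by writing the post's AddHandler line into its .htaccess.

# The directive exactly as given in the post.
DIRECTIVE='Addhandler text/plain .pl .cgi .php .py .jsp .asp .shtml .sh'

# disable_exec DIR -> 0 = directive written, 1 = refused/error, 2 = already present
disable_exec() {
    local dir="$1" ht="$1/.htaccess"

    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }

    # A compromised account may have swapped .htaccess for a symlink;
    # following it as root would write into an arbitrary file.
    if [ -L "$ht" ]; then
        echo "refusing symlinked $ht" >&2
        return 1
    fi

    if [ -f "$ht" ]; then
        # Idempotent: a repeat scan of the same directory changes nothing.
        if grep -qxF -- "$DIRECTIVE" "$ht"; then
            return 2
        fi
        # Keep the client's original so the change can be reverted.
        cp -p -- "$ht" "$ht.pre-lockdown" || return 1
        # If the file lacks a trailing newline, add one so the directive
        # does not get glued onto the client's last line.
        if [ -s "$ht" ] && [ -n "$(tail -c 1 -- "$ht")" ]; then
            printf '\n' >> "$ht" || return 1
        fi
        printf '%s\n' "$DIRECTIVE" >> "$ht" || return 1
    else
        printf '%s\n' "$DIRECTIVE" > "$ht" || return 1
        chmod 644 -- "$ht"
        # When run as root, hand the new file to the directory's owner.
        if [ "$(id -u)" -eq 0 ]; then
            chown "$(stat -c '%u:%g' "$dir")" "$ht"
        fi
    fi
    return 0
}
```

The directive only takes effect where the server's AllowOverride setting permits FileInfo directives in .htaccess files.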