June 28th, 2006, 12:47 PM
|
#1 (permalink)
| | Member Verified Customer
Join Date: May 2003 Location: Spring Branch, Texas
Posts: 391
| How do I Protect Config-inc.php?
As I reported elsewhere someone seems to have gotten access to my Config-inc.php file and the result is they got access to my database password.
How else could they create a completely new set of Classified tables in my database? Luckily, I had a custom db prefix on all my tables, because the db tables they installed had the default prefix and so nothing was lost.
But they also got a config-inc.php up to my server somehow and it had my db name, db username and db password in that file. Along with the default table prefix.
When people went to the Classifieds site they found basically nothing as the guy only set up a few items. Most things pointed to www.domain.com/ppclassifieds.
I'd like to .htaccess protect the config-inc.php file. Can that be done? In vB they put the config file in the includes folder and it is protectable with .htaccess.
|
| |
June 28th, 2006, 02:43 PM
|
#2 (permalink)
| | Photopost Developer Verified Customer
Join Date: Jun 2002 Location: Abingdon,MD
Posts: 71,676
|
Did you leave your install file on the server?
If you go to someone's config file, nothing is shown on screen, so somehow they had to get FTP access to your site. You can also set the file to 644.
|
| |
June 28th, 2006, 02:50 PM
|
#3 (permalink)
| | Member Verified Customer
Join Date: May 2003 Location: Spring Branch, Texas
Posts: 391
|
Nope I deleted it. I thought maybe I had just changed the folder name, but I just checked and I deleted it.
Paul
Last edited by creativepart; June 28th, 2006 at 02:57 PM.
|
| |
June 28th, 2006, 04:03 PM
|
#4 (permalink)
| | Photopost Developer Verified Customer
Join Date: Jun 2002 Location: Abingdon,MD
Posts: 71,676
|
Well, just make the config file 644.
|
| |
June 29th, 2006, 11:39 AM
|
#5 (permalink)
| | Member
Join Date: Apr 2006
Posts: 63
|
I didn't think this was possible? I would hazard a guess that the only way this could happen is if PHP were to fail on the server so that none of the php was processed before the webserver hands it off to the client. Is that possible?
Chuck, would you recommend then that all PP customers set their 'config-inc.php' to chmod 644 (rather than 666)?
|
| |
June 29th, 2006, 11:58 AM
|
#6 (permalink)
| | PhotoPost Developer Verified Customer
Join Date: Jan 2002
Posts: 11,834
|
I'm not sure how the file could be changed without some kind of rogue script somehow being manipulated to do so; but if they had that kind of access, I doubt they would be messing with our config-inc.php.
__________________ Please do not PM me for support or sales questions. Thank you for your understanding. |
| |
June 29th, 2006, 11:58 AM
|
#7 (permalink)
| | Member Verified Customer
Join Date: May 2003 Location: Spring Branch, Texas
Posts: 391
|
I didn't think it was possible either. But I may have had my config-inc.php set for 777. I had just converted from one forum integration to another and I know I had set the config integration file to 777.
I don't know if that would make a difference or not.
I have a strong password, so I doubt that this got figured out... but with the password in plain text in this file it is worrisome.
|
| |
June 29th, 2006, 12:30 PM
|
#8 (permalink)
| | Member Verified Customer
Join Date: May 2003 Location: Spring Branch, Texas
Posts: 391
|
How else could an entirely new set of tables appear in my database with "pp_" prefixes and filled out with all sorts of info in the settings table pointing to www.domain.com/ppclassifieds?
Could the program create its own complete set of tables from a config-inc.php?
I ask because I was working with the config files after a migration to a new forum the day before. I suppose I could have uploaded a new config-inc file with everything but the correct sql table prefix. But without the install being applied how could the database with "pp_" tables be created?
And, if it could, would the default path items in that database pp_settings table be: www.domain.com/ppclassifieds?
Here is some of the pp_settings table from this new database that showed up the other day: Quote:
#
# Dumping data for table `pp_settings`
#
INSERT INTO pp_settings VALUES (1, 'Title for your PhotoPost Classifieds', 'galleryname', '', 'PhotoPost Classifieds', 1, 1);
INSERT INTO pp_settings VALUES (2, 'Web site name', 'webname', '', 'My Website', 2, 1);
INSERT INTO pp_settings VALUES (3, 'Your Website URL (include http://)', 'domain', '', 'http://www.domain.com', 3, 1);
INSERT INTO pp_settings VALUES (4, 'Administrator Email Address', 'adminemail', '', 'admin@domain.com', 4, 1);
INSERT INTO pp_settings VALUES (5, 'Data directory virtual path', 'datadir', 'This is the web / virtual path to the data directory.', 'http://www.domain.com/ppclassifieds/data', 25, 1);
INSERT INTO pp_settings VALUES (6, 'Full path to PhotoPost Classifieds data directory', 'datafull', 'Full path to the image files directory.', '/path/to/your/photopost/data', 6, 1);
INSERT INTO pp_settings VALUES (7, 'URL to your forums main directory (optional)', 'vbulletin', 'This is the virtual path to your forum installation.', 'http://www.domain.com/forum', 1, 14);
INSERT INTO pp_settings VALUES (8, 'Full path to Header include file', 'header', 'To include an HTML file as the header, enter the full path.', '/path/to/php/header.htm', 8, 1);
| |
| |
June 29th, 2006, 12:39 PM
|
#9 (permalink)
| | PhotoPost Developer Verified Customer
Join Date: Jan 2002
Posts: 11,834
|
Changing your config-inc.php isn't going to make a new database appear; someone would have to run the installation program to get a new set of tables to appear.
Is it possible you ran the install more than once? It looks like a basic installation with no options set and it seems more likely the result of an install run that you didn't take to completion.
If someone did go to the effort to do all that, why did they stop there, and what would be gained by installing another database?
|
| |
June 29th, 2006, 01:27 PM
|
#10 (permalink)
| | Member Verified Customer
Join Date: May 2003 Location: Spring Branch, Texas
Posts: 391
|
I have an sql dump of the entire database from the day before, and there are not any tables prefixed with pp_.
There aren't any install folders in the website.
So, how could this happen?
Why would someone do this? The same basic time frame that this happened I got an email from someone in Zambia complaining that I had an Africa-wide IP address ban on my forum. I traced his email and he worked at a website development company. I know it could just be a coincidence but it's a pretty strong one.
|
| |
July 31st, 2006, 03:21 AM
|
#11 (permalink)
| | Member
Join Date: Apr 2006
Posts: 63
|
creativepart, did you ever find out the cause for this problem you had? Very interested to know. Thanks.
|
| |
July 31st, 2006, 09:23 AM
|
#12 (permalink)
| | Member Verified Customer
Join Date: May 2003 Location: Spring Branch, Texas
Posts: 391
|
I did find that install.php was still on the server. When I went to look for it I expected it to be in an Install directory so I reported that it was deleted. Then later I found install.php in the main directory to my surprise. I have to assume that someone ran that file. Because, as Michael said, it looked exactly like a basic install run off of an unconfigured install.php.
So, I ended up thinking it was all due to my inattention to removing that file.
|
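An added example, not part of the original thread and not PhotoPost's own code: a shell check for the two conditions the thread ends on, an install*.php left anywhere under the web root (not only in an install directory) and a config-inc.php that is writable by group or other (666 or 777 rather than 644). The function name, output labels and demo tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example. audit_webroot and its output labels are hypothetical names;
# install.php, config-inc.php and the 644/666/777 modes come from the thread.

# Prints one finding per line. Returns 0 if the tree is clean, 1 otherwise.
audit_webroot() {
    root=$1
    report=$(
        # Search the whole tree: in the thread the installer sat in the
        # main directory, not in the install folder that was checked.
        find "$root" -type f -name 'install*.php' |
            sed 's/^/INSTALLER /'
        # Flag the config file when group or other has the write bit set
        # (666, 777). Mode 644 leaves write access to the owner only.
        find "$root" -type f -name 'config-inc.php' \
            \( -perm -020 -o -perm -002 \) |
            sed 's/^/WRITABLE-CONFIG /'
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Constructed demo tree (not data from the thread).
demo=$(mktemp -d)
mkdir -p "$demo/ppclassifieds"
: > "$demo/ppclassifieds/install.php"
: > "$demo/ppclassifieds/config-inc.php"
chmod 777 "$demo/ppclassifieds/config-inc.php"

# First pass reports both problems.
audit_webroot "$demo" || echo "-- findings above; fixing --"

# Remediation as discussed in the thread: remove the installer, set 644.
rm "$demo/ppclassifieds/install.php"
chmod 644 "$demo/ppclassifieds/config-inc.php"

# Second pass is silent and returns 0.
audit_webroot "$demo" && echo "clean"
rm -rf "$demo"
```

Mode 644 still leaves the file readable by every local account, so on a shared host the database password in it remains visible to other users on the same machine.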