Hi,

I have a site that gets attacked by hackers once every few months, specifically targeting Joomla files. Last week I installed RSfirewall and fixed a bunch of permissions problems.

However, it got hacked again today. Turns out this time instead of replacing various Joomla files like they usually do, they replaced the htaccess file.

Would it be possible for RSFirewall to also make note of changes to and permissions for the htaccess file, even though it's outside Joomla? It would be great if it could take a snapshot of the file and note changes. I probably would've have discovered the source of the problem a bit earlier if this was under its scope.

Installing RSFirewall last week probably saved some of the joomla files, however, as the pattern of this attack was similar to the previous ones and there was as usual a bogus "copyrights.php" file in the root. It would be nice to be able to keep hackers totally out of my root directory.

Hello,

Unfortunately there is no real way of keeping track of changes made on the htaccess file, since this is used to perform all kind of settings.

We currently have on our TO DO list a feature that will take into consideration the htaccess file also.

It would be best to also follow the security points stated on our blog:

http://www.rsjoomla.com/blog/joomla-website-hacked-what-s-next.html

What about changing the file from .htaccess to something else within httpd.conf file? That why it will trick or at least slow down the hackers.


I never tested this but I think its worth a shot.

Regards,
John.

jwhite47 wrote:
That's a good idea, I also wonder how.

By the way, have you tried adding .htaccess to the "Monitor the following files for changes" list?
It might work.

I did set the userrights to 444 for .htaccess, so it is only readable. If you need to change it, you can put the userrights to 644 to change the content and set it back to 444.