zettageek

That solution worked PERFECTLY. Thank you so much for your help. Everyone was so responsive and helpful!

Thanks, SocialCloud! I'll give this a try today and let you know if it works.

Yep, if I put a bunch of gibberish in the .htaccess and upload it, everything in that directory 500s. So basically, I need the correct .htaccess configuration for only allowing images. Anyone? Thanks again, ya'll are great!

@requinix I copied the contents of your .htaccess file into NANO, and saved it as .htaccess. File contents below: <FilesMatch "\.(?!gif|jpe?g|png)$"> Order allow,deny Deny from all </FilesMatch> To test and see if the .htaccess file would keep PHP files from running, I wrote the following PHP script and uploaded it into the uploads directory: <?php echo 'Script works!'; ?> Unfortunately, my PHP script is still running in the browser, even though we've CHmodded and added the .htaccess. Have I missed something? @Christian F. I'm looking at implementing something like that, though it may be difficult. The site is massive, and disorganized. It'll be a bit of a challenge, so I wanted to at least disable PHP in that exploited directory as a first step, then work through cleaning the code up.

@jcbones The CHMOD change has been applied, and the images are loading correctly. Thanks! @Gurus I like the idea of 403ing everything that isn't images, so I'll go ahead and apply your first .htaccess solution. I'll let you know how this turns out... Thanks again for your help, I'll report back shortly.

Thank you, jcbones. I'll give this a try and get back to you shortly.

That was a great video! Thank you for posting.

A few clarifications: This site is built on top of SMARTY. Not just any users can upload images, they need an admin account first. That being said, I think they got into the admin area through SQL injection, and uploaded the shell through the exploited CMS. (I'm locking the CMS up right now.) I tried CHMODs 644 and 666 on the image upload directory. Both broke the images on the site from displaying in the browser.

Greetings All! This is my first post here, so I'd like to extend a big HELLO to everyone! I look forward to learning more about PHP from all the advanced PHP developers who frequent these forums. I've taken over management of a website that was recently compromised through use of a MULCI shell, as well as SQL injection. I've been working to tidy everything up, and have turned my attention to the image upload directory. Users have the ability to upload images to the website. I believe it could be possible that a user uploaded a PHP script (the MULCI shell) into the image uploads directory, and executed it their to compromise my website. I talked with a Linux security analyst who recommended that I CHMOD that directory to not allow execution of PHP files. Problem is, I'm not sure what permissions should be set to achieve such action, and this is a Rackspace Cloud Site, so I do NOT have terminal access. I tried setting some of my own CHMOD permissions, but it broke loading of images in the site. I'm open to any suggestions. Thanks.