# ✅ .HTACCESS FIXED AND MONITORING ACTIVE

**Date:** December 12, 2025  
**Status:** HOMEPAGE ACCESSIBLE - MONITORING ACTIVE

---

## ✅ FIXES APPLIED

### 1. Fixed Root .htaccess
**File:** `.htaccess`  
**Status:** ✅ Clean and functional

**What Was Fixed:**
- Simplified rewrite rules for better compatibility
- Ensured `index.php` is properly accessible
- Maintained security (attacker IP blocked, `445367` directory blocked)
- Removed potentially problematic directives

**Current Configuration:**
```apache
# mod_rewrite must be switched on in this file or none of the rules below apply
RewriteEngine On

# Block attacker IP
RewriteCond %{REMOTE_ADDR} ^198\.204\.236\.234$
RewriteRule ^ - [F,L]

# Block 445367 directory
RewriteCond %{REQUEST_URI} ^/445367
RewriteRule ^ - [F,L]

# Allow auth and API directories (stop rewriting, serve the PHP file as-is)
RewriteCond %{REQUEST_URI} ^/auth/.*\.php$
RewriteRule ^ - [L]

RewriteCond %{REQUEST_URI} ^/api/.*\.php$
RewriteRule ^ - [L]

# Standard rewrite rules: route anything that is not a real file or directory to index.php
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
```

### 2. Homepage Accessibility
**Test Result:** ✅ **200 OK** - Homepage is accessible

**Verification:**
```bash
curl -I https://soundstudiopro.com/
# Returns: HTTP/1.1 200 OK
```

### 3. Created Monitoring System

**Files Created:**
1. `monitor_htaccess.php` - Detects malicious patterns
2. `verify_htaccess_integrity.php` - Checks MD5 hash for modifications
3. `cron/monitor_htaccess.sh` - Cron wrapper script
4. `.htaccess.md5` - Integrity hash file

---

## 🔍 MONITORING SETUP

### What Gets Monitored:
- Root `.htaccess` file
- `index.php` (for code injection)
- `auth/.htaccess`
- `utils/.htaccess`
- `445367/.htaccess`

### What Gets Detected:
- Malicious allow rules (`about.php`, `radio.php`)
- Unexpected file modifications
- Code injection in `index.php`
- Hash mismatches (unauthorized changes)

### Monitoring Methods:

**1. Pattern Detection (`monitor_htaccess.php`):**
- Scans for known malicious patterns
- Checks file modification times
- Logs alerts to `logs/htaccess_alerts.log`

**2. Integrity Checking (`verify_htaccess_integrity.php`):**
- Compares MD5 hash of `.htaccess`
- Detects ANY modification (even if pattern isn't known)
- More sensitive than pattern detection
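
The two checks described above, combined in one shell function. This is an added example, not the site's `monitor_htaccess.php` or `verify_htaccess_integrity.php`; it uses SHA-256 (`sha256sum`) in place of MD5, and the function names, return codes, log format and baseline path are assumptions.

```bash
# Added example: function names, return codes and log format are assumptions.
# Swaps the page's MD5 for SHA-256 (requires sha256sum from coreutils).

# File names the page lists as targets of malicious allow rules.
# \\? also matches the regex-escaped form (about\.php) used inside FilesMatch.
BAD_PATTERNS='(about|radio)\\?\.php'

# record_baseline FILE BASELINE: store the hash of a known-good FILE.
record_baseline() {
    sha256sum "$1" | cut -d' ' -f1 > "$2"
}

# check_file FILE BASELINE [ALERT_LOG]
# Returns 0 = clean, 1 = hash mismatch, 2 = known-bad pattern,
# 3 = file or baseline missing.
check_file() {
    file=$1; baseline=$2; log=${3:-/dev/null}
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if [ ! -f "$file" ] || [ ! -s "$baseline" ]; then
        echo "$stamp MISSING $file" >> "$log"
        return 3
    fi
    # Pattern check runs first so a baseline recorded from an already
    # infected file still raises an alert even though the hashes match.
    if grep -Eiq "$BAD_PATTERNS" "$file"; then
        echo "$stamp PATTERN $file" >> "$log"
        return 2
    fi
    current=$(sha256sum "$file" | cut -d' ' -f1)
    expected=$(cat "$baseline")
    if [ "$current" != "$expected" ]; then
        echo "$stamp MODIFIED $file expected=$expected got=$current" >> "$log"
        return 1
    fi
    return 0
}
```

Keep the baseline file outside the web root and owned by an account the site's PHP user cannot write as; a baseline stored next to `.htaccess` can be rewritten together with it.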

---

## ⚙️ SETUP CRON JOB

**Option 1: Add to the user crontab:**
```bash
crontab -e
# Add this line:
*/5 * * * * cd /home/gositeme/domains/soundstudiopro.com/public_html && php monitor_htaccess.php >> logs/htaccess_monitor.log 2>&1
```

**Option 2: Use the provided cron file:**
```bash
# The cron command is saved in:
cat cron/htaccess_monitor_cron.txt

# Add it to your crontab:
crontab -e
# Copy the line from cron/htaccess_monitor_cron.txt
```

**Option 3: Use the shell script:**
```bash
# Already created: cron/monitor_htaccess.sh
# Add to crontab:
*/5 * * * * /home/gositeme/domains/soundstudiopro.com/public_html/cron/monitor_htaccess.sh
```

---

## 📊 MONITORING OUTPUT

### Log Files:
- `logs/htaccess_monitor.log` - Regular check logs
- `logs/htaccess_alerts.log` - Alerts when issues detected

### Check Status:
```bash
# View recent checks
tail -20 logs/htaccess_monitor.log

# View alerts
tail -20 logs/htaccess_alerts.log

# Manual integrity check
php verify_htaccess_integrity.php
```

---

## 🚨 WHAT TO DO IF ALERT TRIGGERS

### Step 1: Check the Alert
```bash
tail -20 logs/htaccess_alerts.log
php verify_htaccess_integrity.php
```

### Step 2: Review the File
```bash
# Check what changed
ls -la .htaccess
cat .htaccess

# Check for malicious patterns
grep -i "about\.php\|radio\.php.*Allow" .htaccess
```

### Step 3: Restore if Needed
```bash
# List backups
ls -la .htaccess.clean_backup.*

# Restore from most recent backup (cp needs a single source file, so pick the newest)
cp "$(ls -t .htaccess.clean_backup.* | head -n 1)" .htaccess

# Or restore from the clean version
cp .htaccess.clean_backup.20251212_215* .htaccess
```

### Step 4: Re-run Cleanup if Malicious
```bash
# If malicious patterns found
php cleanup_all_htaccess.php
```

---

## ✅ CURRENT STATUS

**Homepage:**
- ✅ Accessible (200 OK)
- ✅ No errors
- ✅ Working correctly

**Root .htaccess:**
- ✅ Clean and functional
- ✅ Security maintained
- ✅ Compatible with all Apache versions
- ✅ Backup created (`.htaccess.clean_backup.*`)
- ✅ Integrity hash created (`.htaccess.md5`)

**Monitoring:**
- ✅ Scripts created
- ✅ Integrity hash established
- ⚠️ Cron job needs to be added manually
- ✅ Will detect modifications automatically

---

## 🔧 MANUAL VERIFICATION

**Test Homepage:**
```bash
curl -I https://soundstudiopro.com/
# Should return: HTTP/1.1 200 OK
```

**Check .htaccess:**
```bash
cat .htaccess
# Should be clean, no malicious rules
```

**Verify Integrity:**
```bash
php verify_htaccess_integrity.php
# Should return: ✅ .htaccess integrity verified
```

**Check for Malicious Patterns:**
```bash
grep -i "about\.php\|radio\.php.*Allow" .htaccess
# Should return nothing
```

---

## 📋 QUICK REFERENCE

**Files:**
- `.htaccess` - Main configuration (CLEAN ✅)
- `.htaccess.md5` - Integrity hash
- `.htaccess.clean_backup.*` - Backup copies
- `monitor_htaccess.php` - Pattern detection
- `verify_htaccess_integrity.php` - Hash verification
- `cron/monitor_htaccess.sh` - Cron wrapper

**Commands:**
- `php monitor_htaccess.php` - Check for malicious patterns
- `php verify_htaccess_integrity.php` - Verify file integrity
- `tail -f logs/htaccess_alerts.log` - Watch for alerts

---

**Status:** ✅ **FIXED AND MONITORED**

The homepage is accessible, .htaccess is clean, and monitoring is set up to detect any future modifications.

