>> I'm working on determining the entrance point for a recent web site
>> defacement. I'm suspecting that a mysql username/password was obtained
>> from a script.
> 1) don't name files *.inc, name them *.inc.php. That way, even if it is
> requested by the client, the browser will show nothing because it will be
> parsed by PHP, and no output sent to the client.
Don't rely on .php files not being readable. I have seen several cases on
various servers where php scripts get sent out unparsed when apache has
decided to get temperamental (sorry I can't tell you exactly why but apache
restart has usually sorted it) or where output compression is in the script
but then gets disabled on the server for some reason. If you were being
targeted, someone could run a bot to watch out for this happening and report
results.
Your best bet imo is to have any sensitive info in files outside the web
root (as long as you are the only person with access to that account).
Next best is probably the .htaccess technique (if you use .inc.php extension
you should do this as well but it would have to be limited to a specific
directory of course).
You could also restrict access within a php file containing the password
based on IP, i.e. only allow access to localhost, and/or the full URL(s) of
the calling script(s). This technique could also be used to give your other
scripts an additional layer of security.
Another idea is possibly to do something like su to a special user and have
files readable only by that user. Haven't tried this and it might be
impossible or false security but maybe others have thoughts about it.
Bear in mind that I am not a security expert by any means.
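The two suggestions above (keep the credentials file outside the web root, and have that file refuse to run unless pulled in by a known calling script) can be combined in one guard. The following is an added example, not code from anyone in this thread; the paths `/var/www/private/db-config.php` and `/var/www/html/index.php`, the constant `APP_ENTRY`, and the function name `config_access_allowed` are assumptions chosen for illustration.

```php
<?php
// Added example (not from the original thread). Paths, the APP_ENTRY constant
// and the helper name are assumptions.

// ---- /var/www/private/db-config.php  (lives OUTSIDE the web root) ----
//
// Decide whether this config file may hand out credentials, based on the
// request environment ($server is normally $_SERVER) and an allow-list of
// scripts that are permitted to include it.
function config_access_allowed(array $server, array $allowedCallers): bool
{
    // Guard 1: the including script must have declared itself an entry point.
    if (!defined('APP_ENTRY')) {
        return false;
    }

    // Guard 2: the script Apache is actually executing must be on the
    // allow-list. This also denies the case where this file is requested
    // directly, because its own path is never in the list.
    $running = isset($server['SCRIPT_FILENAME'])
        ? realpath($server['SCRIPT_FILENAME'])
        : false;
    if ($running === false) {
        return false;
    }
    foreach ($allowedCallers as $caller) {
        if (realpath($caller) === $running) {
            return true;
        }
    }
    return false;
}

// Scripts allowed to read the credentials (constructed allow-list).
$allowedCallers = [
    '/var/www/html/index.php',
    '/var/www/html/admin/login.php',
];

if (!config_access_allowed($_SERVER, $allowedCallers)) {
    // Send nothing useful back; the web server log still records the attempt.
    http_response_code(403);
    exit('Forbidden');
}

// Only reached by an allow-listed caller. Values are placeholders.
return [
    'dsn'  => 'mysql:host=localhost;dbname=app_db',
    'user' => 'app_user',
    'pass' => 'CHANGE-ME-placeholder',
];

// ---- /var/www/html/index.php  (inside the web root) ----
//
// define('APP_ENTRY', true);
// $db  = require '/var/www/private/db-config.php';
// $pdo = new PDO($db['dsn'], $db['user'], $db['pass']);
// ... normal page code follows; $db['pass'] never appears in output ...
```

Because the credentials file sits outside `DocumentRoot`, Apache will not serve it even on a day it hands `.php` files out unparsed; the allow-list guard is the second layer for the case where the file is copied somewhere it can be served. For files that must stay under the web root, the `.htaccess` technique mentioned above is an Apache `<FilesMatch "\.inc$">` block with `Require all denied` (or `Deny from all` on Apache 2.2), which refuses the request before PHP is involved at all.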