
problem in .htaccess setting

Discussion in 'Security' started by skylux, Sep 15, 2007.

  1. #1
    I'm operating a media content website and customers can freely upload any media files (.jpg, .wmv, etc.) for sharing. However, recently I was hacked by a hacker who uploaded a .php file into the media content directory. Is there any measure I can take to prevent this? I think I need to set up the .htaccess file; can anyone suggest a solution?
     
    skylux, Sep 15, 2007 IP
  2. krt, Well-Known Member
    #2
    Your upload script should be checking the extension and mime type of the uploaded file.

    Assuming PHP, you can use:
    $mime_type = $_FILES['upload']['type']; // declared by the client, not verified by PHP
    $parts = explode('.', $_FILES['upload']['name']); // end() needs a variable, not a call result
    $extension = strtolower(end($parts));
    Then you can do some simple validation. Check your server config to see which file extensions are parsed as PHP and prevent them from being uploaded.
     
    krt, Sep 15, 2007 IP
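An added, worked version of the check krt describes (this is example code, not krt's or the site's own): the last extension is compared against an allowlist, the real content type is sniffed with finfo instead of trusting the client-sent $_FILES['upload']['type'], and the file is stored under a server-generated name in a directory outside the web root. It assumes PHP 7 or later with ext/fileinfo; the form field name "upload" and the storage path in the usage comment are hypothetical.

```php
<?php
// Added example; not code from the thread. Hardened handler for a public
// media upload: allowlisted extension, sniffed content type, random name,
// storage outside DocumentRoot. Assumes PHP >= 7.0 with ext/fileinfo.
declare(strict_types=1);

// Last extension (lowercased) => MIME type libmagic must report for the bytes.
// WMV is an ASF container, which libmagic reports as video/x-ms-asf.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'wmv'  => 'video/x-ms-asf',
];

/**
 * Validate one entry of $_FILES and move it into $storeDir (a directory that
 * is NOT under the web root). Returns the generated name; throws on anything
 * suspicious.
 */
function storeUpload(array $file, string $storeDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed (error ' . ($file['error'] ?? '?') . ')');
    }
    // Only accept a file PHP itself received in this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Judge by the LAST extension only: "shell.php.jpg" yields "jpg" here, and
    // because the file is renamed below, the ".php." in the middle never
    // reaches the disk.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException("extension not allowed: '$ext'");
    }

    // Sniff the bytes on disk; the client-declared type is never consulted.
    // This is the check that rejects a PHP script uploaded as "x.jpg".
    $finfo  = new finfo(FILEINFO_MIME_TYPE);
    $actual = $finfo->file($file['tmp_name']);
    if ($actual !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("content is $actual, expected " . ALLOWED_TYPES[$ext]);
    }

    // Server-chosen, unguessable name; the client's name is discarded entirely.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($storeDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move file into store');
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

// Usage in upload.php (hypothetical store directory outside DocumentRoot):
// $name = storeUpload($_FILES['upload'], '/var/www/uploads');
```

finfo only looks at the file header, so a GIF-header-plus-PHP polyglot still passes it; the rename and the no-execute, out-of-root store are what make that harmless. Files are then served back by a small script that sets Content-Type from ALLOWED_TYPES and `X-Content-Type-Options: nosniff`, never by exposing the store directory directly.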
  3. skylux, Peon
    #3
    Can we set something in the .htaccess file to prevent execution of files in the \images\ directory?
     
    skylux, Sep 16, 2007 IP
  4. krt, Well-Known Member
    #4
    # httpd.conf / vhost, not .htaccess: <Directory> and php_admin_flag are
    # rejected inside .htaccess files. Use an absolute path (a relative one is
    # resolved against ServerRoot, not DocumentRoot); /var/www/html is an example.
    <Directory "/var/www/html/images">
    php_admin_flag engine off
    AddType text/plain .php .php3 .phtm .phtml
    </Directory>
    

    Though I don't see why you don't want to prevent them from being uploaded in the first place.
     
    krt, Sep 16, 2007 IP
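The same idea as an .htaccess file that lives inside the upload directory itself, which is what skylux asked for. This is an added example, not krt's configuration; it assumes Apache 2.4, an upload directory at DocumentRoot/images, and an AllowOverride that includes Options, FileInfo and Limit for that directory. It goes a little further than post #4: the FilesMatch rule also catches names like shell.php.jpg, which a plain `.php$` match would let through.

```apache
# Added example, not krt's config. Drop this as .htaccess inside images/.
# Assumes Apache 2.4 and AllowOverride Options FileInfo Limit (or All).

# No CGI, no server-side includes, no symlinks pointing out of this tree.
Options -ExecCGI -Includes -FollowSymLinks

# mod_php only: switch the engine off here. php_flag is the .htaccess form
# (php_admin_flag is httpd.conf-only). This does nothing when PHP runs as
# CGI/FastCGI/FPM, which is why the FilesMatch block below exists as well.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# Independent of how PHP is wired in: refuse to serve any file that has a
# script extension ANYWHERE in its name. mod_mime treats every dotted segment
# as an extension, so with "AddHandler application/x-httpd-php .php" a file
# named shell.php.jpg would otherwise still be handed to PHP; "(\.|$)" makes
# the pattern match both shell.php and shell.php.jpg.
<FilesMatch "\.(php[0-9]?|phtml?|phar|pl|py|cgi|sh)(\.|$)">
    Require all denied
</FilesMatch>

# Anything that survives is served as a plain static file, whatever handler a
# parent configuration mapped to its extension.
SetHandler default-handler
```

On Apache 2.2 replace `Require all denied` with `Order allow,deny` followed by `Deny from all`. To verify it the way post #7 suggests, put a file named test.php.jpg containing `<?php echo 'executed'; ?>` into images/ and fetch it with curl: the answer should be a 403 (or, for test.jpg holding the same text, the literal source bytes), never the word "executed".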
  5. HostJail, Active Member
    #5
    Exactly.
    You can keep execution of the files from taking place, but preventing the upload to begin with is essential.
     
    HostJail, Sep 18, 2007 IP
  6. hans, Well-Known Member
    #6
    after above is done
    After the above is done, the next step is to find out who the hackers were and how they did their job. Find the precise application that allowed penetration of your server and secure it. To do so you may have to manually screen your access_log files. Use grep / zgrep to find the first occurrence of that .php file, then manually check the access log lines before that first occurrence; typically it may start with a Google search referrer entry, etc. Secure that ONE application that allowed the upload by fixing the upload as above, then check for all the different IPs used by the hackers and block them all, either using .htaccess or iptables, for additional security.
     
    hans, Sep 29, 2007 IP
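The log hunt hans describes, carried out in a small PHP CLI script rather than by hand with grep/zgrep (an added example, not hans' own procedure or code): it finds the first request for the dropped .php file, shows the requests just before it (where the upload itself usually sits, often with a search-engine referrer), and lists every IP that touched the shell together with ready-made .htaccess and iptables block rules. The access_log lines at the bottom are constructed for the example and the shell name "c99.php" is hypothetical; assumes PHP 7 or later.

```php
<?php
// Added example; not code from the thread. Walks Apache "combined" log lines
// in order, finds the first hit on the dropped shell, shows what preceded it,
// and collects the attacking IPs. The sample lines below are constructed.
declare(strict_types=1);

// Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
const LOG_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<req>[^"]*)" '
             . '(?<status>\d{3}) \S+ "(?<ref>[^"]*)" "(?<ua>[^"]*)"$/';

/** Parse lines (from file('access_log') or gzfile('access_log.N.gz')) in file order. */
function parseLog(array $lines): array
{
    $out = [];
    foreach ($lines as $line) {
        if (preg_match(LOG_RE, trim($line), $m)) {
            $out[] = ['ip' => $m['ip'], 'time' => $m['time'], 'req' => $m['req'],
                      'status' => (int) $m['status'], 'ref' => $m['ref'], 'ua' => $m['ua']];
        }
    }
    return $out;
}

/**
 * First request for $shellName, the $context entries that preceded it, and
 * the distinct IPs that ever requested the shell.
 */
function findIntrusion(array $entries, string $shellName, int $context = 5): array
{
    $first = null;
    $ips = [];
    foreach ($entries as $i => $e) {
        if (strpos($e['req'], $shellName) !== false) {
            $first = $first ?? $i;   // keep the earliest index only
            $ips[$e['ip']] = true;
        }
    }
    if ($first === null) {
        return ['first' => null, 'before' => [], 'ips' => []];
    }
    $start = max(0, $first - $context);
    return [
        'first'  => $entries[$first],
        'before' => array_slice($entries, $start, $first - $start),
        'ips'    => array_keys($ips),
    ];
}

/** Block rules for the IPs found: Apache 2.4 .htaccess form and iptables form. */
function blockRules(array $ips): array
{
    $htaccess = "<RequireAll>\n    Require all granted\n";
    $iptables = [];
    foreach ($ips as $ip) {
        $htaccess  .= "    Require not ip $ip\n";
        $iptables[] = "iptables -A INPUT -s $ip -j DROP";
    }
    return ['htaccess' => $htaccess . '</RequireAll>', 'iptables' => $iptables];
}

// Constructed sample log (RFC 5737 addresses); real use: file('access_log') etc.
$sample = [
    '192.0.2.44 - - [14/Sep/2007:02:58:10 +0000] "GET /index.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Sep/2007:03:14:01 +0000] "GET /share.php?do=upload HTTP/1.1" 200 5120 "http://www.google.com/search?q=inurl:share.php+upload" "Mozilla/4.0"',
    '203.0.113.7 - - [14/Sep/2007:03:14:09 +0000] "POST /upload.php HTTP/1.1" 302 0 "http://example.com/share.php?do=upload" "Mozilla/4.0"',
    '203.0.113.7 - - [14/Sep/2007:03:14:12 +0000] "GET /images/c99.php HTTP/1.1" 200 33105 "-" "Mozilla/4.0"',
    '198.51.100.23 - - [14/Sep/2007:03:20:45 +0000] "GET /images/c99.php?act=ls HTTP/1.1" 200 2011 "-" "curl/7.16"',
];

$found = findIntrusion(parseLog($sample), 'c99.php', 3);
if ($found['first'] === null) {
    exit("no request for the shell found\n");
}
echo "first hit : {$found['first']['ip']} {$found['first']['time']} {$found['first']['req']}\n";
echo "just before it:\n";
foreach ($found['before'] as $e) {
    // A POST from the same IP right before the first hit is the upload; a
    // search-engine referrer shows how the attacker found the upload form.
    echo "  {$e['ip']} {$e['req']} referer={$e['ref']}\n";
}
$rules = blockRules($found['ips']);
echo "\n.htaccess:\n{$rules['htaccess']}\n\n" . implode("\n", $rules['iptables']) . "\n";
```

Concatenate the rotated logs in chronological order before feeding them in, otherwise "first occurrence" is meaningless. Blocking the IPs is only a stopgap, as hans says; the upload fix is what closes the hole.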
  7. zebulon, Well-Known Member
    #7
    Find yourself a copy of c99 shell and test your server against it. Upload the shell as shell.php.jpg, shell.php.gif or shell.php.png to ensure that the settings are working properly and the shell is not executing.
     
    zebulon, Oct 8, 2007 IP