Your .htaccess file(s) should be owned by root, group apache and mode should be 0640 for starters (the mode can be 0644 but probably better 0640). Generally, the files and directories in your htdocs directory ought to be owned by root, group apache (or root) and mode set as restricted as necessary to be usable (but no public read, write or execute) -- this depends upon the application, but generally directories can be mode 0750 and files mode 0640 unless the files need to be executable in which case you want to set them to 750 (start with the most restrictive and change mode(s) if things don't work right).
Check your log (probably /var/log/messages) to see if somebody managed to guess a password and get into your system. You're looking, mostly, for log entries that contain the pattern sshd or password.
If somebody did guess a password, you've got some work to do -- first, change the root password to a pattern containing letters, punctuation and digits at least eight characters long. Look at /etc/shadow (this is where the passwords are actually stored); it should look pretty much like this:
Code:
root:$1$Kmh1qikS$e/d9aya89zO2F0EfXkglq/:14268:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
pop:*:9797:0:::::
apache:*:9797:0:::::
messagebus:*:9797:0:::::
haldaemon:*:9797:0:::::
nobody:*:9797:0:::::
user accounts start here
All that gobbledygook on the first line is the encrypted root password; the only account (other than user accounts) that should have a password in this file is root -- all the rest should be an asterisk!
Consider installing DenyHosts (http://denyhosts.sourceforge.net), which dynamically identifies bad actors and denies them access to your system with entries in /etc/hosts.deny; it also shares bad actors world-wide with other DenyHosts users (so you get a pretty good list of hosts to deny access to your system).
Consider installing IPTABLES country ban entries; ban at least China, Korea and possibly Russia, Bulgaria, Japan, India and Pakistan (where most of this crap comes from). You can get appropriate entries for doing this at http://www.countryipblocks.net.
Nobody (no user) needs read-write access to your htdocs tree -- including "you." Review the owner, group and mode settings and change them if needed. Change all your passwords (letters, punctuation and digits) and force your users to do the same (see the -e option for the passwd utility). If you have dead accounts, use the -i or -d option for the passwd utility to disable them.
Hope this helps some.
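
The /etc/shadow check described in the post above, as an added example that is not part of the original post: a shell function that lists system accounts carrying a password hash or an empty password field. The function names, the UID range used to recognise regular users (1000 to 60000 by default; older systems often start at 500) and the sample data are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original post): list accounts in a shadow-format
# file that break the rule "only root and real user accounts have a password".
# Usage: audit_shadow SHADOW PASSWD [UID_MIN] [UID_MAX]
# Assumption: regular users have UIDs in UID_MIN..UID_MAX (defaults 1000..60000).
# Every other account is treated as a system account.
audit_shadow() {
    awk -F: -v lo="${3:-1000}" -v hi="${4:-60000}" '
        # First file (passwd format): remember each account UID.
        FILENAME == ARGV[1] { uid[$1] = $3 + 0; next }
        # Second file (shadow format): field 2 is the password field.
        $1 == "root" { next }
        ($1 in uid) && uid[$1] >= lo + 0 && uid[$1] <= hi + 0 { next }
        $2 == ""     { print $1 ": empty password field"; next }
        $2 ~ /^[!*]/ { next }    # "*" or "!": no usable password
        { print $1 ": system account has a password hash" }
    ' "$2" "$1"
}

# Constructed sample data (hashes are placeholders, not real).
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
apache:x:80:80:Apache:/srv/httpd:/bin/false
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/false
alice:x:1000:100::/home/alice:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$1$CONSTRUCTED$placeholderhash:14268:0:::::
bin:*:9797:0:::::
apache:$1$CONSTRUCTED$placeholderhash:14300:0:::::
mysql::9797:0:::::
alice:$1$CONSTRUCTED$placeholderhash:14268:0:99999:7:::
EOF
}

# Demo run on the constructed sample; on a real host, run as root:
#   audit_shadow /etc/shadow /etc/passwd
tmp=$(mktemp -d)
make_sample "$tmp"
audit_shadow "$tmp/shadow" "$tmp/passwd"
rm -rf "$tmp"
```

Any line this prints names an account to lock or investigate; an empty password field means the account needs no password at all.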