MatthewSchenker
Posted August 1, 2017

Greetings Everyone,

Just putting this out there to see if anyone else has experienced the same, and what it might mean. I noticed this morning that a folder called ".well-known" appeared in the public_html folder of one of my ProcessWire installations. Some searching seems to turn this up as potential malware. Has anyone else experienced this? And how do we prevent it?

Thanks,
Matthew

cb2004
Posted August 1, 2017

I do believe this is to do with Let's Encrypt SSL certificates and I don't think this is anything to worry about. Malware with ProcessWire, pah

DaveP
Posted August 1, 2017

I think @cb2004 is right - see https://serverfault.com/a/795474/129338 (towards the end of that answer).

MatthewSchenker
Posted August 1, 2017

Greetings,

Thanks cb2004 and Dave! When I did a quick search, among the first results that appeared was information about a WordPress malware with ".well-known." Even though I know PW is not susceptible like WP it got me worried! It is always unnerving when a folder appears in your app installation that you didn't put there!

Matthew

DaveP
Posted August 1, 2017

It's not unknown for nasties to masquerade as legitimate files/folders (Windows has long seen viruses & malware processes pretending to be svchost.exe, for example), but if you have installed a Let's Encrypt cert recently, it's probably part of that installation.

cb2004
Posted August 1, 2017

15 minutes ago, DaveP said:
> It's not unknown for nasties to masquerade as legitimate files/folders (Windows has long seen viruses & malware processes pretending to be svchost.exe, for example), but if you have installed a Let's Encrypt cert recently, it's probably part of that installation.

Or if not I do believe this is put there in readiness by your hosting company that you may wish to. It may even be enabled without you knowing, try going to the https:// version of your site and see what it says.

cstevensjr
Posted August 1, 2017

1 hour ago, cb2004 said:
> I do believe this is to do with Let's Encrypt SSL certificates and I don't think this is anything to worry about. Malware with ProcessWire, pah

@cb2004 is absolutely correct.

MindFull
Posted September 28, 2017

I've seen the .well-known directory with hosting providers that offer cPanel accounts with the AutoSSL feature turned on. Both LetsEncrypt and Comodo cert renewals use the folder to install and replace soon-to-expire SSLs. Depending on your hosting provider's configurations, even self-signed SSLs may get updated.

BTW: For those that chose to use AutoSSL, Processwire's .htaccess config prevents reading of .txt files and access to directories beginning with periods so those would need to be turned off temporarily to allow the cert to be installed. Otherwise, PW will issue a 403 each time AutoSSL attempts to access the directory/file. Then, the SSL will expire and piss everyone off until it's fixed. But that's no fault of Processwire - It's better to keep those things in check than to let hosting plugins silently do whatever they want.

Mike Rockett
Posted September 28, 2017

@MindFull The htaccess file does allow access to the directory:

    # -----------------------------------------------------------------------------------------------
    # 12. Access Restrictions: Keep web users out of dirs that begin with a period,
    # but let services like Lets Encrypt use the webroot authentication method.
    # -----------------------------------------------------------------------------------------------
    RewriteRule "(^|/)\.(?!well-known)" - [F]

MindFull
Posted September 28, 2017

    #################################################################################################
    # START PROCESSWIRE HTACCESS DIRECTIVES
    # @version 2.3
    #################################################################################################
    ...
    # -----------------------------------------------------------------------------------------------
    # Access Restrictions: Keep web users out of dirs that begin with a period
    # -----------------------------------------------------------------------------------------------
    RewriteRule "(^|/)\." - [F]

Eeek! - My PW 2.3 is showing lol! I have got to remove that from my Notepad++ cache

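Added example (not part of the thread and not ProcessWire's own code): the two RewriteRule patterns quoted in the posts above, evaluated with Python's `re` module against constructed request paths written as mod_rewrite sees them in .htaccess context, to show which requests each version answers with 403. It also shows that the lookahead exempts by name prefix; `RULE_STRICT` and all sample paths are assumptions made for illustration.

```python
import re

# Patterns copied from the two .htaccess versions quoted in the thread.
RULE_PW23 = re.compile(r"(^|/)\.")                   # 2.3: deny every dot-path
RULE_CURRENT = re.compile(r"(^|/)\.(?!well-known)")  # later: exempt .well-known
# Hypothetical tightening (assumption, not ProcessWire's rule): only the exact
# directory name is exempt, so ".well-known-old/" is denied again.
RULE_STRICT = re.compile(r"(^|/)\.(?!well-known(/|$))")

# Constructed sample paths, relative to the web root as mod_rewrite sees them
# in per-directory (.htaccess) context.
SAMPLE_PATHS = [
    ".well-known/acme-challenge/token123",
    ".well-known/pki-validation/check.txt",
    ".well-known-old/readme.html",
    ".git/config",
    "site/assets/.htaccess",
    "index.php",
]

def is_forbidden(rule, path):
    """True if the RewriteRule pattern matches, i.e. the [F] flag returns 403."""
    return rule.search(path) is not None

def forbidden_paths(rule, paths=SAMPLE_PATHS):
    """Subset of paths that the given rule would answer with 403."""
    return [p for p in paths if is_forbidden(rule, p)]

if __name__ == "__main__":
    rules = [("2.3", RULE_PW23), ("current", RULE_CURRENT), ("strict", RULE_STRICT)]
    for name, rule in rules:
        print(name)
        for p in SAMPLE_PATHS:
            print("   ", "403" if is_forbidden(rule, p) else "ok ", p)
```

The 2.3 rule blocks the certificate validation paths, which is the 403 behaviour described for AutoSSL; the later rule lets them through but also lets through any dot-directory whose name merely starts with `well-known`.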