MatthewSchenker

Folder called ".well-known" Appeared on Server

Greetings Everyone,

Just putting this out there to see if anyone else has experienced the same, and what it might mean.

I noticed this morning that a folder called ".well-known" appeared in the public_html folder of one of my ProcessWire installations. Some searching seems to turn this up as potential malware.

Has anyone else experienced this? And how do we prevent it?

Thanks,
Matthew

I do believe this is to do with Let's Encrypt SSL certificates and I don't think this is anything to worry about. Malware with ProcessWire, pah :)

  • Like 5

Greetings,

Thanks cb2004 and Dave! When I did a quick search, among the first results that appeared was information about a WordPress malware with ".well-known." Even though I know PW is not susceptible like WP, it got me worried!

It is always unnerving when a folder appears in your app installation that you didn't put there!

Matthew


It's not unknown for nasties to masquerade as legitimate files/folders (Windows has long seen viruses & malware processes pretending to be svchost.exe, for example), but if you have installed a Let's Encrypt cert recently, it's probably part of that installation. ^-^

15 minutes ago, DaveP said:

It's not unknown for nasties to masquerade as legitimate files/folders (Windows has long seen viruses & malware processes pretending to be svchost.exe, for example), but if you have installed a Let's Encrypt cert recently, it's probably part of that installation. ^-^

Or if not I do believe this is put there in readiness by your hosting company that you may wish to. It may even be enabled without you knowing, try going to the https:// version of your site and see what it says.

  • Like 3

1 hour ago, cb2004 said:

I do believe this is to do with Let's Encrypt SSL certificates and I don't think this is anything to worry about. Malware with ProcessWire, pah :)

@cb2004 is absolutely correct.

  • Like 1


I've seen the .well-known directory with hosting providers that offer cPanel accounts with the AutoSSL feature turned on. Both Let's Encrypt and Comodo cert renewals use the folder to install and replace soon-to-expire SSLs. Depending on your hosting provider's configurations, even self-signed SSLs may get updated.

BTW: For those that chose to use AutoSSL, ProcessWire's .htaccess config prevents reading of .txt files and access to directories beginning with periods, so those would need to be turned off temporarily to allow the cert to be installed. Otherwise, PW will issue a 403 each time AutoSSL attempts to access the directory/file. Then, the SSL will expire and piss everyone off until it's fixed. :o But that's no fault of ProcessWire - It's better to keep those things in check than to let hosting plugins silently do whatever they want.


@MindFull The htaccess file does allow access to the directory:

  # -----------------------------------------------------------------------------------------------
  # 12. Access Restrictions: Keep web users out of dirs that begin with a period,
  # but let services like Lets Encrypt use the webroot authentication method.
  # -----------------------------------------------------------------------------------------------

  RewriteRule "(^|/)\.(?!well-known)" - [F]

:)

  • Like 2
  • Haha 1

#################################################################################################
# START PROCESSWIRE HTACCESS DIRECTIVES
# @version 2.3
#################################################################################################

...

  # -----------------------------------------------------------------------------------------------
  # Access Restrictions: Keep web users out of dirs that begin with a period
  # -----------------------------------------------------------------------------------------------

  RewriteRule "(^|/)\." - [F]

Eeek! - My PW 2.3 is showing lol! I have got to remove that from my Notepad++ cache

  • Like 2
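
An added example, not part of any post above and not ProcessWire's own code: it runs the two RewriteRule patterns quoted in the thread over request paths to show which ones each rule answers with 403, including two edge cases the thread does not discuss. The sample paths and the helper names `is_forbidden` and `compare` are constructed for illustration.

```python
import re

# The two rule patterns quoted in the thread. mod_rewrite uses PCRE; these
# two patterns behave the same under Python's re module.
OLD_RULE = re.compile(r"(^|/)\.")                # PW 2.3 .htaccess
NEW_RULE = re.compile(r"(^|/)\.(?!well-known)")  # rule with the exception

def is_forbidden(rule, path):
    """True if RewriteRule "<pattern>" - [F] would answer 403 for this path.

    In .htaccess (per-directory) context mod_rewrite matches the pattern
    against the path relative to that directory, without a leading slash.
    """
    return rule.search(path.lstrip("/")) is not None

# Constructed sample request paths (not taken from the thread).
SAMPLES = [
    ".well-known/acme-challenge/TOKEN_PLACEHOLDER",
    ".git/config",
    ".htaccess",
    "site/assets/.hidden/file.txt",
    "site/templates/home.php",
    ".well-known-old/index.php",   # shares only the name prefix
    ".well-known/.hidden/file",    # dot directory nested inside .well-known
]

def compare(paths=SAMPLES):
    """Return (path, blocked_by_old, blocked_by_new) for each path."""
    return [(p, is_forbidden(OLD_RULE, p), is_forbidden(NEW_RULE, p))
            for p in paths]

if __name__ == "__main__":
    for path, old, new in compare():
        print(f"{path:46} 2.3: {'403' if old else 'pass'}   "
              f"newer: {'403' if new else 'pass'}")
```

The negative lookahead is a prefix match on the directory name, so the newer rule also lets `.well-known-old/` through, while a dot directory nested inside `.well-known` is still refused.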
