Magento – How to disable access to local.xml and config.xml for external visitors

After lots of effort i solved the issue. It was an issue caused due to .htaccess

Now after making modifications in .htaccess of the root folder. I checked the subfolders where other two of my websites were kept.

1) First thing i did was delete the .htaccess file in that folders.

2) As my images were not loading, i went to the media folder there i found .htaccess file. The content of .htaccess file was as follows

Options All -Indexes
<IfModule mod_php5.c>
php_flag engine 0
</IfModule>

AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

<IfModule mod_rewrite.c>

############################################
## enable rewrites

    Options +FollowSymLinks
    RewriteEngine on

############################################
## never rewrite for existing files
    RewriteCond %{REQUEST_FILENAME} !-f

############################################
## rewrite everything else to index.php

    RewriteRule .* ../get.php [L]
</IfModule>

I am not sure how it was giving Internal Server Error. But i deleted it from media folder of both subfolders as i though it wont be much of a risk. This started loading my images.

As i am not an expert on .htaccess i am not sure what security threat it will cause on the website.

It would be great if anyone can advice me on this

First, the obvious: updating/patching Magento will only prevent future attacks but does not make an already compromised installation secure.

Copying the files to your local machine is not dangerous as long as you just do it to analyze the files and don't set up a local web server. Back up the files on the server itself is an option, but since the server is still compromised, be aware that the files might still get messed with. Also, it is likely that there are malicious scripts hidden in your "necessary files", for example in your theme.

What should you do with the hacked installation?

1. Take it offline. That is, not just put the store into "maintenance mode", but disable the virtual host or block all access.
2. Find and delete the malicious files. A common pattern is that PHP files are placed on the server that execute arbitrary code if accessed by a certain IP range and get the code passed as URL parameter. It might also be a modified existing file. Also, those tend to recreate themselves (for example, modified core file A creates backdoor file B everytime it is loaded). Searching for base64 and eval in all PHP files on the server is a good start. Don't forget media and var directories, those are popular to hide backdoors because they are usually less monitored. There are also tools that might help you. But in doubt, find a security expert to review the code.
3. Find malicious extensions: A possible attack is to gain access to the Magento admin panel and install a "file manager" extension. Check if any extensions have been installed recently that you don't know. Also check the admin_user database table for additional admin accounts and remove them.
4. Change all passwords (Magento admin, database, ...).
5. Install all security patches for your Magento version (a fully patched Magento 1.7 is as secure as Magento 1.9, so I'd save the hassle of updating for later)
6. Update your extensions and theme, as they are also a potential source of exploits
7. If other applications are running on the same environment (for example Wordpress), check and update them as well
8. Go online again. Or even better: back up your database and the files that you need, wipe the server and set it up from scratch.