How was I hacked? Security experts....

Yesterday I discovered that number of files on my server had been hacked.

A new line of code has been added that opened an IFRAME and tried to download a trojan.

The files were chmodded to 777, so anyone could have written, but on checking i discovered that every file that was 777 suffered this attack.

What puzzles me is that these files were in a folder protected by .htaccess, the folder was 755, and Im the only person in the world that uses these files, so the filenames were linked to from anywhere else, how did the attacker discover the files, can anyone just browse my filesystem remotely?

fox_stattonAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

RoonaanCommented:
When you are on a shared hosting account, any of the other with server access would have been able to modify your 777 files.

-r-
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
fox_stattonAuthor Commented:
On a shared hosting account anyone else on the server can set up a script to browse my directories?
0
RoonaanCommented:
anyone can access 777 files and 777 dirs.

-r-
0
Cloud Class® Course: Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.

fox_stattonAuthor Commented:
But if they dont know the filename (ie its not linked to from anywhere and is not an obvious name) how can they discover it?
0
JB04Commented:
all someone has to do is read the directory using PHP or possibly could do it through the command line using the dir command.


If someone is changing your files you should report this to your web host, the problem can only really be fixed by them -  unless its an insecure script
0
fox_stattonAuthor Commented:
They can read the contents of my directory even if its set to 755?
0
JB04Commented:
755 is execute/read/read I think, so yes anyone can because they are world readable, it depends on the server setup though, my webhost uses CGI with suexec which helps with problems like these
0
Joseph MelnickSenior Software Developer - Pharmacy ApplicationsCommented:
Hello all,

755 is read,write,execute  4+2+1 = 7  owner      
         read, execute         4+1      = 5  group  
         read, execute         4+1      = 5  everyone


here is a table of values:

Digit rwx Result
0 --- no access
1 --x execute
2 -w- write
3 -wx write and execute
4 r-- read
5 r-x read and execute
6 rw- read and write
7 rwx read write execute

typical settings
directories 755, scripts 755, data files 666, and configuration files 644

Joseph Melnick
0
fox_stattonAuthor Commented:
So it I dont want people to be able to browse my directiory, but need to be able to execute scripts, what should I set it as?

0
Joseph MelnickSenior Software Developer - Pharmacy ApplicationsCommented:
Hello fox_statton,

You need to have a default page in the directory often index.html, index.htm or index.php

The default behaviour of apache is to allow directory browsing and adding an index file will disable this.
If you use a .htaccess file in that directory you can use the DirectoryIndex directive to set your own index file as shown below:

DirectoryIndex myindex.html index.cgi index.php index.html

The file permissions on .htaccess should be 644 to allow reading by everyone and read write to you.

if you want people to execute scripts in your directory they need read access. or 755.
you definately want to ensure that your directories are set to 755 that they can be read and navigated these are often misconfigured with 777 and allows your directory to be world writable NOT good.

 Joseph Melnick (jmelnick)
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
PHP

From novice to tech pro — start learning today.