We help IT Professionals succeed at work.

How was I hacked? Security experts....

fox_statton
fox_statton asked
on
Medium Priority
183 Views
Last Modified: 2006-11-18
Yesterday I discovered that number of files on my server had been hacked.

A new line of code has been added that opened an IFRAME and tried to download a trojan.

The files were chmodded to 777, so anyone could have written, but on checking i discovered that every file that was 777 suffered this attack.

What puzzles me is that these files were in a folder protected by .htaccess, the folder was 755, and Im the only person in the world that uses these files, so the filenames were linked to from anywhere else, how did the attacker discover the files, can anyone just browse my filesystem remotely?

Comment
Watch Question

CERTIFIED EXPERT
Top Expert 2006
Commented:
When you are on a shared hosting account, any of the other with server access would have been able to modify your 777 files.

-r-

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts

Author

Commented:
On a shared hosting account anyone else on the server can set up a script to browse my directories?
CERTIFIED EXPERT
Top Expert 2006

Commented:
anyone can access 777 files and 777 dirs.

-r-

Author

Commented:
But if they dont know the filename (ie its not linked to from anywhere and is not an obvious name) how can they discover it?

Commented:
all someone has to do is read the directory using PHP or possibly could do it through the command line using the dir command.


If someone is changing your files you should report this to your web host, the problem can only really be fixed by them -  unless its an insecure script

Author

Commented:
They can read the contents of my directory even if its set to 755?
Commented:
755 is execute/read/read I think, so yes anyone can because they are world readable, it depends on the server setup though, my webhost uses CGI with suexec which helps with problems like these
Joseph MelnickSenior Software Developer - Pharmacy Applications

Commented:
Hello all,

755 is read,write,execute  4+2+1 = 7  owner      
         read, execute         4+1      = 5  group  
         read, execute         4+1      = 5  everyone


here is a table of values:

Digit rwx Result
0 --- no access
1 --x execute
2 -w- write
3 -wx write and execute
4 r-- read
5 r-x read and execute
6 rw- read and write
7 rwx read write execute

typical settings
directories 755, scripts 755, data files 666, and configuration files 644

Joseph Melnick

Author

Commented:
So it I dont want people to be able to browse my directiory, but need to be able to execute scripts, what should I set it as?

Joseph MelnickSenior Software Developer - Pharmacy Applications
Commented:
Hello fox_statton,

You need to have a default page in the directory often index.html, index.htm or index.php

The default behaviour of apache is to allow directory browsing and adding an index file will disable this.
If you use a .htaccess file in that directory you can use the DirectoryIndex directive to set your own index file as shown below:

DirectoryIndex myindex.html index.cgi index.php index.html

The file permissions on .htaccess should be 644 to allow reading by everyone and read write to you.

if you want people to execute scripts in your directory they need read access. or 755.
you definately want to ensure that your directories are set to 755 that they can be read and navigated these are often misconfigured with 777 and allows your directory to be world writable NOT good.

 Joseph Melnick (jmelnick)
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.