Solved

website file permissions

Posted on 2014-07-28
Last Modified: 2016-05-23
Hi

I'm running a LAMP server with CentOS 5, cPanel, SuPHP, Mod_Security, CSF etc. The website is being hacked with eval(Base64_decode(... being inserted into some PHP scripts. Also other .php script pages are being created in some of the website directories. I understand from research that this is a common hack. I am looking for techniques to improve protection of my site to prevent this.

I assume that there must be a problem with my file owner, group and permissions settings for an external user to be able to modify the code on pages and to create script pages.

My question is about what those settings should be. Currently I have :-

Directories - owner and group are set to the same. This is the user name of the ftp user that I use to upload changes to the site. The permissions are set to 755.

Files - owner and group are set to the same. This is the user name of the ftp user that I use to upload changes to the site. The permissions are set to 644.

Apache- httpd.conf is set to use nobody as both user and group.

SuPHP - the UserGroup directive in httpd.conf is set to the same user/group as my files and directories.

I have googled about this topic and so I understand with Apache set to nobody, website users should be using the 'other' permissions on files and directories. This would mean Read access only. However SuPHP uses the permissions of the file owner/group when executing php pages. This means read/write permissions. This is meant to be safer but does not seem so as it allows php pages to be modified.

Clearly I have a gap in my understanding and would welcome some advice to stop the hack.

BTW: I have looked into preventing base64_decode in php.ini but it is used legitimately on the site at the moment. I have also looked into using Suhosin to disable eval() but again that is legitimately used in some places too.

Any help and advice would be very appreciated.

Phil
0
Question by:philevans114
4 Comments
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 166 total points
ID: 40226089
You should make your users change their passwords because it is possible the attacker has a legitimate login that they are using.
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 166 total points
ID: 40228491
Normally apache should not be able to write web content, so permission must be o-wx.

Apache on CentOS 5 by default uses credential "apache:apache".
Primitive suggestion: remove your over-customized apache and install the one shipped with the system.
0
 
LVL 2

Accepted Solution

by:
rr100 earned 168 total points
ID: 40260854
This is a problem with one of your website coded pages (php files). You might be vulnerable to some type of hacking.
"However SuPHP uses the permissions of the file owner/group when executing php pages. This means read/write permissions."
If your file is vulnerable and the hacker gets access to the file, he will be able to write to any other file within that user's account, because of suphp making it possible. When running suphp, all files should be 644, and all folders should be 755. The point of suphp in cPanel is so that one user won't be able to access other users' files; they are isolated from each other.

I've dealt with cleaning up many hacked servers with this same issue, and same cPanel setup. Make sure you get your programmer to look through the code, 99% this is your code's fault and not file permission as you are thinking.

Let me know how it goes.
0
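
An added example, not written by any poster in this thread: a read-only audit for the symptoms discussed above, listing modes that deviate from the 644/755 recommended for suPHP, PHP files containing eval(base64_decode(, and recently changed PHP files. The function names and the sample tree are constructed for illustration, and GNU find and grep (as shipped on CentOS) are assumed; hits from find_injected need manual review because the site uses both functions legitimately.

```shell
#!/usr/bin/env bash
# Added example: audit a suPHP docroot. Nothing here modifies the site.

# Files that are not 644 and directories that are not 755;
# prints "<octal mode> <path>" for each deviation.
audit_perms() {
    find "$1" \( -type f ! -perm 644 -o -type d ! -perm 755 \) -printf '%m %p\n' | sort
}

# PHP files containing eval(base64_decode( . PHP function names are
# case-insensitive, so match any case and optional whitespace.
find_injected() {
    grep -rlEi --include='*.php' \
        'eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\(' "$1" | sort
}

# PHP files changed in the last N days (default 7): candidates for
# scripts that were created or altered by the intruder.
recent_php() {
    find "$1" -type f -name '*.php' -mtime "-${2:-7}" | sort
}

# Constructed sample tree so the functions can be tried offline.
make_sample() {
    local d; d=$(mktemp -d)/public_html
    mkdir -p "$d/images"
    printf '<?php echo "home";\n' > "$d/index.php"
    printf '<?php echo "old";\n'  > "$d/old.php"
    # "ZWNobyAxOw==" decodes to the harmless string: echo 1;
    printf '<?php eval(Base64_decode("ZWNobyAxOw=="));\n' > "$d/images/x.php"
    touch -d '30 days ago' "$d/old.php"
    chmod 755 "$d"; chmod 644 "$d/index.php" "$d/old.php"
    chmod 777 "$d/images"; chmod 666 "$d/images/x.php"
    echo "$d"
}

# Usage: ./audit.sh /home/USER/public_html   (placeholder path)
if [ -n "${1:-}" ]; then
    echo "== permission deviations"; audit_perms "$1"
    echo "== eval(base64_decode( hits"; find_injected "$1"
    echo "== PHP changed in last 7 days"; recent_php "$1"
fi
```

Run it as the account owner so every file under the docroot is readable, and compare the recent_php list against your own upload history.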
