Solved

Uploaded files on my web server have been erased by a hacker

Posted on 2014-11-27 | 151 Views | Last Modified: 2015-01-02
Hi.

I have a web server where my users upload files via the POST method in PHP.

The upload directory has file permissions 777, because if not, they can't upload files.

Well, a month ago, a hacker accessed this directory and erased all files with 777 permissions.

How do I configure this directory so that nobody can erase these files?

Thanks
Question by: jorgeeurolynx

3 Comments
 
Accepted Solution by: btan (LVL 61, earned 500 total points), ID: 40470349
Do change the login password for the existing user and isolate the server if possible, till a fresh image is reverted with a new account. Coming back, 777 is discouraged even if this is a shared host. This invites trouble actually.

Please see good practices for securing PHP. Check out the tips stated in the article:
#7: Turn Off Remote Code Execution
#11: Install Suhosin Advanced Protection System for PHP
#14: PHP User and Group ID
#15: Limit PHP Access To File System
#18: Restrict File and Directory Access
#19: Write Protect Apache, PHP, and MySQL Configuration Files
#21: Install Mod_security

Overall, besides the hardening aspects, consider the least-privilege principle in the web server; below are some food for thought.

e.g. Run the web server under a user account that does not own any of the files of the website.

e.g. Have just sufficient access rights for the web server process such that it performs baseline tasks like audit logging (writing its access.log and error.log) and transacts with its authorised database server.

e.g. Create a user group and add a user into it; this user is the overall owner of the whole web content including its directories. Have that main web content folder with permission 750 and the web content files with permission 650 - deny others and allow only user and group. Do ensure your web server retains read access to all customised scripts and configuration.

If you use .htaccess, as with Apache, then do consider the below.

e.g. Lock down any directory browsing to external users (e.g. add "Options -Indexes" to the .htaccess file in the web content home directory) and even block bots from crawling your web content using .htaccess (best effort). Can check out more .htaccess security tricks.

e.g. Password-protect the web content directory using .htaccess. But do note it only protects directories and not files. Also, once a user authenticates successfully, it is back to the user's permissions assigned to the content in that directory and its children.
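The ownership and mode rules in the accepted answer (directories 750, files 650, nothing readable by "others", nothing owned by the account the web server runs as) are easy to state and easy to drift from. The script below is an added example, not code from the thread or from any of the experts: a PHP CLI audit that walks a content tree and reports every entry that breaks those rules. It assumes a POSIX host with the `posix` extension, that the web server user name is given as the second argument (`www-data` is only a placeholder default), and that the paths passed in are real directories on the server. An upload directory that the server must write to will be flagged by it; that is the point, since such a directory should be a deliberate exception, placed outside the document root, rather than a 777 directory inside it.

```php
<?php
// Added example, not from the thread: audit a web content tree against the
// least-privilege rules in the accepted answer. Usage (placeholder paths):
//   php audit_perms.php /var/www/html www-data
declare(strict_types=1);

/**
 * Check one filesystem entry. Returns human-readable findings (empty = OK).
 * $mode is the raw st_mode; only the permission bits are examined.
 */
function auditEntry(string $path, int $mode, bool $isDir, int $ownerUid, int $webUid): array
{
    $findings = [];
    $mode &= 0777;
    $expected = $isDir ? 0750 : 0650;   // modes recommended in the accepted answer

    if ($mode & 0007) {
        $findings[] = sprintf('%s: accessible by "others" (mode %04o)', $path, $mode);
    }
    if ($mode & 0022) {
        $findings[] = sprintf('%s: writable by group or others (mode %04o)', $path, $mode);
    }
    if ($ownerUid === $webUid) {
        // The web server account should not own content; a compromised
        // PHP process would then be able to delete or rewrite it.
        $findings[] = sprintf('%s: owned by the web server account (uid %d)', $path, $ownerUid);
    }
    if ($mode !== $expected && $findings === []) {
        $findings[] = sprintf('%s: mode %04o differs from recommended %04o', $path, $mode, $expected);
    }
    return $findings;
}

/** Walk $root recursively and collect findings for the root and everything under it. */
function auditTree(string $root, string $webUser): array
{
    if (!is_dir($root)) {
        throw new InvalidArgumentException("$root is not a directory");
    }
    $pw = posix_getpwnam($webUser);
    $webUid = $pw === false ? -1 : (int) $pw['uid'];   // -1: never matches a real owner

    $all = auditEntry($root, (int) fileperms($root), true, (int) fileowner($root), $webUid);

    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        /** @var SplFileInfo $info */
        $all = array_merge(
            $all,
            auditEntry((string) $path, $info->getPerms(), $info->isDir(), $info->getOwner(), $webUid)
        );
    }
    return $all;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $findings = auditTree($argv[1], $argv[2] ?? 'www-data');
    foreach ($findings as $line) {
        echo $line, PHP_EOL;
    }
    exit($findings === [] ? 0 : 1);   // non-zero exit lets a cron job or CI step notice drift
}
```

The exit status makes the audit usable from cron or a deployment hook, so a directory that is chmod'ed back to 777 "to make uploads work" is reported the next time it runs rather than a month later when the files are gone.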
Expert Comment by: noci (LVL 39), ID: 40470605
Then again, if the PHP engine CAN access files, then a user through PHP can access those files.
The PHP app should be written in such a manner that misuse is not possible.
Expert Comment by: btan (LVL 61), ID: 40471038
In fact, do watch out for 2 common attacks that lead to indirect upload attempts: Remote File Inclusion (RFI) and Local File Inclusion (LFI). Never use arbitrary input data in a literal file include request. It is always good to verify with a web scanner against the site to sieve out any gaps, as attacks can come in if there are any holes, and then upload a web shell.
https://www.owasp.org/index.php/File_System#Includes_and_Remote_files

For interest, there is a PHP shell detector as well - http://www.emposha.com/security/php-shell-detector-web-shell-detection-tool.html
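noci's point that the application itself must make misuse impossible, and btan's rule never to feed arbitrary input into a file include, come down to the same habit: no user-controlled string ever becomes a path. The code below is an added example written for this thread, not code from the original poster or from the experts. It assumes the upload directory sits outside the document root (so nothing stored there is ever served or executed as PHP), that this directory is the one place the web server account may write, and that the page map, MIME list and size limit are illustrative values to adapt.

```php
<?php
// Added example, not from the thread: include-by-token instead of
// include-by-input (closes the RFI/LFI door), and an upload handler that
// never lets the client choose the name, type or location of a stored file.
declare(strict_types=1);

// 1. File inclusion: map a request token to a fixed path. Unknown tokens
//    resolve to null; "../etc/passwd" or "http://..." never reach include().
const PAGE_MAP = [
    'home'    => __DIR__ . '/pages/home.php',      // illustrative paths
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolvePage(string $requested): ?string
{
    return PAGE_MAP[$requested] ?? null;
}

// 2. Uploads: validate content, choose the name server-side, store outside
//    the web root, and make the result non-executable.
const ALLOWED_MIME = [                  // sniffed type => extension we assign
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];
const MAX_BYTES = 5 * 1024 * 1024;      // illustrative limit

/** Store one entry of $_FILES; returns the server-chosen file name or throws. */
function storeUpload(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');   // tmp_name must be PHP's own temp file
    }
    // Decide the type from the bytes, never from the client-supplied name or type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_MIME[$mime])) {
        throw new RuntimeException('disallowed content type');
    }
    // Random name with an extension we chose: no user input reaches the path.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // owner rw, group r, others nothing, never executable
    return $name;
}

/** Resolve a stored name back to a path, accepting only names storeUpload() generates. */
function servePath(string $name, string $uploadDir): ?string
{
    if (!preg_match('/^[0-9a-f]{32}\.(png|jpg|pdf)$/', $name)) {
        return null;   // anything else (slashes, dots, odd extensions) is rejected outright
    }
    $path = rtrim($uploadDir, '/') . '/' . $name;
    return is_file($path) ? $path : null;
}

// Request handling sketch (web context). $uploadDir is an example path.
if (PHP_SAPI !== 'cli') {
    $uploadDir = '/srv/app-uploads';   // outside the document root
    if (isset($_FILES['upload'])) {
        try {
            echo htmlspecialchars(storeUpload($_FILES['upload'], $uploadDir));
        } catch (RuntimeException $e) {
            error_log('upload rejected: ' . $e->getMessage());
            http_response_code(400);
        }
    } elseif (isset($_GET['page']) && ($page = resolvePage((string) $_GET['page'])) !== null) {
        include $page;
    }
}
```

With uploads outside the document root and served only through `servePath()`, the upload directory no longer needs 777: it can be owned by the web server account with mode 750, the content tree stays owned by a separate account as the accepted answer recommends, and a file that does slip through is stored as data rather than as something the server will execute.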
