Uploaded files on my web server have been erased by a hacker

Hi.

I have a web server where my users upload files via the POST method in PHP.

The upload directory has file permissions 777, because otherwise they cannot upload files.

Well, a month ago, a hacker accessed this directory and erased all the files with 777 permissions.

How do I configure this directory so that nobody can erase these files?

Thanks
Asked by jorgeeurolynx

btan (Exec Consultant) commented:
Do change the login password for the existing user and isolate the server if possible, until a fresh image is restored with a new account. Coming back to the question, 777 is discouraged even on a shared host. It actually invites trouble.

Please see the good practices for securing PHP. Check out the tips stated in the article:
#7: Turn Off Remote Code Execution
#11: Install Suhosin Advanced Protection System for PHP
#14: PHP User and Group ID
#15: Limit PHP Access To File System
#18: Restrict File and Directory Access
#19: Write Protect Apache, PHP, and MySQL Configuration Files
#21: Install Mod_security

Overall, besides the hardening aspects, consider the least-privilege principle for the web server; below is some food for thought.

e.g. Run the web server under a user account that does not own any of the website's files.

e.g. Give the web server process just sufficient access rights to perform its baseline tasks, such as audit logging (writing its access.log and error.log) and transacting with its authorised database server.

e.g. Create a user group and add a user to it; this user is the overall owner of the whole web content, including its directories. Give the main web content folder permission 750 and the web content files permission 650 - deny others and allow only user and group. Do ensure your web server retains read access to all customised scripts and configuration.

If you use .htaccess, as with Apache, then consider the following:

e.g. Lock down directory browsing from the outside (e.g. add "Options -Indexes" to the .htaccess file in the web content home directory) and even block bots from crawling your web content using .htaccess (on a best-effort basis). You can check out more .htaccess security tricks.

e.g. Password protect the web content directory using .htaccess. But do note it only protects directories and not files. Also, once a user authenticates successfully, it is back to the permissions assigned to that user on the content in that directory and its children.

noci (Software Engineer) commented:
Then again, if the PHP engine CAN access files, then a user, through PHP, can access those files.
The PHP app should be written in such a manner that misuse is not possible.
btan (Exec Consultant) commented:
In fact, do watch out for 2 common attacks that lead to indirect upload attempts. They are Remote File Inclusion (RFI) and Local File Inclusion (LFI) attacks. Never use arbitrary input data in a literal file include request. It is always good to verify with a web scanner against the site to sieve out any gaps, as attacks can come in if there are any holes and then upload a web shell.
https://www.owasp.org/index.php/File_System#Includes_and_Remote_files

For interest, there is a PHP shell detector as well - http://www.emposha.com/security/php-shell-detector-web-shell-detection-tool.html
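As an added example (not code from the thread or from any of the participants), here is how noci's point about writing the PHP app so that misuse is not possible, and btan's warning about never building an include from arbitrary input, look in practice: an upload handler that stores files under a server-chosen name in a 0750 directory outside the web root with no world-writable bit, and a page include that resolves a request parameter through an allowlist. The upload path, the page map, and the `$_FILES`/`$_GET` key names are assumptions.

```php
<?php
// Added example (not from the thread). Assumes the directory below was
// created outside the web root as: mkdir -m 0750 /srv/app/uploads,
// owned by the web server user, so "others" have no rights to it at all.
declare(strict_types=1);

const UPLOAD_DIR  = '/srv/app/uploads';   // assumed path, not web-served
const MAX_BYTES   = 5 * 1024 * 1024;
// Allowed extension -> MIME type detected from the file content.
const ALLOWED_EXT = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'pdf' => 'application/pdf'];

function storeUpload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Check the extension against an allowlist and against the real content
    // type, not the client-supplied $file['type'].
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_EXT[$ext]) || ALLOWED_EXT[$ext] !== $mime) {
        throw new RuntimeException('file type not allowed');
    }
    // The server picks the name: the client never influences the path.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // owner rw, group r, others nothing, no execute bit
    return $dest;
}

// Include guard: a fixed map from request value to file replaces any
// "include $_GET['page']" construction, which is what LFI/RFI abuse.
const PAGES = ['home' => 'pages/home.php', 'about' => 'pages/about.php'];

function resolvePage(string $requested): string
{
    // Unknown names fall back to a known file, never to the raw input.
    return array_key_exists($requested, PAGES) ? PAGES[$requested] : PAGES['home'];
}

// Usage in the upload endpoint (assumed field and parameter names):
// $stored = storeUpload($_FILES['upload']);
// require __DIR__ . '/' . resolvePage($_GET['page'] ?? 'home');
```

Because the directory is outside the web root and not world-writable, uploaded content is neither served nor executed directly, and a compromise of another account on a shared host cannot delete it the way a 777 directory allows.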