  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 163

Uploaded files on my web server have been erased by a hacker

Hi.

I have a web server where my users upload files via the POST method in PHP.

The upload directory has file permissions 777, because otherwise they cannot upload files.

Well, a month ago, a hacker accessed this directory and erased all the files with 777 permissions.

How do I configure this directory so that no one can erase these files?

Thanks
0
Asked by jorgeeurolynx
1 Solution
btan (Exec Consultant) commented:
Do change the login password for the existing user and isolate the server if possible, until a fresh image is restored with a new account. Coming back to the question, 777 is discouraged even if this is a shared host. It invites trouble.

Please see the good practices for securing PHP. Check out the tips stated in the article:
#7: Turn Off Remote Code Execution
#11: Install Suhosin Advanced Protection System for PHP
#14: PHP User and Group ID
#15: Limit PHP Access To File System
#18: Restrict File and Directory Access
#19: Write Protect Apache, PHP, and MySQL Configuration Files
#21: Install Mod_security

Overall, besides the hardening aspects, consider the least-privilege principle for the web server; below is some food for thought.

e.g. Run the web server under a user account that does not own any of the files of the website.

e.g. Give the web server process just sufficient access rights to perform its baseline tasks, such as audit logging (writing its access.log and error.log) and transacting with its authorised database server.

e.g. Create a user group and add a user to it; this user is the overall owner of the whole web content, including its directories. Set the main web content folder to permission 750 and the web content files to permission 650 (deny others; allow only user and group). Do ensure your web server retains read access to all customised scripts and configuration files.

If you use .htaccess, as with Apache, then do consider the following.

e.g. Lock down any directory browsing by external users (e.g. add "Options -Indexes" to the .htaccess file in the web content home directory), and even block bots from crawling your web content using .htaccess (on a best-effort basis). You can check out more .htaccess security tricks.

e.g. Password-protect the web content directory using .htaccess. But do note that it only protects directories, not files. Also, once a user authenticates successfully, access is back to the permissions assigned to the content in that directory and its children.
0
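The 750/650 layout above is easy to state and easy to drift from, so here is an added example (not code from this thread or from the asker's server) that audits a web-content tree for world-writable entries like the 777 upload directory in the question and then applies the recommended modes. The directory built by build_demo_tree() is constructed so the script runs offline; the modes DIR_MODE and FILE_MODE are the values from the answer. Changing ownership to a non-web-server user needs root and is left to chown outside this script.

```python
"""Audit a web-content tree for world-writable entries and apply the
750 (directories) / 650 (files) modes recommended in the answer.

Added example, not code from the thread; the directory layout in
build_demo_tree() is constructed so the script runs offline."""
import os
import stat
import tempfile
from pathlib import Path

DIR_MODE = 0o750   # rwxr-x---  (value from the answer)
FILE_MODE = 0o650  # rw-r-x---  (value from the answer)


def iter_tree(root):
    """Yield root and every entry below it, without following symlinks."""
    root = Path(root)
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield Path(dirpath) / name


def world_writable(root):
    """Relative paths under root whose mode lets 'others' write (the 777 problem)."""
    root = Path(root)
    return sorted(
        str(p.relative_to(root))
        for p in iter_tree(root)
        if os.lstat(p).st_mode & stat.S_IWOTH
    )


def apply_modes(root, dir_mode=DIR_MODE, file_mode=FILE_MODE):
    """chmod every directory/file to the wanted mode; return what changed.

    Symlinks are skipped: chmod follows them, and a planted link could
    otherwise redirect the change to a file outside the tree."""
    root = Path(root)
    changed = []
    for p in iter_tree(root):
        st = os.lstat(p)
        if stat.S_ISLNK(st.st_mode):
            continue
        wanted = dir_mode if stat.S_ISDIR(st.st_mode) else file_mode
        current = stat.S_IMODE(st.st_mode)
        if current != wanted:
            os.chmod(p, wanted)
            changed.append((str(p.relative_to(root)), oct(current), oct(wanted)))
    return changed


def build_demo_tree():
    """Constructed sample: an uploads directory left at 777, as in the question."""
    base = Path(tempfile.mkdtemp(prefix="webroot_"))
    uploads = base / "uploads"
    uploads.mkdir()
    (base / "index.php").write_text("<?php echo 'demo'; ?>\n")
    (uploads / "photo.jpg").write_bytes(b"\xff\xd8demo")
    os.chmod(base, 0o755)
    os.chmod(uploads, 0o777)            # the permissive setting from the question
    os.chmod(base / "index.php", 0o644)
    os.chmod(uploads / "photo.jpg", 0o666)
    return base


def demo():
    """Audit, fix, audit again; returns the findings for inspection."""
    base = build_demo_tree()
    before = world_writable(base)
    changed = apply_modes(base)
    after = world_writable(base)
    return {"before": before, "changed": len(changed), "after": after}


if __name__ == "__main__":
    print(demo())
```

Run it against a real document root by calling world_writable("/var/www/site") first; anything it lists is writable by every local account, including whatever the web server runs as. apply_modes() deliberately leaves symlinks alone because os.chmod follows them, which is exactly how a link dropped into an upload directory would turn a mass chmod into a change to some unrelated file.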
noci (Software Engineer) commented:
Then again, if the PHP engine CAN access files, then a user, through PHP, can access those files.
The PHP app should be written in such a manner that misuse is not possible.
0
btan (Exec Consultant) commented:
In fact, do watch out for two common attacks that lead to indirect upload attempts: Remote File Inclusion (RFI) and Local File Inclusion (LFI). Never use arbitrary input data in a literal file include request. It is always good to verify with a web scanner against the site to sieve out any gaps, as attacks can come in if there are any holes and then upload a web shell.
https://www.owasp.org/index.php/File_System#Includes_and_Remote_files

For interest, there is a PHP shell detector as well: http://www.emposha.com/security/php-shell-detector-web-shell-detection-tool.html
0
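Both noci's point (the app itself must make misuse impossible, whatever the engine can reach) and btan's warning about RFI/LFI come down to never letting client-supplied strings choose a file path. The following added example, written in Python rather than the asker's PHP and not taken from this thread, shows the two guards side by side: an upload saver that discards the client's file name entirely and keeps only an allowlisted extension, and an include resolver that refuses URLs and maps the request through a fixed allowlist. ALLOWED_EXT, PAGES and the sample inputs in demo() are assumptions constructed for the example.

```python
"""Defensive handling of user-supplied file names: an upload saver and an
include resolver that both refuse to step outside their base directory.

Added example (not the thread's code); a PHP handler would apply the same
rules. ALLOWED_EXT, PAGES and the inputs in demo() are constructed."""
import os
import secrets
import tempfile
from pathlib import Path
from urllib.parse import urlparse

ALLOWED_EXT = {"jpg", "png", "pdf"}                   # assumed upload policy
PAGES = {"home": "home.inc", "about": "about.inc"}    # assumed include allowlist


class RejectedInput(ValueError):
    """Raised for any client value that must not reach the file system."""


def contained_path(base, candidate):
    """Resolve candidate under base; raise if it escapes via '..' or a symlink."""
    base = Path(base).resolve()
    target = (base / candidate).resolve()
    if target != base and base not in target.parents:
        raise RejectedInput(f"path escapes base: {candidate!r}")
    return target


def safe_upload_name(original):
    """Keep only an allowlisted extension from the client name; generate the rest."""
    ext = Path(original).suffix.lower().lstrip(".")
    if ext not in ALLOWED_EXT:
        raise RejectedInput(f"extension not allowed: {original!r}")
    return f"{secrets.token_hex(16)}.{ext}"


def save_upload(store_dir, original_name, data):
    """Write data to a fresh, server-chosen name inside store_dir (mode 0640)."""
    dest = contained_path(store_dir, safe_upload_name(original_name))
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def resolve_include(include_dir, page):
    """RFI/LFI guard: no URL schemes, only allowlisted pages, contained in include_dir."""
    if urlparse(page).scheme:        # http://, php://, data: ... never a local file
        raise RejectedInput(f"remote include refused: {page!r}")
    if page not in PAGES:            # the request never becomes a literal path
        raise RejectedInput(f"unknown page: {page!r}")
    return contained_path(include_dir, PAGES[page])


def demo():
    """Constructed sample run: one good upload, then inputs that must be refused."""
    store = Path(tempfile.mkdtemp(prefix="uploads_"))
    inc = Path(tempfile.mkdtemp(prefix="inc_"))
    (inc / "home.inc").write_text("<?php /* home */ ?>\n")

    def rejected(fn, *args):
        try:
            fn(*args)
        except RejectedInput:
            return True
        return False

    saved = save_upload(store, "holiday.JPG", b"\xff\xd8demo")
    traversal = save_upload(store, "../../../tmp/x.jpg", b"demo")   # name is discarded
    return {
        "saved_inside_store": saved.parent == store.resolve(),
        "saved_ext": saved.suffix,
        "client_name_kept": saved.name.startswith("holiday"),
        "traversal_neutralised": traversal.parent == store.resolve(),
        "php_upload_rejected": rejected(save_upload, store, "shell.php", b"<?php"),
        "dotfile_rejected": rejected(save_upload, store, ".htaccess", b""),
        "remote_include_rejected": rejected(resolve_include, inc, "http://attacker.example/s.txt"),
        "lfi_rejected": rejected(resolve_include, inc, "../../../../etc/passwd"),
        "direct_escape_rejected": rejected(contained_path, inc, "../outside.inc"),
        "home_include": resolve_include(inc, "home").name,
    }


if __name__ == "__main__":
    print(demo())
```

The upload side never trusts the client name: the stored name is random, the extension comes from a fixed set, and O_EXCL with mode 0640 prevents clobbering or world-readable files. The include side answers btan's "never use arbitrary input data in a literal file include" by looking the request up in PAGES, so a traversal string or a URL is rejected before any path is built; contained_path() is kept as a second check in case the allowlist is ever edited to contain something unexpected.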
