Solution to 777 directory hack problem? (Security and Cryptography forum on Dev Shed)
Posts: 16
Time spent in forums: 3 h 7 m 46 sec
Reputation Power: 0
Solution to 777 directory hack problem?
I have been hacked twice now by somebody (or some script) that uploads an .htaccess file and a randomly named PHP script to any directories CHMODed 777 on my site. The .htaccess redirects any 404's to the PHP script that is uploaded and the PHP script redirects the user to a third party website. This has gotten me banned from Google because the search engines grab a bunch of URLs pointing to the directory with random porn and warez phrases after the directory URL.
I can't CHMOD the affected directories (image directories) because of the nature of our website (images are uploaded on a constant basis), but I started thinking:
What if I upload an .htaccess file that is CHMOD'd 644 and prevents PHP scripts from running in that directory?
Would this work?
What would I need to put in the .htaccess to prevent anything with a .php extension from running?
Please overlook any ignorance that may be present (and probably is present) in this question -- I have very little knowledge of web security. Any help much appreciated... thanks...
Posts: 1,286
Time spent in forums: 3 Weeks 3 Days 6 h 10 m 16 sec
Reputation Power: 172
Well, I think you need to fix your security problems, rather than looking for a band aid, because hackers are generally creative, and will probably find ways around what you're trying to do once they're in, but that's generally....
Find out how you were cracked, fix the hole, try to do an audit on your applications, and hope you don't get penetrated again.
Having said that, uploading a .htaccess which can only be written to as root may work, just as long as Apache isn't running as root *cringes at the thought*. But it all depends on how you were penetrated; if it's simply a dodgy upload script, why not fix that and make life easier for yourself?
Posts: 10,101
Time spent in forums: 3 Months 3 Weeks 6 h 8 m 34 sec
Reputation Power: 0
Kuza55's right - fix the problem first, rather than bandaiding it. Personally, I'd move the uploads folder outside the document root, so it's NOT accessible via the web. Next, I'd run a cron script to move any IMAGE files alone (check the type, not just the extension) into the web accessible directory. Next, it should be possible to turn off PHP execution for a certain dir (but you'll probably need to do it in your httpd.conf file). I've never done it, but it shouldn't be too hard to google up a solution.
Posts: 1,286
Time spent in forums: 3 Weeks 3 Days 6 h 10 m 16 sec
Reputation Power: 172
Quote:
Originally Posted by SimonGreenhill
Kuza55's right - fix the problem first, rather than bandaiding it. Personally, I'd move the uploads folder outside the document root, so it's NOT accessible via the web. Next, I'd run a cron script to move any IMAGE files alone (check the type, not just the extension) into the web accessible directory. Next, it should be possible to turn off PHP execution for a certain dir (but you'll probably need to do it in your httpd.conf file). I've never done it, but it shouldn't be too hard to google up a solution.
--Simon
I think the easiest way to stop script execution would be to simply overwrite the type for PHP files in .htaccess (assuming of course that AllowOverride is on in httpd.conf; if it isn't, then either turn it on, which you can always just do for a single directory, or simply add what you would put into the .htaccess file into <directory> tags, so you can stop execution in certain dirs), so having a .htaccess file like this:
Code:
AddType text/plain .php
will effectively stop code execution. You could even make it all prettyful and do:
Code:
AddType application/x-httpd-php-source .php
.....anyways....
I would also do an examination of your server to make sure no malware has been installed on there, just in case....
And Simon, why would you upload outside the web root and then do checks with a cronjob? Wouldn't it be just as easy to do checks when the images are being uploaded? And you would then not have any malicious files even touching the file system outside a temporary directory.....which should be cleaned anyway....
I've also got a quick question: is there any way to make PHP reject file uploads except from certain scripts? (I know mod_security simply disables all of them, but is there a way to disallow them, but to allow files to be sent to certain pages? Pages which would delete the items in question from the temp folder if they didn't pass the security checks....)
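Simon's "check the type, not just the extension" and Kuza55's "do checks when the images are being uploaded" can be combined in the upload script itself. The following is an added example, not code from the thread or from either poster: it accepts an upload only if its bytes decode as an allowed image, re-encodes the pixels with GD so any PHP code appended or hidden inside the original is discarded, and writes the result under a server-generated name. It assumes GD is installed, the form field is `image`, and `$storeDir` is a directory outside the document root owned by the PHP process user (so it can stay 755 rather than 777).

```php
<?php
// Added example, not code from the thread. Validates an uploaded image by its content,
// re-encodes it, and stores it under a name the server chooses.
// Assumptions: GD available; $storeDir is outside the document root and owned by the
// user PHP runs as, so no world-writable permissions are needed.
declare(strict_types=1);

// Detected MIME type => [extension we assign, GD encoder we re-save with]
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => ['jpg', 'imagejpeg'],
    'image/png'  => ['png', 'imagepng'],
    'image/gif'  => ['gif', 'imagegif'],
];

/** Returns the stored file name; throws if the upload is not an acceptable image. */
function storeValidatedImage(array $upload, string $storeDir): string
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, code ' . ($upload['error'] ?? 'none'));
    }
    $tmp = $upload['tmp_name'];
    if (!is_uploaded_file($tmp)) {          // only files that arrived with this request
        throw new RuntimeException('not an uploaded file');
    }
    // 1. Type from the magic bytes, never from the client file name or $upload['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException("rejected content type $mime");
    }
    // 2. The data must actually decode as an image.
    $img = @imagecreatefromstring((string) file_get_contents($tmp));
    if ($img === false) {
        throw new RuntimeException('file does not decode as an image');
    }
    // 3. A genuine image with PHP code appended or stored in a comment block passes
    //    steps 1 and 2, so re-encode from pixels: only image data is written out, and
    //    the name and extension are ours, so no .php or .htaccess can ever land on disk.
    [$ext, $encoder] = ALLOWED_IMAGE_TYPES[$mime];
    $dest = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!$encoder($img, $dest)) {
        throw new RuntimeException('could not write re-encoded image');
    }
    chmod($dest, 0644);                     // readable, never executable or world-writable
    return basename($dest);
}

// Usage on the upload page (constructed paths):
// $name = storeValidatedImage($_FILES['image'], '/home/site/uploads_pending');
```

Re-encoding drops metadata and GIF animation, which is acceptable for an image gallery; the AddType change above still belongs on the web-served directory as a second layer.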
Posts: 16
Time spent in forums: 3 h 7 m 46 sec
Reputation Power: 0
Quote:
Originally Posted by rehash
How did they manage to upload the file? Are you running some public hosting?
Yeah, it's public hosting. AllowOverride is on, so I can change the PHP filetype to text. Thanks for the code to do it; I couldn't seem to Google it last night.
I don't think they did this through a file upload script, the upload script for these images is in an Apache auth protected area, I think it was done as a direct result of the directory being CHMOD'd 777 -- there were two other directories on my server that were CHMOD'd 777 (deeply nested directories inside two statistics scripts I had installed) and both of these other directories were hit as well.
How do they upload to these directories? Through a browser?!?!??! I just don't understand the mechanism without them actually FTP'ing in...
I am going to move the images outside of the web accessible area and move them with a CRON job, but with my limited abilities it may take a while to figure it out and get it working so I'll utilize the bandaid for now.
Posts: 172
Time spent in forums: 1 Day 20 h 5 m 11 sec
Warnings Level: 10
Number of bans: 1
Reputation Power: 0
Quote:
Originally Posted by sexydawg
I have been hacked twice now by somebody (or some script) that uploads an .htaccess file and a randomly named PHP script to any directories CHMODed 777 on my site. The .htaccess redirects any 404's to the PHP script that is uploaded and the PHP script redirects the user to a third party website. This has gotten me banned from Google because the search engines grab a bunch of URLs pointing to the directory with random porn and warez phrases after the directory URL.
I can't CHMOD the affected directories (image directories) because of the nature of our website (images are uploaded on a constant basis), but I started thinking:
Please overlook any ignorance that may be present (and probably is present) in this question -- I have very little knowledge of web security. Any help much appreciated... thanks...
- B
I highly suspect you have a phpnuke/gallery or one of those apps with as many security holes as swiss cheese.
- Get an uptodate version
- find a similar app but with fewer security holes
Can you show us the logs of the actual hacks in progress?
Posts: 16
Time spent in forums: 3 h 7 m 46 sec
Reputation Power: 0
I think I found it (if not something like it)... the attack had already occurred in those image directories at this point but this is the first mention of the GStats directory and the support directory in relation to weird stuff. All of these log entries were in one straight block of lines: (EDIT: All of these directories mentioned in the following block of requests were the directories that were affected)
But all these are just requests, right? I don't see anything that shows an upload of a file -- what would I be looking for?
Here are some of the hits on the non-existent URLs that were forwarding to the Russian search engine via the .htaccess and script (to further clarify what was happening):
Posts: 16
Time spent in forums: 3 h 7 m 46 sec
Reputation Power: 0
BTW, the IP on those suspicious requests resolves to Lomag.net which is a service that provides web hosting and *shell accounts* -- am I safe to assume that this is the source of my problem? Also that IP performed the same requests on other days also, so I am assuming it is an automated script of some type.
Also, I found these same type of requests by the same IP a few days before any of this activity started -- the first requests by this IP were on August 29th, Google visited the non-existent URLs on September 6th and then all hell broke loose on the 8th.
Posts: 2
Time spent in forums: 4 m 42 sec
Reputation Power: 0
Search Engine Spiders
Quote:
Originally Posted by Eric M
These hacks are done by an automated script that scans the server for any directories with write permissions.
While this will not stop you from being hacked it will stop any automated scans from finding your directory.
Chmod your public_html folder to 711
Hi,
This is a good solution to prevent them from finding the directories. Thanks a lot!
My website has been hacked several times and they have uploaded fake PayPal pages and ... to cheat people. It can be really dangerous for webmasters.
My question is: can chmoding the public_html folder to 711 prevent the search engine spiders from crawling the website?
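The quoted post describes a script that scans for writable directories, and the thread's earlier question was "what would I be looking for?". The same scan can be run defensively. The following is an added example, not code from the thread: a CLI/cron audit that walks the document root and reports world-writable directories plus any .htaccess or PHP file sitting inside one (the pair the attacker dropped). The document root path passed on the command line is an assumption.

```php
<?php
// Added example, not code from the thread: audit a document root for the conditions
// described in this discussion. Meant to run from cron as the site owner and mail its
// output; an empty report is the expected steady state.
declare(strict_types=1);

/** Returns ['writable_dirs' => [...], 'suspect_files' => [...]] for everything below $root. */
function auditDocumentRoot(string $root): array
{
    $writable = [];
    $suspects = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $entry) {
        if ($entry->isLink()) {
            continue;                        // do not wander out of the tree via symlinks
        }
        if ($entry->isDir()) {
            // Other-write bit set: any local account, including a scanner running as one
            // on the same shared host, can drop files here.
            if (($entry->getPerms() & 0002) !== 0) {
                $writable[] = $path;
            }
            continue;
        }
        // A dropped .htaccess or PHP script inside a world-writable directory is the exact
        // pattern reported above; image directories should contain neither.
        $name  = $entry->getFilename();
        $isPhp = (bool) preg_match('/\.ph(p\d?|tml|ar)$/i', $name);
        if (($name === '.htaccess' || $isPhp)
            && (fileperms($entry->getPath()) & 0002) !== 0) {
            $suspects[] = $path;
        }
    }
    return ['writable_dirs' => $writable, 'suspect_files' => $suspects];
}

// Usage (constructed): php audit.php /home/site/public_html
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $report = auditDocumentRoot($argv[1]);
    foreach ($report['writable_dirs'] as $d) {
        echo "WORLD-WRITABLE DIR: $d\n";
    }
    foreach ($report['suspect_files'] as $f) {
        echo "SUSPECT FILE:       $f\n";
    }
    exit($report['suspect_files'] === [] ? 0 : 1);   // non-zero exit lets cron alert you
}
```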
Posts: 2
Time spent in forums: 4 m 42 sec
Reputation Power: 0
Quote:
Originally Posted by sexydawg
I have been hacked twice now by somebody (or some script) that uploads an .htaccess file and a randomly named PHP script to any directories CHMODed 777 on my site. The .htaccess redirects any 404's to the PHP script that is uploaded and the PHP script redirects the user to a third party website. This has gotten me banned from Google because the search engines grab a bunch of URLs pointing to the directory with random porn and warez phrases after the directory URL.
I can't CHMOD the affected directories (image directories) because of the nature of our website (images are uploaded on a constant basis), but I started thinking:
What if I upload an .htaccess file that is CHMOD'd 644 and prevents PHP scripts from running in that directory?
Would this work?
What would I need to put in the .htaccess to prevent anything with a .php extension from running?
Please overlook any ignorance that may be present (and probably is present) in this question -- I have very little knowledge of web security. Any help much appreciated... thanks...
- B
This cannot cause your website to get banned by Google. If that were the case, tinyurl.com would have been banned a long time ago.