Need details please?

#1 paulh1983 (Contributing User, Devshed Loyal, 3000 - 3499 posts; joined Dec 2004)


    OK, back in the day I created some portfolio sites that I knew needed updating, but with me working I didn't get a chance to update those scripts. So I find that I have been hacked by someone; "Ecuadorian hackers" they are called.

    What they do is leave an index.html file on your webserver so that it is served up by default; thankfully (!) I think they don't do any damage.

    Now I have deleted all the files from my server and changed the username, so where before it was /home/username1/, from my web panel I have now changed where my domain is pointing to, i.e. /home/username2/, but even now somehow they are managing to create an "empty" directory structure? Whilst deleting files, I also noticed they had put some JPGs which weren't JPGs at all but encoded PHP, but they are all removed.

    Q: so how are they managing to create directories when I have changed the username and deleted all files, potentially closing the security hole?
#2 Jacques1 (Devshed Expert, 3500 - 3999 posts; joined Jul 2012)

    So all you've done is remove some files and change the document root, and now you hope the "hackers" won't come back? No offense, but that sounds rather naive.

    Other people creating arbitrary files and directories on your server is not normal. It means they've gained system privileges. How deep they got into your system is something you should find out, but right now, it's wise to assume the worst: They have full access to your system.

    This means it's time to take the server offline, investigate the problem and fix the security of your system:

    • Change all passwords of all user accounts, in particular the root account.
    • Are you still using FTP or password-based authentication? Now is the time to switch to SSH with public key authentication.
    • Are there any unusual services or files?
    • Fix the file permissions. Currently, it sounds like anybody (or at least the webserver) can write into your document root. That's very wrong.
    • Go through your whole application and make sure that it's definitely secure against SQL injection, remote file inclusion and similar attacks.

    The point is: You need to take this seriously. It's not enough to clean up the visible mess. You need to actually fix your system to make sure the attackers won't have access to it in the future.

    Comments on this post

    • paulh1983 agrees : can't give rep :( Thank you (as always) for helping..
    • SimonJM agrees : Rep by proxy :)
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
#3 paulh1983 (Contributing User, Devshed Loyal, 3000 - 3499 posts; joined Dec 2004)

    Yes, I am trying to take it seriously; that's why I posted here.

    Thanks for your suggestions,

    when you say:
    Fix the file permissions. Currently, it sounds like anybody (or at least the webserver) can write into your document root. That's very wrong.
    what permissions should I be setting my document root to?
#4 Jacques1 (Devshed Expert, 3500 - 3999 posts; joined Jul 2012)

    Originally Posted by paulh1983
    what permissions should I be setting my document root to?
    "read + execute" for the webserver, no permissions for everybody else. Set this recursively so that all subdirectories and files are affected as well.

    Some directories may require additional permissions (like "write" for upload folders). But the default should be "read + execute".
    Last edited by Jacques1; December 4th, 2013 at 09:28 AM.
#5 sam (Registered User, Devshed Newbie, 0 - 499 posts; joined Dec 2013)

    Seems like an old post, but this may help future readers.

    You may also want to check for backdoors and rootkits, which may have been installed. A couple of good - though not absolute - rootkit identifiers are rkhunter and chkrootkit.
#6 paulh1983 (Contributing User, Devshed Loyal, 3000 - 3499 posts; joined Dec 2004)

    Thanks sam

    Originally Posted by Jacques1
    "read + execute" for the webserver, no permissions for everybody else. Set this recursively so that all subdirectories and files are affected as well.

    Some directories may require additional permissions (like "write" for upload folders). But the default should be "read + execute".
    Q: how do I set read + execute for the webserver? (744?) Right-click the folder and choose read for (owner, group & public), but only the owner gets execute. If so, then how do I FTP files? As I get permission denied and I keep having to relax the permissions..
#7 Jacques1 (Devshed Expert, 3500 - 3999 posts; joined Jul 2012)

    As I already mentioned above, you shouldn't be using FTP at all. This protocol is completely unprotected against people sniffing or even manipulating the traffic.

    You need a modern secure protocol like SCP (which requires SSH access). If possible, use public-key authentication instead of passwords.



    Originally Posted by paulh1983
    q: how do i set read + execute for webserver? (744 ?)
    No, that would be unrestricted access for the webserver (read + write + execute) and read access for everybody.

    read + execute is a 5. The rights for the group and the others should be chosen with care. Is it a public file? Then 4 is fine. Otherwise, restrict access to the users who actually need it.



    Originally Posted by paulh1983
    as i get permission denied and i keep having to relax the permission..
    If the permissions are 500 or 544, nobody can write into the file except root. That's the whole point.

    Comments on this post

    • paulh1983 agrees : damn, mods have something against you, not able to give rep points. Also saw this thread v. late..
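The permission layout Jacques1 describes in #4 and #7 (read + execute for the webserver, nothing for anybody else, write only where uploads land), applied with find and chmod. This is an added example written for this thread, not code from Jacques1. It uses the common variant in which the files are owned by a separate deploy account (the one you scp with) and the webserver gets its read + execute through a group, so publishing a new version does not require relaxing permissions each time; the webserver itself still cannot write anywhere but the upload directory. It assumes Linux with GNU find and stat; DEPLOY_USER and WEB_GROUP are placeholder names, and the demo docroot at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts): apply the
# "read + execute for the webserver, nothing for everybody else" layout.
# Assumptions: Linux with GNU find/stat; files owned by a separate deploy
# account, the webserver running as a member of a group that owns nothing
# else, and the upload directory as the only writable place. DEPLOY_USER
# and WEB_GROUP are placeholder names.

# Ownership: deploy user owns everything, webserver group may read.
# Needs root, so it is kept as a separate step from the permission change.
assign_ownership() {          # assign_ownership ROOT DEPLOY_USER WEB_GROUP
    chown -R "$2:$3" "$1"
}

# Directories 750: owner rwx, webserver group r-x, others nothing.
# Files       640: owner rw-, webserver group r--, others nothing.
# Upload dir 2770: group write plus setgid so uploaded files keep the group.
harden_docroot() {            # harden_docroot ROOT [UPLOAD_DIR]
    root=$1; uploads=${2:-}
    find "$root" -type d -exec chmod 750 {} +
    find "$root" -type f -exec chmod 640 {} +
    if [ -n "$uploads" ] && [ -d "$uploads" ]; then
        chmod 2770 "$uploads"
    fi
}

# Report anything the webserver (via group) or the world could still write,
# skipping the upload directory. Empty output means the docroot is clean.
audit_docroot() {             # audit_docroot ROOT [UPLOAD_DIR]
    root=$1; uploads=${2:-/nonexistent}
    find "$root" -path "$uploads" -prune -o \
         \( -perm -g=w -o -perm -o=w \) -print
}

# Demo over a constructed docroot that starts out wide open (777/666),
# the situation described in the thread.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/inc" "$root/uploads"
    printf '<?php echo "hi";\n' > "$root/index.php"
    chmod 777 "$root/inc" "$root/uploads"; chmod 666 "$root/index.php"
    echo "writable before hardening:"; audit_docroot "$root" "$root/uploads"
    harden_docroot "$root" "$root/uploads"
    echo "writable after hardening (empty means clean):"
    audit_docroot "$root" "$root/uploads"
    stat -c '%a %n' "$root/inc" "$root/index.php" "$root/uploads"
    rm -rf "$root"
}
demo
```

On a real host run `assign_ownership` once as root, then `harden_docroot` and `audit_docroot` as the deploy user after every publish. Note that the upload directory is exactly the place a disguised .jpg like the ones in post #1 would land, so the webserver configuration should refuse to execute PHP from it regardless of its permission bits.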
