Hacked 777 permission folders and files


28 replies to this topic

#1   trap

trap
  • Members
  • 54 posts

Posted 12 January 2006 - 05:20

Dear all

I have several osCommerce sites, and they have been hacked by a script exploiting the 777 permissions on files and folders (e.g. the images folder).

What happens is the hacker's script places three files. You can tell by the timestamp, and by the obvious fact that .php files are not usually in the images folder. They are usually something like date.php and time.php, and always a .htaccess. It also searches through 777 files and injects some code so that when your site loads it calls the other files it has placed on your server. It does this in EVERY world-writable directory and file it can find in that account. You may not even realise the site has been hacked unless you physically looked at the folders with 777 permission, e.g. images, backup etc.

My question is this: will osCommerce work correctly (enabling photos to be uploaded, backups to be performed, EP to work, etc.) if the 777 permissions are changed to 755?

I look forward to your response in due course.

Kind Regards
Trap

#2   AlanR

AlanR
  • Members
  • 3,711 posts

Posted 12 January 2006 - 05:31

Are you on iPowerweb?
Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux
Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

#3   trap

trap
  • Members
  • 54 posts

Posted 12 January 2006 - 07:43

No, I am not. Has anyone got any advice for me?
Regards
Trap

#4   AlanR

AlanR
  • Members
  • 3,711 posts

Posted 12 January 2006 - 08:47

The reason I asked was we had a thread a few days ago where a user on iPower was subject to a worm attack which redirected the osC searches to an outside search engine.

That thread is here: http://forums.oscomm...pic=188411&st=0

but it sounds like it's not relevant to your situation although you may find it useful.

As to the permissions...

Create a little script (you can name it anything, whoami.php would be good) with this as content.

<?php
// outputs the username that owns the running php/httpd process
// (on a system with the "whoami" executable in the path)
echo 'php is running as user: ' . exec('whoami');
?>

This will help you determine the permissions. Most of the files and folders only need to be accessed by php itself; that will tell you who php "is", and php needs write access to the image folder.

In general (especially for images) back the privileges down till the store stops working. I don't understand why some servers want 777 for images, they must be badly set up or php is running as nobody or as root. Leaving any folder open to 777, especially on a system as widely used as osC, is asking for trouble.

#5   trap

trap
  • Members
  • 54 posts

Posted 12 January 2006 - 08:54

Dear Alanr

Thank you for your assistance. I will look at the thread and try your suggestion. I will let you know what happens.

Regards
Trap

#6   sheepiedog

sheepiedog
  • Members
  • 194 posts

Posted 18 January 2006 - 19:53

Trap - I have sent you an email. My sites have also been hacked in the same manner.
Please advise either here or reply to my email, any information you can give me on a solution or reason.
I am also on a different webhost than the one mentioned in this thread.

#7   trap

trap
  • Members
  • 54 posts

Posted 18 January 2006 - 22:20

Trap - I have sent you an email. My sites have also been hacked in the same manner.
Please advise either here or reply to my email, any information you can give me on a solution or reason.
I am also on a different webhost than the one mentioned in this thread.


Dear Sheepdogzz

Sorry to hear you too are having problems. It appears they got in through another client's outdated php script on the server, and this allowed the exposure to any file with 777. Remove the .htaccess file and the two php scripts that shouldn't be in the images folder. Usually you can tell by the date. Check your /temp and /tmp folders and any other folders/files that have 777 permissions. Or better still, restore the whole site and change folders and files that have 777 permission to 755. At this stage our host has not resolved the 777 permission issue, other than changing them to 755.

The problem we face is that osCommerce requires certain folders and files to be set at 777, and they do not function correctly even on 775 on our server. Therefore we have to manually change the permission on the folders/files when we want to make changes to our site, then reset them to 755 when we have finished.

One suggestion was made that you may be able to use a chmod command within the script to automatically change the permission on the folders and files to 777, then after a short time change them back to 755. We have yet to apply this system as we are unsure of the script. However, we have tried a contribution that appears to do a similar thing, and it appears our server does not allow chmod through php scripts. Which, under the circumstances, is probably a good thing. It just makes it hard.

If anyone has any other solutions I would be very grateful.

I hope I have assisted in some way, I would be interested to see what your host is finding out also. And any solutions they may have.

Regards
Trap
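The footprints described in post #1 and post #7 (scripts dropped into the images folder, a .htaccess that was never there before, code injected into anything world-writable, all recognisable by timestamp) can be checked for from a shell. The script below is an added example by the editor, not code from the thread or from osCommerce; it assumes a POSIX shell with find and grep, a typical osCommerce layout (directories named images, backup/backups, temp, tmp, pub), and that an injected include names a script inside one of those directories. It only reads, so it is safe to run on a live site.

```shell
#!/bin/sh
# Added example (editor's, not from the thread or from osCommerce). A read-only
# scan for the footprints trap describes: world-writable directories and
# files, script files dropped into upload-only directories, recently changed
# files, and files that now pull in a script from one of those directories.
# Assumes POSIX sh, find and grep; the directory names and the include
# pattern are assumptions about a typical osCommerce layout.

# world_writable ROOT - anything any local user (another customer's PHP
# running as nobody, for instance) can write to
world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 | sort
}

# dropped_scripts ROOT - .php or .htaccess files inside directories that
# should only ever hold images, backups or temporary files
dropped_scripts() {
    find "$1" -type d \( -name images -o -name backup -o -name backups \
                         -o -name temp -o -name tmp -o -name pub \) |
    while read -r d; do
        find "$d" -type f \( -name '*.php' -o -name '.htaccess' \)
    done | sort
}

# recently_changed ROOT DAYS - files modified in the last DAYS days;
# compare the list against your own last upload
recently_changed() {
    find "$1" -type f -mtime "-$2" | sort
}

# injected_includes ROOT - files whose include/require points into one of
# the upload directories (heuristic for "calls the other files it has placed")
injected_includes() {
    grep -rlE '(include|require)(_once)?.*(images|backups?|temp|tmp|pub)/.*\.php' "$1" 2>/dev/null | sort
}

# scan ROOT [DAYS] - print every section; DAYS defaults to 7
scan() {
    root=$1 days=${2:-7}
    echo "== world-writable (777/666 territory)";        world_writable "$root"
    echo "== scripts in upload-only directories";         dropped_scripts "$root"
    echo "== changed in the last $days days";             recently_changed "$root" "$days"
    echo "== include/require pointing into upload dirs";  injected_includes "$root"
}

# Usage: sh scan.sh /home/shop/public_html [days]
if [ "$#" -ge 1 ]; then
    scan "$@"
fi
```

Anything world-writable is reachable by every other account on a shared box, which is how an "outdated php script" belonging to another client ends up writing into your images folder; the scan lists those paths first for that reason. The include pattern is deliberately loose and will need tuning per site; treat hits as leads to inspect, not proof.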

#8   Vger

Vger
  • Members
  • 16,978 posts

Posted 18 January 2006 - 22:30

It also searches through 777 files and injects some code so that when your site loads it calls the other files it has placed on your server


No files should have permissions of 777 or similar. File permissions should be no higher than 644. Most servers won't even allow files with permissions of 777 to run.

In addition, you can always restrict access to your folders via the use of .htaccess files - provided your server is Apache based.

Vger

#9   sheepiedog

sheepiedog
  • Members
  • 194 posts

Posted 18 January 2006 - 22:35

Trap - Thank you so much for your reply. I am also investigating this with my host. I trust you have had no troubles since changing them to 755....

Vger - the trouble is that the osCommerce installation requires, and the instructions say, for these files to be chmod 777.

#10   trap

trap
  • Members
  • 54 posts

Posted 18 January 2006 - 22:38

No files should have permissions of 777 or similar. File permissions should be no higher than 644. Most servers won't even allow files with permissions of 777 to run.

In addition, you can always restrict access to your folders via the use of .htaccess files - provided your server is Apache based.

Vger


Thank you Vger. We are finding out more and more about these 777 permissions. When you say restrict access using .htaccess, what do we write in the .htaccess file, and would this allow 777 permission to be used, or would we still be required to manually change the files back and forth?

Greatly Appreciate any assistance you can provide Vger

Sheepdogzz - No more problems since the permissions have been changed.

Regards
Trap

#11   Vger

Vger
  • Members
  • 16,978 posts

Posted 18 January 2006 - 22:43

The only files that require permissions of 777 or similar are the two configure.php files (and sometimes 644 will do) - and only for the duration of the install. The advice is always to change the permissions after the install is completed to either 644, 444 or 400 depending on your server set up.

Vger
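AlanR's whoami.php (post #4) tells you which user PHP runs as, and Vger's advice above says configure.php only needs to be writable during installation. The script below is an added example by the editor, not code from the thread or from osCommerce, that turns those two points into a repeatable baseline: directories 755, files 644, the two configure.php files 444, and each upload directory given the least mode under which the PHP user can still write to it. The dir_mode_for rule, the catalog paths and all user and group names are assumptions; it assumes a Unix host with POSIX sh, find, ls, id and chmod.

```shell
#!/bin/sh
# Added example (editor's, not from the osCommerce thread). Assumes a
# Unix host with POSIX sh, find, ls, id and chmod.

# dir_mode_for OWNER GROUP PHP_USER "PHP_GROUPS"
#   OWNER/GROUP : owner and group of the directory (columns 3 and 4 of `ls -ld`)
#   PHP_USER    : the user whoami.php printed
#   PHP_GROUPS  : that user's groups, space separated (`id -Gn PHP_USER`)
# Prints the least directory mode that still lets PHP write there:
#   755 when PHP is the owner, 775 when only a group matches, and 777
#   otherwise. 777 is the case the thread is about; the fix there is to have
#   the directory owned by (or grouped with) the PHP user, not to keep 777.
dir_mode_for() {
    owner=$1 group=$2 php_user=$3 php_groups=$4
    if [ "$owner" = "$php_user" ]; then
        echo 755
        return 0
    fi
    for g in $php_groups; do
        if [ "$g" = "$group" ]; then
            echo 775
            return 0
        fi
    done
    echo 777
}

# upload_dir_mode DIR PHP_USER - the same rule, reading ownership from disk
upload_dir_mode() {
    dir=$1 php_user=$2
    set -- $(ls -ld "$dir")          # drwxr-xr-x links owner group size ...
    dir_mode_for "$3" "$4" "$php_user" "$(id -Gn "$php_user" 2>/dev/null)"
}

# apply_baseline CATALOG PHP_USER UPLOAD_DIR...
#   CATALOG     : the store's document root (where includes/configure.php lives)
#   UPLOAD_DIR  : directories PHP must write to (images, backups, temp ...),
#                 relative to CATALOG
# Everything gets 755/644, the two configure.php files end up 444 as Vger
# recommends after installation, and each upload directory gets the least
# mode the PHP user can still write through.
apply_baseline() {
    catalog=$1 php_user=$2
    shift 2
    find "$catalog" -type d -exec chmod 755 {} +
    find "$catalog" -type f -exec chmod 644 {} +
    for conf in "$catalog/includes/configure.php" "$catalog/admin/includes/configure.php"; do
        if [ -f "$conf" ]; then
            chmod 444 "$conf"
        fi
    done
    for d in "$@"; do
        mode=$(upload_dir_mode "$catalog/$d" "$php_user")
        chmod "$mode" "$catalog/$d"
        echo "$mode $catalog/$d"
    done
}

# Usage: sh baseline.sh /home/shop/public_html nobody images backups temp
if [ "$#" -ge 3 ]; then
    apply_baseline "$@"
fi
```

If the last lines of output still say 777 for a directory, the store owner and the PHP user are different accounts with no group in common, which is exactly the situation trap describes; the durable fix is ownership (chown by the host, or PHP running as the account owner as on AlanR's server), because no chmod value short of 777 will satisfy both.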

#12   trap

trap
  • Members
  • 54 posts

Posted 18 January 2006 - 22:47

The only files that require permissions of 777 or similar are the two configure.php files (and sometimes 644 will do) - and only for the duration of the install. The advice is always to change the permissions after the install is completed to either 644, 444 or 400 depending on your server set up.

Vger


Vger,
Thank you for your response. I have tried 775 and 755 for the /images, /temp and /tmp folders (required for EP), mainfile.php (required to change the front page) and the /pub folder. These folders do not work correctly on anything other than 777.

I have not tried 644, 444 or 400 as I figure if they don't work with 775 or 755 then they probably won't work on 644 etc.

I think it depends on the server setup.
Any other suggestions.

Regards
Trap

#13   Vger

Vger
  • Members
  • 16,978 posts

Posted 18 January 2006 - 22:53

You have to understand this - because it is pretty basic stuff. There is a vast difference between permissions on Folders and permissions on the Files in those folders.

I have not tried 644, 444 or 400 as I figure if they don't work with 775 or 755 then they probably won't work on 644 etc


I never suggested that you should try to change permissions on Folders to those values.

Vger

#14   trap

trap
  • Members
  • 54 posts

Posted 18 January 2006 - 23:01

You have to understand this - because it is pretty basic stuff. There is a vast difference between permissions on Folders and permissions on the Files in those folders.
I never suggested that you should try to change permissions on Folders to those values.

Vger


Thank you Vger,

The problem is it's the folder that requires 777 permission; the files within are still 644. The exploit uses the permission on the folder to dump its unwanted files etc. If the folder (e.g. images) is anything other than 777 you cannot upload images etc. In the knowledge base it states the images directory needs 777 permission.

You mentioned a .htaccess file to protect. Would you be so kind as to provide what you would recommend the .htaccess file to have in it? Would this protect the 777 permission folder (e.g. images) from being exploited?

thank you for your assistance.
Trap
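Vger's suggestion (post #8) of restricting folders with .htaccess is left without contents in this thread. The script below is an added example by the editor, not from Vger, the thread or osCommerce: it writes a .htaccess into an upload-only directory such as images that stops Apache from executing anything stored there, which is the damage the dropped date.php/time.php do. It assumes Apache 2.2-era syntax, that PHP runs either as mod_php (php_flag applies) or as CGI/suexec (the handler removal and the deny block apply), and that the host's AllowOverride permits Options, FileInfo and Limit in .htaccess; if it does not, Apache answers 500 for the directory, so try it on a copy first.

```shell
#!/bin/sh
# Added example (editor's, not from the thread or from osCommerce). Writes a
# .htaccess that stops Apache executing anything in an upload-only directory.
# Assumes Apache 2.2-era directive syntax and an AllowOverride that permits
# Options, FileInfo and Limit; both are assumptions about the host.

# write_noexec_htaccess DIR
write_noexec_htaccess() {
    dir=$1
    cat > "$dir/.htaccess" <<'EOF'
# Upload-only directory: nothing here may run as code.
# mod_php: switch the interpreter off for this tree
php_flag engine off
# CGI/suexec PHP ignores php_flag, so detach the handler and refuse to
# serve script-looking files at all
RemoveHandler .php .phtml .php3 .php4 .php5
RemoveType    .php .phtml .php3 .php4 .php5
<FilesMatch "\.(php|phtml|php[0-9]|pl|cgi|sh)$">
    Order allow,deny
    Deny from all
</FilesMatch>
Options -ExecCGI -Indexes
EOF
    chmod 444 "$dir/.htaccess"
}

# has_noexec_htaccess DIR - succeeds when the file carries the key directives
has_noexec_htaccess() {
    f=$1/.htaccess
    [ -f "$f" ] &&
    grep -q '^php_flag engine off' "$f" &&
    grep -q '^RemoveHandler' "$f" &&
    grep -q 'Deny from all' "$f"
}

# Usage: sh noexec.sh /home/shop/public_html/images /home/shop/public_html/backups
for d in "$@"; do
    write_noexec_htaccess "$d" && echo "protected $d"
done
```

To trap's second question: no, this does not make 777 safe. Deleting or replacing a file is governed by the directory's mode, not the file's, so in a 777 directory any local user (including another client's script running as nobody) can remove this .htaccess and drop its own, which is precisely why the attacker's script "always" brings one. The file is worth having as a second layer, but the durable version is the same directives in a <Directory> block in httpd.conf, which only the host can set and which nothing in the writable tree can override, together with a directory that is not world-writable.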

#15   sheepiedog

sheepiedog
  • Members
  • 194 posts

Posted 18 January 2006 - 23:07

Trap - my index.php in the root of my public_html was also replaced. Any ideas what I can do to protect it?
Do I change the permissions on public_html?

#16   trap

trap
  • Members
  • 54 posts

Posted 18 January 2006 - 23:10

Trap - my index.php in the root of my public_html was also replaced. Any ideas what I can do to protect it?
Do I change the permissions on public_html?

sheepiedog,

Not sure why your index.php file was replaced; however, all I can suggest is to make sure that the permission for index.php is not set above 644. You may have set it at 777 at some stage. This exploit only attacks folders and any file that has 777 permission.
Hope this helps
trap

#17   AlanR

AlanR
  • Members
  • 3,711 posts

Posted 18 January 2006 - 23:12

Thank you Vger,

The problem is it's the folder that requires 777 permission; the files within are still 644. The exploit uses the permission on the folder to dump its unwanted files etc. If the folder (e.g. images) is anything other than 777 you cannot upload images etc.

Have you tried 755? I've never set /images to anything other than 755.

#18   trap

trap
  • Members
  • 54 posts

Posted 18 January 2006 - 23:16

Have you tried 755? I've never set /images to anything other than 755.


AlanR
Yes, I have tried 755; this does not allow access. It depends on the server setup. Your server may have phpsuexec installed, which requires 755 and would not allow 777. This is not an option for us. Appreciate your suggestion.

Trap

#19   AlanR

AlanR
  • Members
  • 3,711 posts

Posted 18 January 2006 - 23:34

AlanR
Yes, I have tried 755; this does not allow access. It depends on the server setup. Your server may have phpsuexec installed, which requires 755 and would not allow 777.

No...

It's not running phpsuexec and I can set any level of permissions that I choose.

php runs as me (my user) the group is users of ftp. This is (to me) the most logical fashion to set up the system. What is php running as on your system? Read up some posts if you don't know, I posted a little script.

#20   trap

trap
  • Members
  • 54 posts

Posted 18 January 2006 - 23:42

No...

It's not running phpsuexec and I can set any level of permissions that I choose.

php runs as me (my user) the group is users of ftp. This is (to me) the most logical fashion to set up the system. What is php running as on your system? Read up some posts if you don't know, I posted a little script.


Thank you for your reply. I will search for the script to find out what php is running as. I think it may be running as nobody. I assume this is the standard setup without running as CGI.

Regards
Trap