Hacked 777 permission folders and files

[trap]

Dear all

 

I have several oscommerce sites and they have been hacked by a script exploiting the 777 permissions on files and folders eg images folder

 

What happens is the hackers script places 3 files, You can tell by the timestamp and the obvious that .php files are not usually in the images folder. They are usually something like. date.php, time.php and always a .htaccess. It also searches through 777 files and injects some code so that when your site loads it calls the other files it has placed on your server. It does this in EVERY world writeable directory and file it can find in that account. You may not even realise the site has been hacked unless you physically looked at the folders with 777 permission. eg images , backup etc.

 

My question is this.... will oscommerce work correctly enabling photos to be uploaded and backups performed EP to work, etc if the 777 permissions are changed to 755.

 

I look forward to your response in due cours.

 

Kind Regards

Trap

[AlanR]

Are you on iPowerweb?

[trap]

No I am not. Has anyone got any advise for me.

Regards

Trap

[AlanR]

The reason I asked was we had a thread a few days ago where a user on iPower was subject to a worm attack which redirected the osC searches to an outside search engine.

 

That thread is here: http://www.oscommerce.com/forums/index.php?showtopic=188411&st=0

 

but it sounds like it's not relevant to your situation although you may find it useful.

 

As to the permissions...

 

create a little script (you can name it anything, whoami.php would be good) with this as content.

 

<?php
// outputs the username that owns the running php/httpd process
// (on a system with the "whoami" executable in the path)
echo 'php is running as user: ' . exec('whoami');
?>

 

This will help you determine the permissions. Most of the files and folders only need to be accessed by php itself, that will tell you who php "is" and php needs access to the image folder for write.

 

In general (especially for images) back the privileges down till the store stops working. I don't understand why some servers want 777 for images, they must be badly set up or php is running as nobody or as root. Leaving any folder open to 777, especially on a system as widely used as osC, is asking for trouble.

[trap]

Dear Alanr

 

Thank you for your assistance. I will look at the thread and try your suggestion. I will let you know what happens

 

Regards

Trap

[sheepiedog]

Trap - I have sent you an email. My sites have also been hacked in the same manner.

Please advise either here or reply to my email, any information you can give me on a solution or reason.

I am also on a different webhost than the one mentioned in this thread.

[trap]

Trap - I have sent you an email. My sites have also been hacked in the same manner.

Please advise either here or reply to my email, any information you can give me on a solution or reason.

I am also on a different webhost than the one mentioned in this thread.

 

Dear Sheepdogzz

 

Sorry to hear you too are having problems. It appears they got in through another clients outdated php script on the server, and this allowed the exposure to any file with 777. Remove the files .htaccess and the 2 php script that shouldn't be in the images folder. Usually you can tell by the date. Check your /temp and /tmp folder and any other folders/files that have 777 permissions. Or better still restore the whole site and change folders and files that have 777 permission to 755. At this stage our host has not resolved the 777 permission issue, other than changing them to 755.

 

The problems we face is that oscommerce requires certain folders and files to be set at 777 , and they do not function correctly even on 775 on our server. therefore we have to manually change the permission on the folders / files when we want to make changes to our site, then reset them to 755 when we have finished.

 

One suggestion was made that you may be able to use a chmod command within the script to automatically change the permission on the folders and files to 777 then after a short time change them back to 755. We have yet to apply this system as we are unsure of the script, however we have tried a contribution that appears to do a similar thing however it appears our server does not allow chmod throught php scripts. Which under the circumstances is probably a good thing. It just makes it hard.

 

If anyone has any other solutions I would be very grateful.

 

I hope I have assisted in some way, I would be interested to see what your host is finding out also. And any solutions they may have.

 

Regards

Trap

[♥Vger]

It also searches through 777 files and injects some code so that when your site loads it calls the other files it has placed on your server

 

No files should have permissions of 777 or similar. File permissions should be no higher than 644. Most servers won't even allow files with permissions of 777 to run.

 

In addition, you can always restrict access to your folders via the use of .htaccess files - provided your server is Apache based.

 

Vger

[sheepiedog]

Trap - Thank you so much for your reply. I am also investigating this with my host. I trust you have had no troubles since changing them to 755....

 

Vger - the trouble is that oscommerce installation requires and the instructions say for these files to be chmod 777.

[trap]

No files should have permissions of 777 or similar. File permissions should be no higher than 644. Most servers won't even allow files with permissions of 777 to run.

 

In addition, you can always restrict access to your folders via the use of .htaccess files - provided your server is Apache based.

 

Vger

 

Thank you Vger We are finding out more and more about these 777 permissions. When you say restrict access using .htaccess what do we write in the .htaccess file and would this allow 777 permission to be used or would we still be required to manually change the files back and forth

 

Greatly Appreciate any assistance you can provide Vger

 

Sheepdogzz - No more problems since the permissions have been changed.

 

Regards

Trap

[♥Vger]

The only files that require permissions of 777 or similar are the two configure.php files (and sometimes 644 will do) - and only for the duration of the install. The advice is always to change the permissions after the install is completed to either 644, 444 or 400 depending on your server set up.

 

Vger

[trap]

The only files that require permissions of 777 or similar are the two configure.php files (and sometimes 644 will do) - and only for the duration of the install. The advice is always to change the permissions after the install is completed to either 644, 444 or 400 depending on your server set up.

 

Vger

 

Vger,

Thank you for your response. I have tried 775, 755 for the /images, /temp, /tmp (folders required for ep) mainfile.php (required to change front page) and /pub folder. These folders do not work correctly on anything other than 777.

 

I have not tried 644, 444 or 400 as I figure if they don't work with 775 or 755 then they probably won't work on 644 etc.

 

I think it depends on the server setup.

Any other suggestions.

 

Regards

Trap

[♥Vger]

You have to understand this - because it is pretty basic stuff. There is a vast difference between permissions on Folders and permissions on the Files in those folders.

 

I have not tried 644, 444 or 400 as I figure if they don't work with 775 or 755 then they probably won't work on 644 etc

 

I never suggested that you should try to change permisions on Folders to those values.

 

Vger

[trap]

You have to understand this - because it is pretty basic stuff. There is a vast difference between permissions on Folders and permissions on the Files in those folders.

I never suggested that you should try to change permisions on Folders to those values.

 

Vger

 

Thank you Vger,

 

The problem is its the folder that requires 777 permission, the files within are still 644. The expolit uses the permission on the folder to dump its unwanted files etc. If the Folder on the images (for eg) are anything other than 777 you cannot upload images etc. In the knowledge base it states the images directory needs 777 permission.

 

You mentioned a .htaccess file to protect. Would you be so kind as to provide what you would recommend the .htaccess file to have in it . Would this protect the 777 permission folder eg images from being expoited.

 

thank you for your assistance.

Trap

[sheepiedog]

Trap - my index.php in the root of my public_html was also replaced - any ideas what I can do to protect it ?

do i change the permissions on public_html ?

[trap]

Trap - my index.php in the root of my public_html was also replaced - any ideas what I can do to protect it ?

do i change the permissions on public_html ?

sheepiedog,

 

Not sure why your index.php file was replaced however all I can suggest is make sure that the permission for index.php is not set above 644. You may have set it at 777 at some stage. This exploit only attacks folders and any file that has 777 permission.

Hope this helps

trap

[AlanR]

Thank you Vger,

 

The problem is its the folder that requires 777 permission, the files within are still 644. The expolit uses the permission on the folder to dump its unwanted files etc. If the Folder on the images (for eg) are anything other than 777 you cannot upload images etc. \

Have you tried 755? I've never set /images to anything other than 755.

[trap]

Have you tried 755? I've never set /images to anything other than 755.

 

AlanR

Yes have tried 755, this does not allow access. It depends on the server setup. Your server may have phpsuexec install which requires 755 and would not allow 777. This is not an option for us. Appreciate your suggestion.

 

Trap

[AlanR]

AlanR

Yes have tried 755, this does not allow access. It depends on the server setup. Your server may have phpsuexec install which requires 755 and would not allow 777.

No...

 

It's not running phpsuexec and I can set any level of permissions that I choose.

 

php runs as me (my user) the group is users of ftp. This is (to me) the most logical fashion to set up the system. What is php running as on your system? Read up some posts if you don't know, I posted a little script.

[trap]

No...

 

It's not running phpsuexec and I can set any level of permissions that I choose.

 

php runs as me (my user) the group is users of ftp. This is (to me) the most logical fashion to set up the system. What is php running as on your system? Read up some posts if you don't know, I posted a little script.

 

Thank your for your reply. I will search for the script to find out what php is running at. I think it may be running as nobody. I assume this is the standard setup without running as cgi .

 

Regards

Trap

[♥Vger]

You can use .htaccess to prevent access to files in a folder except when it originates from your website, but the security of the folders is something that is down to your web hosting company. They don't really appear to be on the ball on this problem.

 

Vger

[trap]

You can use .htaccess to prevent access to files in a folder except when it originates from your website, but the security of the folders is something that is down to your web hosting company. They don't really appear to be on the ball on this problem.

 

Vger

Thank you Vger. Our host has been working on the problem, they have advised us that only phpsuexec will stop this from occuring, however it will also affect many other php scripts on the server including oscommerce.

 

AlanR seems to be able to use 755 folder permissions (images directory) without phpsuexec I wonder how? Would anyone have any suggestions here?

 

Any assistance is greatly appreciated.

 

Trap

[AlanR]

Here:

 

Name the script anything you like, whoami.php is good. It will tell you what user php is running as.

 

<?php
// outputs the username that owns the running php/httpd process
// (on a system with the "whoami" executable in the path)
echo 'php is running as user: ' . exec('whoami');
?>

[trap]

Here:

 

Name the script anything you like, whoami.php is good. It will tell you what user php is running as.

 

<?php
// outputs the username that owns the running php/httpd process
// (on a system with the "whoami" executable in the path)
echo 'php is running as user: ' . exec('whoami');
?>

 

Appreciate your assistance.

 

Trap

[trap]

AlanR

 

Thank you for the script. I utilised the script and php is running as nobody. How did you get (or do you get) php to run as user and not nobody

 

appreciate you help