trap Posted January 12, 2006

Dear all,

I have several osCommerce sites and they have been hacked by a script exploiting the 777 permissions on files and folders, e.g. the images folder.

What happens is the hacker's script places 3 files. You can tell by the timestamp and the obvious fact that .php files are not usually in the images folder. They are usually something like date.php, time.php and always a .htaccess. It also searches through 777 files and injects some code so that when your site loads it calls the other files it has placed on your server. It does this in EVERY world-writable directory and file it can find in that account.

You may not even realise the site has been hacked unless you physically looked at the folders with 777 permission, e.g. images, backup etc.

My question is this: will osCommerce work correctly, enabling photos to be uploaded, backups to be performed, EP to work, etc., if the 777 permissions are changed to 755?

I look forward to your response in due course.

Kind Regards
Trap

AlanR Posted January 12, 2006

Are you on iPowerweb?

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux
Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

trap Posted January 12, 2006

No, I am not. Has anyone got any advice for me?

Regards
Trap

AlanR Posted January 12, 2006

The reason I asked was we had a thread a few days ago where a user on iPower was subject to a worm attack which redirected the osC searches to an outside search engine. That thread is here: http://www.oscommerce.com/forums/index.php?showtopic=188411&st=0 but it sounds like it's not relevant to your situation, although you may find it useful.

As to the permissions... create a little script (you can name it anything, whoami.php would be good) with this as content.

    <?php
    // outputs the username that owns the running php/httpd process
    // (on a system with the "whoami" executable in the path)
    echo 'php is running as user: ' . exec('whoami');
    ?>

This will help you determine the permissions. Most of the files and folders only need to be accessed by php itself; that will tell you who php "is", and php needs access to the image folder for write.

In general (especially for images) back the privileges down till the store stops working. I don't understand why some servers want 777 for images, they must be badly set up or php is running as nobody or as root.

Leaving any folder open to 777, especially on a system as widely used as osC, is asking for trouble.

trap Posted January 12, 2006

Dear Alanr,

Thank you for your assistance. I will look at the thread and try your suggestion. I will let you know what happens.

Regards
Trap

sheepiedog Posted January 18, 2006

Trap - I have sent you an email. My sites have also been hacked in the same manner.

Please advise either here or reply to my email, any information you can give me on a solution or reason. I am also on a different webhost than the one mentioned in this thread.

trap Posted January 18, 2006

> Trap - I have sent you an email. My sites have also been hacked in the same manner.
> Please advise either here or reply to my email, any information you can give me on a solution or reason. I am also on a different webhost than the one mentioned in this thread.

Dear Sheepdogzz,

Sorry to hear you too are having problems. It appears they got in through another client's outdated php script on the server, and this allowed the exposure to any file with 777.

Remove the files .htaccess and the 2 php scripts that shouldn't be in the images folder. Usually you can tell by the date. Check your /temp and /tmp folder and any other folders/files that have 777 permissions. Or better still, restore the whole site and change folders and files that have 777 permission to 755.

At this stage our host has not resolved the 777 permission issue, other than changing them to 755. The problem we face is that osCommerce requires certain folders and files to be set at 777, and they do not function correctly even on 775 on our server. Therefore we have to manually change the permission on the folders / files when we want to make changes to our site, then reset them to 755 when we have finished.

One suggestion was made that you may be able to use a chmod command within the script to automatically change the permission on the folders and files to 777, then after a short time change them back to 755. We have yet to apply this system as we are unsure of the script; however, we have tried a contribution that appears to do a similar thing, but it appears our server does not allow chmod through php scripts. Which under the circumstances is probably a good thing. It just makes it hard.

If anyone has any other solutions I would be very grateful.

I hope I have assisted in some way. I would be interested to see what your host is finding out also, and any solutions they may have.

Regards
Trap

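An added example, not part of the thread or of osCommerce: a Python audit for the signs trap describes, listing world-writable entries under a web root plus any PHP scripts or .htaccess files sitting in directories that should hold only uploads. The directory names, the extension list and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

SCRIPT_EXTS = {".php", ".phtml", ".php3", ".php5"}
# Directories the store writes to; these names are assumptions, adjust per site.
UPLOAD_DIRS = {"images", "tmp", "temp", "backups", "pub"}

def audit(webroot, upload_dirs=UPLOAD_DIRS):
    """Return sorted (relative_path, reason) findings under webroot."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        parts = os.path.relpath(dirpath, webroot).split(os.sep)
        in_upload = any(p in upload_dirs for p in parts)
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if in_upload and stat.S_ISREG(st.st_mode):
                if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                    findings.append((rel, "script in upload dir"))
                elif name == ".htaccess":
                    findings.append((rel, ".htaccess in upload dir"))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample: images/ is 777 and holds two dropped files."""
    for rel in ("index.php", "includes/configure.php", "images/product.gif",
                "images/date.php", "images/.htaccess"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, 0o644)
    os.chmod(os.path.join(root, "includes"), 0o755)
    os.chmod(os.path.join(root, "images"), 0o777)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel, reason in audit(root):
            print(f"{reason:24} {rel}")
```

An .htaccess you placed in an upload directory yourself will also be listed, so compare each finding against a known-good copy of the site before deleting anything.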
♥Vger Posted January 18, 2006

> It also searches through 777 files and injects some code so that when your site loads it calls the other files it has placed on your server

No files should have permissions of 777 or similar. File permissions should be no higher than 644. Most servers won't even allow files with permissions of 777 to run.

In addition, you can always restrict access to your folders via the use of .htaccess files - provided your server is Apache based.

Vger

sheepiedog Posted January 18, 2006

Trap - Thank you so much for your reply. I am also investigating this with my host. I trust you have had no troubles since changing them to 755....

Vger - the trouble is that osCommerce installation requires and the instructions say for these files to be chmod 777.

trap Posted January 18, 2006

> No files should have permissions of 777 or similar. File permissions should be no higher than 644. Most servers won't even allow files with permissions of 777 to run.
> In addition, you can always restrict access to your folders via the use of .htaccess files - provided your server is Apache based.
> Vger

Thank you Vger,

We are finding out more and more about these 777 permissions. When you say restrict access using .htaccess, what do we write in the .htaccess file, and would this allow 777 permission to be used or would we still be required to manually change the files back and forth?

Greatly appreciate any assistance you can provide, Vger.

Sheepdogzz - No more problems since the permissions have been changed.

Regards
Trap

♥Vger Posted January 18, 2006

The only files that require permissions of 777 or similar are the two configure.php files (and sometimes 644 will do) - and only for the duration of the install. The advice is always to change the permissions after the install is completed to either 644, 444 or 400 depending on your server set up.

Vger

trap Posted January 18, 2006

> The only files that require permissions of 777 or similar are the two configure.php files (and sometimes 644 will do) - and only for the duration of the install. The advice is always to change the permissions after the install is completed to either 644, 444 or 400 depending on your server set up.
> Vger

Vger,

Thank you for your response. I have tried 775, 755 for the /images, /temp, /tmp (folders required for EP), mainfile.php (required to change front page) and /pub folder. These folders do not work correctly on anything other than 777. I have not tried 644, 444 or 400 as I figure if they don't work with 775 or 755 then they probably won't work on 644 etc. I think it depends on the server setup.

Any other suggestions?

Regards
Trap

♥Vger Posted January 18, 2006

You have to understand this - because it is pretty basic stuff. There is a vast difference between permissions on Folders and permissions on the Files in those folders.

> I have not tried 644, 444 or 400 as I figure if they don't work with 775 or 755 then they probably won't work on 644 etc

I never suggested that you should try to change permissions on Folders to those values.

Vger

trap Posted January 18, 2006

> You have to understand this - because it is pretty basic stuff. There is a vast difference between permissions on Folders and permissions on the Files in those folders.
> I never suggested that you should try to change permissions on Folders to those values.
> Vger

Thank you Vger,

The problem is it's the folder that requires 777 permission; the files within are still 644. The exploit uses the permission on the folder to dump its unwanted files etc. If the folder on the images (for e.g.) is anything other than 777 you cannot upload images etc. In the knowledge base it states the images directory needs 777 permission.

You mentioned a .htaccess file to protect. Would you be so kind as to provide what you would recommend the .htaccess file to have in it? Would this protect the 777 permission folder, e.g. images, from being exploited?

Thank you for your assistance.

Trap

sheepiedog Posted January 18, 2006

Trap - my index.php in the root of my public_html was also replaced - any ideas what I can do to protect it?

Do I change the permissions on public_html?

trap Posted January 18, 2006

> Trap - my index.php in the root of my public_html was also replaced - any ideas what I can do to protect it?
> Do I change the permissions on public_html?

sheepiedog,

Not sure why your index.php file was replaced; however, all I can suggest is make sure that the permission for index.php is not set above 644. You may have set it at 777 at some stage. This exploit only attacks folders and any file that has 777 permission.

Hope this helps
trap

AlanR Posted January 18, 2006

> Thank you Vger,
> The problem is it's the folder that requires 777 permission; the files within are still 644. The exploit uses the permission on the folder to dump its unwanted files etc. If the folder on the images (for e.g.) is anything other than 777 you cannot upload images etc.

Have you tried 755? I've never set /images to anything other than 755.

trap Posted January 18, 2006

> Have you tried 755? I've never set /images to anything other than 755.

AlanR,

Yes, have tried 755, this does not allow access. It depends on the server setup. Your server may have phpsuexec installed, which requires 755 and would not allow 777. This is not an option for us.

Appreciate your suggestion.

Trap

AlanR Posted January 18, 2006

> AlanR,
> Yes, have tried 755, this does not allow access. It depends on the server setup. Your server may have phpsuexec installed, which requires 755 and would not allow 777.

No... It's not running phpsuexec and I can set any level of permissions that I choose. php runs as me (my user), the group is users of ftp. This is (to me) the most logical fashion to set up the system.

What is php running as on your system? Read up some posts if you don't know, I posted a little script.

trap Posted January 18, 2006

> No... It's not running phpsuexec and I can set any level of permissions that I choose. php runs as me (my user), the group is users of ftp. This is (to me) the most logical fashion to set up the system.
> What is php running as on your system? Read up some posts if you don't know, I posted a little script.

Thank you for your reply. I will search for the script to find out what php is running at. I think it may be running as nobody. I assume this is the standard setup without running as cgi.

Regards
Trap

♥Vger Posted January 18, 2006

You can use .htaccess to prevent access to files in a folder except when it originates from your website, but the security of the folders is something that is down to your web hosting company. They don't really appear to be on the ball on this problem.

Vger

trap Posted January 19, 2006

> You can use .htaccess to prevent access to files in a folder except when it originates from your website, but the security of the folders is something that is down to your web hosting company. They don't really appear to be on the ball on this problem.
> Vger

Thank you Vger.

Our host has been working on the problem. They have advised us that only phpsuexec will stop this from occurring; however, it will also affect many other php scripts on the server, including osCommerce.

AlanR seems to be able to use 755 folder permissions (images directory) without phpsuexec. I wonder how?

Would anyone have any suggestions here? Any assistance is greatly appreciated.

Trap

AlanR Posted January 19, 2006

Here: Name the script anything you like, whoami.php is good. It will tell you what user php is running as.

    <?php
    // outputs the username that owns the running php/httpd process
    // (on a system with the "whoami" executable in the path)
    echo 'php is running as user: ' . exec('whoami');
    ?>

trap Posted January 19, 2006

> Here: Name the script anything you like, whoami.php is good. It will tell you what user php is running as.
>
>     <?php
>     // outputs the username that owns the running php/httpd process
>     // (on a system with the "whoami" executable in the path)
>     echo 'php is running as user: ' . exec('whoami');
>     ?>

Appreciate your assistance.

Trap

trap Posted January 19, 2006

AlanR,

Thank you for the script. I utilised the script and php is running as nobody. How did you get (or do you get) php to run as user and not nobody?

Appreciate your help.

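An added example, not from the thread or from osCommerce: the Unix rule that explains why 755 on /images works when php runs as the account user and fails when php runs as nobody, written out in Python. The uid and gid numbers are constructed, and ACLs and other access-control layers are assumed absent.

```python
import os
import stat

# The modes tried in the thread, tightest first.
CANDIDATE_MODES = (0o755, 0o775, 0o777)

def dir_write_access(mode, owner_uid, owner_gid, proc_uid, proc_gids):
    """Return (class, allowed) for creating files in a directory.

    The kernel picks exactly one class: owner bits if the process uid owns
    the directory, else group bits if it is in the directory's group, else
    the 'other' bits. Creating a file needs both write and search (x).
    """
    if proc_uid == 0:
        return ("root", True)  # root bypasses the mode bits
    if proc_uid == owner_uid:
        cls, need = "owner", stat.S_IWUSR | stat.S_IXUSR
    elif owner_gid in proc_gids:
        cls, need = "group", stat.S_IWGRP | stat.S_IXGRP
    else:
        cls, need = "other", stat.S_IWOTH | stat.S_IXOTH
    return (cls, (mode & need) == need)

def tightest_mode(owner_uid, owner_gid, proc_uid, proc_gids):
    """First candidate mode that lets the PHP process write, or None."""
    for mode in CANDIDATE_MODES:
        if dir_write_access(mode, owner_uid, owner_gid, proc_uid, proc_gids)[1]:
            return mode
    return None

def check_path(path, proc_uid, proc_gids):
    """Apply the same rule to a real directory on disk."""
    st = os.stat(path)
    return dir_write_access(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                            proc_uid, proc_gids)

if __name__ == "__main__":
    # Constructed ids: the hosting account is uid/gid 1001, "nobody" is 65534.
    account, nobody = (1001, [1001]), (65534, [65534])
    for label, (uid, gids) in (("PHP as account user", account),
                               ("PHP as nobody", nobody)):
        mode = tightest_mode(1001, 1001, uid, gids)
        print(f"{label}: images/ needs {oct(mode)}")
```

When php runs as nobody, the only bits that can grant it write access are the "other" bits, which grant the same access to every other process on the server that is neither the owner nor in the group.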
Archived
This topic is now archived and is closed to further replies.