Archived

This topic is now archived and is closed to further replies.

trap

Hacked 777 permission folders and files

AlanR

 

Thank you for the script. I utilised the script and php is running as nobody. How did you get (or do you get) php to run as user and not nobody?

Appreciate your help

I kind of figured that, nobody or root.

 

That's why you need the 777 (world) because nobody is not you (user) or in group. Your techies can answer that question better than I can.


Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

I kind of figured that, nobody or root.

 

That's why you need the 777 (world) because nobody is not you (user) or in group. Your techies can answer that question better than I can.

 

Thanks AlanR, still waiting for an answer from techies.

 

Trap


I just received a response from my webhost. They say - Not much we can do in regards to this due to we don't run PHP in suexec mode.

 

So I cannot change the permissions to 755 in order for better security as I then can't work in my store as it will not allow me to upload image files.

 

My web host said

What I recommend is to just keep oscommerce updated, and for the uploads to work, to keep it at 777

 

Not much help at all - as I don't feel it is a matter of keeping oscommerce updated at all - it is a server security problem. So it looks like with the configuration of php that is on my server, I either have to be vulnerable to attack to accommodate being able to work in the admin side of my store, or will have to change the permissions each time I want to work in my store, or change webhosts to one that supports suexec mode.


They got me good (bad) . . . getting thousands of hits a day. If I search my site (google) for cheat I get a ton of warz pages . . . . I am listed for every cheat/hack/crack phrase there is. I don't know how they did it but they dumped files in 100s of dir/sub dir, all with the same as described. Permissions don't seem to matter.

I had to send them away by checking for words in the referer, i.e. crack, hack etc . . . still was getting thousands so I went to http://webnet77.com/scripts/index.html and got "ip to country" and now send em away if they are not United States.

This has been a nightmare. . . used all my bandwidth in one day.

So I wrote the vermicide.

Depending on your server you may not be able to delete those files with ftp, or even find em all since they get buried.

I hacked a "delete directory" script from php.net to remove them no matter how far they are buried. Also checks the contents of .htaccess file to only delete the bad part.

 

NOTE: The list of files that I am looking for in the script.

If you have a legit file with any of those names make sure it is 644 or chmod it to 644, or keep a backup because they will get deleted.

(The @ suppresses warnings for the 644 files).

To run this as a crontab do this in cpanel (note php and a space at beginning). Run crontab every few hours - your choice.

php /home/mysite/this-script.php

Name this-script anything you would like.

Please run it in a test directory to make sure results are satisfactory. It worked a charm for me.

 

EVEN if you are not infected run this thing at least once a day to keep your website clean. -An ounce of prevention-.

 

Sit back and no worries just point your browser to this script.

<?php

// Recursively walks $dir, strips the injected lines from any .htaccess
// and deletes the known parasite files.
function delhck($dir) {
    // these are the names of all variations of the .php scripts they use
    // all will be owned by apache.
    $parasites = array(
        'includes.php', 'tests.php', 'report.php', 'links.php', 'messages.php',
        'remote.php', 'common.php', 'finfo.php', 'contacts.php', 'time.php',
        'system.php', 'commands.php', 'options.php', 'layout.php',
        'properties.php', 'create.php', 'base.php', 'download.php',
        'package.php', 'configs.php', 'date.php', 'guest.php',
    );

    $current_dir = @opendir($dir);
    if ($current_dir === false) {
        return; // directory could not be opened
    }
    // descend into sub directories first, no matter how deep
    while (($entryname = readdir($current_dir)) !== false) {
        if ($entryname != "." and $entryname != ".." and is_dir("{$dir}/{$entryname}")) {
            delhck("{$dir}/{$entryname}");
        }
    }
    closedir($current_dir);

    $htaccess = "{$dir}/.htaccess";
    if (file_exists($htaccess)) {
        $contentss = (string) @file_get_contents($htaccess);
        // determine if we need to change the contents by looking for "MultiViews" in .htaccess
        // (stripos replaces eregi, which no longer exists in PHP 7+)
        if (stripos($contentss, "MultiViews") !== false) {
            // we only delete the offending lines in .htaccess
            $contentss = (string) preg_replace("/Options(.*)\r\n(.*)php/", "", $contentss);
            unlink($htaccess); // delete .htaccess . . . we will put it back if there is legit code in .htaccess
            //echo "this is access $contentss<br>"; // test / debug line
            if (trim($contentss) == "") {
                // there is nothing to put back . . . leave .htaccess deleted
            } else {
                // there is something to put back into .htaccess so we will recreate it
                $fb = fopen($htaccess, "ab");
                fputs($fb, $contentss);
                fclose($fb);
            } // now everything is back to normal
        } // else .htaccess was clean
    }

    // now for all of those parasites
    foreach ($parasites as $name) {
        if (file_exists("{$dir}/{$name}")) {
            @unlink("{$dir}/{$name}");
        }
    }
}

function SET_Vermicide() {
    $dir = "./"; // this keeps it running in the current dir
    //$dir = 'www'; // or http_docs if run from above www - optional
    $dir = str_replace("\\", "", $dir); // strips backslashes from the path
    delhck($dir);
}

SET_Vermicide(); // just point your browser to this page and everything is set to autopilot

// Shameless plug.
echo 'Vermicide Script Written By <a href="http://www.wlmark.com">WL Mark.com</a> Visit me and let me know your results.';

?>

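A report-only audit of the conditions this thread describes, as an added example that is not part of any post above: it lists world-writable directories, PHP files sitting inside them, .htaccess files that mention MultiViews, and (optionally) PHP files owned by the account PHP runs as, without deleting anything. The function name `audit_docroot`, the output labels and the path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report-only audit of a web root.
# The labels WW_DIR, PHP_IN_WW_DIR, HTACCESS_MULTIVIEWS and PHP_OWNED_BY
# are made up for this sketch. Nothing is deleted or modified.

audit_docroot() {
    root=${1:-.}      # web root to scan
    web_user=${2:-}   # optional: account PHP runs as (e.g. nobody, apache)

    # 1. Directories writable by "other" (the last 7 in 777). Any local
    #    account, including the one PHP runs as, can create files here.
    find "$root" -type d -perm -0002 -exec printf 'WW_DIR %s\n' {} \;

    # 2. PHP files sitting directly inside such a directory.
    find "$root" -type d -perm -0002 -exec sh -c '
        for d; do
            for f in "$d"/*.php "$d"/.*.php; do
                if [ -f "$f" ]; then printf "PHP_IN_WW_DIR %s\n" "$f"; fi
            done
        done' sh {} +

    # 3. .htaccess files that mention MultiViews, the marker the posted
    #    script keys on. Review by hand; legitimate configs use it too.
    find "$root" -type f -name .htaccess -exec grep -li 'MultiViews' {} \; |
        sed 's/^/HTACCESS_MULTIVIEWS /'

    # 4. PHP files owned by the web server account rather than by you
    #    (the post notes the dropped files are owned by apache).
    if [ -n "$web_user" ]; then
        find "$root" -type f -name '*.php' -user "$web_user" \
            -exec printf 'PHP_OWNED_BY %s %s\n' "$web_user" {} \;
    fi
}

# Example (placeholder path): audit_docroot /home/mysite/public_html nobody
```

Saving the output from each run and comparing it with the previous one shows newly dropped files regardless of what they are named.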