777 folders hacked - please help
Moderator: General Moderators
777 folders hacked - please help
A few sites I'm involved with have a folder with 777 permissions to allow uploading of files from the front end or content management.
I realise that 777 permissions are far from ideal, but these were the only permissions that allowed uploading on the shared hosts I have used. Since Wordpress and many other major CMS apps also require these permissions to function, I hoped that the security hole caused by the 777 permissions might be a necessary evil. I took some precautions like ensuring the upload script in my own code was very tightly validated, and by putting a htaccess file in the folder preventing execution of all common file types.
However, the 777 folders on a few of these sites have now been hacked. A site using Wordpress, a site using ModX CMS, and a site using a custom upload script I wrote are affected. The hacking seems to have been automated by someone with access to the shared server as a whole. I can't see any attempts to exploit my scripts in the logs, but a PHP file with a name made up of random digits, and a htaccess file which redirects 404 errors to this script magically appeared in the 777 folders only. From googling around, it seems a common script left in 777 folders.
However, I am not seeing any fixes to workaround this. I have removed all 777 access for the moment, but that means I can't update the sites of course. Other approaches I have found are to use the chmod command to grant 777 permissions temporarily, but this won't work for me (because the folders are not owned by httpd I think), or to use ftp_connect and do the chmod each time I need it that way.
FTP code will work for me, but this means that I need to have my FTP details stored on the server and I think that might be a security hole too. I thought of creating new FTP users that only have access to the uploading folders, but I guess if someone can FTP there, they can upload a script to that folder that can let them find out or hack other stuff.
The only other option I see is storing the uploads in the database, but while I could implement that for my custom script, I don't think it's a runner for other apps like Wordpress.
I really need help here. I know what the issue is, but I just don't know how to fix it without raising more security headaches. My host just says file uploads should be avoided, but in the case of one affected site, it's the main point of the site, and for those using a CMS, it's not much good if they can't upload their photos and documents.
I am really hoping that somebody here can tell me the best practice for securing file uploading directories on standard shared hosting.
Thanks in advance.
I realise that 777 permissions are far from ideal, but these were the only permissions that allowed uploading on the shared hosts I have used. Since Wordpress and many other major CMS apps also require these permissions to function, I hoped that the security hole caused by the 777 permissions might be a necessary evil. I took some precautions like ensuring the upload script in my own code was very tightly validated, and by putting a htaccess file in the folder preventing execution of all common file types.
However, the 777 folders on a few of these sites have now been hacked. A site using Wordpress, a site using ModX CMS, and a site using a custom upload script I wrote are affected. The hacking seems to have been automated by someone with access to the shared server as a whole. I can't see any attempts to exploit my scripts in the logs, but a PHP file with a name made up of random digits, and a htaccess file which redirects 404 errors to this script magically appeared in the 777 folders only. From googling around, it seems a common script left in 777 folders.
However, I am not seeing any fixes to workaround this. I have removed all 777 access for the moment, but that means I can't update the sites of course. Other approaches I have found are to use the chmod command to grant 777 permissions temporarily, but this won't work for me (because the folders are not owned by httpd I think), or to use ftp_connect and do the chmod each time I need it that way.
FTP code will work for me, but this means that I need to have my FTP details stored on the server and I think that might be a security hole too. I thought of creating new FTP users that only have access to the uploading folders, but I guess if someone can FTP there, they can upload a script to that folder that can let them find out or hack other stuff.
The only other option I see is storing the uploads in the database, but while I could implement that for my custom script, I don't think it's a runner for other apps like Wordpress.
I really need help here. I know what the issue is, but I just don't know how to fix it without raising more security headaches. My host just says file uploads should be avoided, but in the case of one affected site, it's the main point of the site, and for those using a CMS, it's not much good if they can't upload their photos and documents.
I am really hoping that somebody here can tell me the best practice for securing file uploading directories on standard shared hosting.
Thanks in advance.
Re: 777 folders hacked - please help
How to solve the "777 issue" 
We have:
We want it to be:
1. by using your FTP account chmod 0777 the parent directory (i.e. mysite);
2. write a simple php file that will create the target directory (i.e. mysite/uploads) - optionally, you may also set other than 0755 permitions by using chmod (e.g. 0700);
3. execute the PHP script by using your browser;
4. by using your FTP account chmod 0755 the parent directory (i.e. mysite);
5. delete the PHP script file;
Voila
If it doesn't help you, inform your hosting provider.
We have:
Code: Select all
mysite ftpuser:ftpgroup 0755
mysite/uploads ftpuser:ftpgroup 0777Code: Select all
mysite ftpuser:ftpgroup 0755
mysite/uploads httpduser:httpdgroup 07552. write a simple php file that will create the target directory (i.e. mysite/uploads) - optionally, you may also set other than 0755 permitions by using chmod (e.g. 0700);
3. execute the PHP script by using your browser;
4. by using your FTP account chmod 0755 the parent directory (i.e. mysite);
5. delete the PHP script file;
Voila
If it doesn't help you, inform your hosting provider.
There are 10 types of people in this world, those who understand binary and those who don't
Re: 777 folders hacked - please help
Thank you so very much for replying Vlad. I'll give that a go and let you know how I get on.
Re: 777 folders hacked - please help
I got this working which is a big relief. On some sites I had the 777 folder outside the web root though, and I am wondering if there is a technique that will work for creating those folders with the correct owner and 755 permissions, or whether I will need to bring these folders under the web root instead? I'm not sure whether a 777 outside the web root (can't execute the scripts etc) or a 755 httpd owned folder under webroot is better in this case?
The hacker was able to put php and htaccess files in all the 777 folders. If there is a repeat hack and someone gets onto the shared server via another site etc, will they be the httpd user and therefore still be able to write to the 755 httpd folders?
Many thanks,
Daisy
The hacker was able to put php and htaccess files in all the 777 folders. If there is a repeat hack and someone gets onto the shared server via another site etc, will they be the httpd user and therefore still be able to write to the 755 httpd folders?
Many thanks,
Daisy
Re: 777 folders hacked - please help
daisy wrote:I got this working which is a big relief. On some sites I had the 777 folder outside the web root though, and I am wondering if there is a technique that will work for creating those folders with the correct owner and 755 permissions, or whether I will need to bring these folders under the web root instead? I'm not sure whether a 777 outside the web root (can't execute the scripts etc) or a 755 httpd owned folder under webroot is better in this case?
Try it ... it may be affected by some security restrictions - such as open_basedir directive.
Moving uploaded files outside the webroot directory is in general more secure - no PHP processing, no direct access, etc.
That's why I put the last senstence in my previous postdaisy wrote:The hacker was able to put php and htaccess files in all the 777 folders. If there is a repeat hack and someone gets onto the shared server via another site etc, will they be the httpd user and therefore still be able to write to the 755 httpd folders?
There are 10 types of people in this world, those who understand binary and those who don't
Re: 777 folders hacked - please help
so in other words vlad, while making this 755 change is better than having folders at 777, i'll still be open to the same sort of hack?
If i am looking for more secure shared hosting, what question do i need to ask to ensure that the situation won't be the same? should i only consider hosts with suexec (I don't know much about this, but I often see if mentioned when researching uploads)? Or should I get a guarantee that there is a different web/httpd user for each site (if that's even possible)? I just want to make sure that I don't move host for nothing...
Many thanks for all your help on this - it is much appreciated.
If i am looking for more secure shared hosting, what question do i need to ask to ensure that the situation won't be the same? should i only consider hosts with suexec (I don't know much about this, but I often see if mentioned when researching uploads)? Or should I get a guarantee that there is a different web/httpd user for each site (if that's even possible)? I just want to make sure that I don't move host for nothing...
Many thanks for all your help on this - it is much appreciated.
Re: 777 folders hacked - please help
Hm, i was under the impression 755 would only allow read and execute to the directory, so if he tries uploading a file to that directory he won't be able to due to no write permissions?
Re: 777 folders hacked - please help
Hi infolock,
I spoke with another web host who are used to this attack happening to their shared servers. They then clear out the unwanted files out of people's accounts automatically to undo the damage, and work out how the hacker got in and address that site.
They confirmed that when hackers gain access through a vulnerable site in this way that they do so as the web user, rather than as the owner of an individual account. Therefore the 755 folders owned by the web user are as good to them as 755, although I don't know whether their hack scripts only look for 777 folders. The 755 folders have the added disadvantage of not being able to be managed via FTP. In general though, I'd have thought that anything is better than 777...
The host did suggest taking the FTP approach instead, as since Joomla has started taking this approach, these types of attacks have lessened significantly in their experience. A new FTP user who only has access to the uploads folder should be set up for this. So, I guess I may try that, although for some reason it still makes me feel a little uneasy!?
I spoke with another web host who are used to this attack happening to their shared servers. They then clear out the unwanted files out of people's accounts automatically to undo the damage, and work out how the hacker got in and address that site.
They confirmed that when hackers gain access through a vulnerable site in this way that they do so as the web user, rather than as the owner of an individual account. Therefore the 755 folders owned by the web user are as good to them as 755, although I don't know whether their hack scripts only look for 777 folders. The 755 folders have the added disadvantage of not being able to be managed via FTP. In general though, I'd have thought that anything is better than 777...
The host did suggest taking the FTP approach instead, as since Joomla has started taking this approach, these types of attacks have lessened significantly in their experience. A new FTP user who only has access to the uploads folder should be set up for this. So, I guess I may try that, although for some reason it still makes me feel a little uneasy!?
Re: 777 folders hacked - please help
It's up to the hosting provider to secure its service (suexec, mod_peruser, chroot, etc.) so you have the right to insist it.
There are 10 types of people in this world, those who understand binary and those who don't