777 folders hacked - please help
Posted: Mon Nov 03, 2008 5:04 pm
A few sites I'm involved with have a folder with 777 permissions to allow uploading of files from the front end or content management.
I realise that 777 permissions are far from ideal, but these were the only permissions that allowed uploading on the shared hosts I have used. Since WordPress and many other major CMS apps also require these permissions to function, I hoped that the security hole caused by the 777 permissions might be a necessary evil. I took some precautions like ensuring the upload script in my own code was very tightly validated, and by putting a htaccess file in the folder preventing execution of all common file types.
However, the 777 folders on a few of these sites have now been hacked. A site using WordPress, a site using ModX CMS, and a site using a custom upload script I wrote are affected. The hacking seems to have been automated by someone with access to the shared server as a whole. I can't see any attempts to exploit my scripts in the logs, but a PHP file with a name made up of random digits, and a htaccess file which redirects 404 errors to this script magically appeared in the 777 folders only. From googling around, it seems a common script left in 777 folders.
However, I am not seeing any fixes to work around this. I have removed all 777 access for the moment, but that means I can't update the sites of course. Other approaches I have found are to use the chmod command to grant 777 permissions temporarily, but this won't work for me (because the folders are not owned by httpd I think), or to use ftp_connect and do the chmod each time I need it that way.
FTP code will work for me, but this means that I need to have my FTP details stored on the server and I think that might be a security hole too. I thought of creating new FTP users that only have access to the uploading folders, but I guess if someone can FTP there, they can upload a script to that folder that can let them find out or hack other stuff.
The only other option I see is storing the uploads in the database, but while I could implement that for my custom script, I don't think it's a runner for other apps like WordPress.
I really need help here. I know what the issue is, but I just don't know how to fix it without raising more security headaches. My host just says file uploads should be avoided, but in the case of one affected site, it's the main point of the site, and for those using a CMS, it's not much good if they can't upload their photos and documents.
I am really hoping that somebody here can tell me the best practice for securing file uploading directories on standard shared hosting.
Thanks in advance.
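Added example (not part of the original post): a Python scan for the two artifacts described above, a PHP file whose name is all digits and an .htaccess whose ErrorDocument 404 points at a script, inside world-writable directories. The function names and the `^\d+\.php$` filename pattern are assumptions based on the post's description.

```python
import os
import re
import stat

# "ErrorDocument 404 <target>" with the target captured for comparison
ERRORDOC_404 = re.compile(r"^\s*ErrorDocument\s+404\s+(\S+)", re.I | re.M)
# Assumed pattern for "a name made up of random digits"
DIGIT_PHP = re.compile(r"^\d+\.php$", re.I)


def is_world_writable(path):
    """True if 'other' has write permission (mode 777, 757, 733, ...)."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def scan_upload_dirs(root):
    """Report every world-writable directory under root, with any digit-named
    PHP files and any 404 handler set by an .htaccess inside it."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if not is_world_writable(dirpath):
            continue
        digit_php = sorted(f for f in filenames if DIGIT_PHP.match(f))
        handler = None
        if ".htaccess" in filenames:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, errors="replace") as fh:
                match = ERRORDOC_404.search(fh.read())
            if match:
                handler = match.group(1)
        # Strongest signal: the 404 handler is one of the digit-named scripts
        linked = handler is not None and os.path.basename(handler) in digit_php
        findings.append({
            "dir": dirpath,
            "mode": oct(stat.S_IMODE(os.stat(dirpath).st_mode)),
            "digit_php": digit_php,
            "errordoc_404": handler,
            "handler_is_dropped_script": linked,
        })
    return findings


if __name__ == "__main__":
    import sys
    for finding in scan_upload_dirs(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

Run it against each site's document root; a directory where `handler_is_dropped_script` is true matches the pattern in the post, and every directory listed is still writable by other accounts on the server.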