Disable Write Permissions

[OJM]

Hi,

Is there an easy way I can disable write permissions on my directories?

The reason I ask, is because a hacker is currently attacking WebWizForums by uploading a number of files (when upload is accessible on WWF) which saves and replaces the following files in every directory it can;

default.asp
default.cfm
default.htm
default.html
default.php
index.asp
index.cfm
index.htm
index.html
index.php

This in turn means that people are faced with the hackers page, when they visit sites and directories within them.

More info can be found here, if people are interested; http://www.webwizguide.info/bbs/forum_posts.asp?TID=17071&PN=1

Thanks in advance, and fingers crossed that no-one here gets attacked!

 

[Stephen]

That is very common, a number of people have been hit by it, always a turkish hacker group is doing it.

There is not really any safe way to "disable" write permissions wihtout having major adverse effects, the best thing to do is to prevent ASP pages from being uploaded by the uploader.

 

[OJM]

Ah right. So it's just ASP pages which seem to give the hacker the upper hand? Through WWF, I've only enabled image files for upload.

If I allow zip or rar files, will the hacker be able to upload the ASP files compressed, then uncompress them somehow?

 

[Stephen]

I have seen one zip file that was able to be extracted somehow, and I can not promise you they have not found a way around the file extension limits.
Most of the time they have a file called tool.asp that is a script that just places those files in every folder with the specified content.

 

[OJM]

Ah right ok. Might be best to only allow trusted members the option to upload files then.

Cheers for the info!