Hackers

Discussion in 'H-Sphere Reseller Hosting' started by Bunchadogs, Jun 17, 2010.

  1. Bunchadogs

    Bunchadogs Perch

    Cleaning up some user sites that were hacked...joy...

    Every folder has three files, one htaccess and two .php files (the php files have a random numbers as file names, like 48672.php).

    The problem is, all of these files have httpd:httpd for the user/group, and some times I'm not able to delete them!

    Any suggestions?

    Also, is there any way to get the details on bandwidth used? For instance, the logs only show hits to files like index.php and main.php...but the bandwidth shows 2+GB used!

    12kb file X 3,000 hits does NOT equal 2 GB bandwidth!!
    I want to make sure there's not more garbage or illegal files stored somewhere on the site.
  2. Stephen

    Stephen US Operations Staff Member

    the likely means it is happening though a web based uploader/exploit in a page somewhere there.

    Send a ticket and staff can either reset permissions for you, or delete the files if you put in ticket.
  3. Bunchadogs

    Bunchadogs Perch

    Thanks!

    The culprit was a form that needed some files and folders with 777 permissions...

    I did find a pretty handy PHP script that (I'm totally guessing here, I'm not an expert) must run as the httpd user, and resets all permissions on files and folders. Then I've been able to go back in via FTP and delete everything.

    I assume when you say the staff could reset permissions, they could actually just reset the ownership of the file/folder?

    Is this a simple process - could they just take a user or site and reset ALL files and folders to the ftp or account user, and then I could login and setup permissions as needed?
  4. Stephen

    Stephen US Operations Staff Member

    Yes they would set 'sticky' permissions that go through the entire site with proper permissions, and then you can set via FTP 777 only on the needed folders(and make sure the uploader only has limited upload allow on certain files if at all possible)
  5. mohit

    mohit Guppy

    just scan your website with acunetix vulnerbility scanner
    and check if its having any put method enabled on the root folder of your website
  6. liming

    liming Perch

  7. Stephen

    Stephen US Operations Staff Member

    It all depends on setup and config, and it is an adverse risk. It is not a BAD thing, certain places have to be 777, but some people just make an entire domain 777, and that is not good.

    It is the same anywhere if you extend too many permissions, it bring about possibly bad consequences. If you set everyone to read/write/modify on windows, linux, mac etc you are just asking for trouble, as most places do not need such permissions.

    Over granting of permissions is a problem not just on web apps but in corporate networks as well. I won't explain this further but some of the content seen on corporate networks that is thought to be secured is scary, esp with the small size of wifi APs these days and how easy it is to drop them into a network at an office and never be seen.
  8. liming

    liming Perch

    Thanks Stephen :)

    One quick question if you don't mind. Suppose the directory that needs 777 is strictly for uploading/viewing images.

    In that case would disabling php for that directory to make it safer? Or would that just give me a false sense of security?
  9. Stephen

    Stephen US Operations Staff Member

    It will make it safer to my understanding, Tanmaya can more properly reply it I will ask for his input tomorrow (either via me or him directly)

    It is always good (again regardless of platform/language) to restrict upload file types to only the kind you wish and not allow double extensions or normal script processing file extensions.
  10. mohit

    mohit Guppy

    well restrict the normal user to upload any php file on the website check the extention of the file and also restict the upload to a specific folder, and name the folder with some unknown names dont ever name the folder where u are uploading files as "uploads"

    and try to block these folders in robots.txt file so that the files or folder is not listed in any search engine
  11. mohit

    mohit Guppy

    Hackers take advantage of different security flaws in a web hosting infrastructure and exploit the vulnerability to compromise the system. Common security flaws that can lead to acompromise can be categorized as



    ----------Insufficient network boundary security controls
    ----------Flaws or bugs in web hosting software (OS, application etc)
    ----------Insecure design and coding of hosted application
    ----------Weak permissions
    ----------Weak password
    ----------Social engineering

    An attacker can adopt various hacking techniques or tools to exploit or take advantage of the above mentioned security flaws.
  12. liming

    liming Perch

    Thanks Stephen and mohit :)

Share This Page

JodoHost - 26,000 hosting end-users in 100 countries
Plesk Web Hosting
VPS Hosting
H-Sphere Web Hosting
Other Services