On 19 April 2010 17:18, Al <news@xxxxxxxxxxxxx> wrote:
>
> On 4/19/2010 11:11 AM, Adam Richardson wrote:
>>
>> On Mon, Apr 19, 2010 at 10:59 AM, Al<news@xxxxxxxxxxxxx> wrote:
>>
>>> I'm working on a hosted website that was hacked and found something I don't
>>> fully understand. Thought someone here may know the answer.
>>>
>>> The site has 4 php malicious files in directories owned by "system" [php
>>> created dirs on the site are named "nobody"] and permissions 755.
>>>
>>> Is there any way the files could have been written other than by ftp access
>>> or at the host root level? Clearly a php script couldn't.
>>>
>>> Thanks, Al..........
>>>
>>> --
>>> PHP General Mailing List (http://www.php.net/)
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
>>
>> Are there any other programming options enabled on the account (Perl, JSP,
>> Ruby, etc?) Even if the files are PHP, any of those programming options can
>> be configured to create the files.
>>
>> Additionally, a vulnerability in one of the libraries leveraged to provide
>> the hosting environment could also have provided the entry (PHP makes for a
>> capable deliverable, but it doesn't have to provide the key for a hacking
>> situation.)
>>
>> Adam
>>
>
> Are Perl, JSP, Ruby, etc. able to ignore the dir ownership and write
> permissions on a Linux/Apache system?
>

I've seen an install of Trac hacked by a file-upload - it managed to
write a cron job, which then wrote to other files. It's not just a
question of whether your Apache server has the correct
rights/permissions, it's equally a question of: is any other part of
the system getting used against me.

Regards
Peter

--
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
Flickr: http://www.flickr.com/photos/fake51
BeWelcome: Fake51
Couchsurfing: Fake51
</hype>
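
A triage sketch for the question raised in this thread, added here as an example and not code from any of the posters: it separates script files the web runtime account could have created from those that needed another write path such as FTP, cron, or a different account. The function names, the sample tree, and the runtime uid are assumptions; only classic owner/group/other mode bits are evaluated (no ACLs, and root bypasses them).

```python
import os
import stat
import tempfile

def runtime_can_create(dir_stat, uid, gids=()):
    """True if the directory's mode bits let account (uid, gids) create files in it."""
    if dir_stat.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif dir_stat.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (dir_stat.st_mode & need) == need

def classify_scripts(root, uid, gids=(), suffixes=(".php",)):
    """Split script files into those the runtime account could have written
    and those that needed some other write path (FTP, cron, another account)."""
    report = {"runtime": [], "other_path": []}
    for dirpath, _dirs, files in os.walk(root):
        dir_ok = runtime_can_create(os.lstat(dirpath), uid, gids)
        for name in sorted(files):
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if st.st_uid == uid or dir_ok:
                report["runtime"].append(path)
            else:
                report["other_path"].append((path, st.st_uid))
    return report

def build_sample_tree():
    """Constructed sample: one 755 directory and one world-writable directory."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    for sub, mode in (("locked", 0o755), ("uploads", 0o777)):
        os.mkdir(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), mode)
        open(os.path.join(root, sub, "x.php"), "w").close()
    return root

if __name__ == "__main__":
    sample = build_sample_tree()
    # Hypothetical runtime uid that owns nothing in the sample tree.
    runtime_uid = os.getuid() + 1
    for path, owner in classify_scripts(sample, runtime_uid)["other_path"]:
        print(f"{path}: owner uid {owner}, not creatable by uid {runtime_uid}")
```

Files reported under `other_path` are the ones to trace through FTP logs, crontabs, and other accounts on the host, since the runtime account's permissions alone do not explain them.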