------------ Original Message ------------
> Date: Saturday, October 04, 2014 13:04:53 +1000
> From: Peter West <pbw@xxxxxxxxx>
> To: php-general <php-general@xxxxxxxxxxxxx>
> Subject: Re: Re: hacked!!
>
> On 4 Oct 2014, at 12:51 pm, Jim Giner <jim.giner@xxxxxxxxxxxxxxxxxx> wrote:
>
>> On 10/3/2014 8:04 PM, Richard wrote:
>>>
>>> ------------ Original Message ------------
>>>> Date: Friday, October 03, 2014 19:51:59 -0400
>>>> From: Jim Giner <jim.giner@xxxxxxxxxxxxxxxxxx>
>>>> To: php-general@xxxxxxxxxxxxx
>>>> Subject: Re: Re: hacked!!
>>>>
>>>> On 10/3/2014 5:11 PM, ellis@xxxxxxxxxxx wrote:
>>>>>> And how do I know what the web server can do?
>>>>>
>>>>> The web server *executes* PHP scripts. Most likely one or
>>>>> more of those scripts has a bug that was used to write
>>>>> files into your document tree. Your document tree should
>>>>> not be writable but most likely is.
>>>>>
>>>>> --
>>>>> http://www.spinics.net/lists/
>>>>>
>>>> None of my scripts do any file uploading (to the server). None.
>>>>
>>>> I still don't know how I can tell what permissions the web
>>>> server has.
>>>
>>> There is no requirement that your scripts (be programmed to)
>>> upload files. All it takes is for you to have a poorly written
>>> php script, e.g., perhaps something where you don't
>>> properly/fully sanitize values you pick up from the
>>> QUERY_STRING, for a hacker to be able to modify a file (assuming
>>> that the file permissions are set inappropriately).
>>>
>>> What are the ownerships and permissions on the directories and
>>> files under your web root?
>>>
>>> - Richard
>>
>> You mean like '644'?
>
> Yes. 644 => (Binary) 110_100_100 => RW-(User)_R--(Group)_R--(Other)
>
> Only the User (owner of the files) can write the file,
> but members of the owner group and all others can read it.
>
> Search for "man chmod" and you will get a detailed explanation of
> permissions.
>
> Check directory permissions as well.
> A file can only be deleted
> from or added to a directory if the perpetrator has write
> permission (as user or group or other) on the parent directory.
>
> Peter West

Who (what user) owns the directories and files? What user is the web server (the instance that serves your files) running as?

I assume that "you" own the files (and hopefully the directories (from the top all the way down)). But in some shared environments, web server (apache generally) instances are set up for each user -- owned by the user's account. This is done for user separation and security. The problem is that if the user only has one account then the files are always owned by the same user that is running the web server and no amount of file-level control tweaking will make things secure.

- Richard

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
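The checks the thread asks for (decode a mode like 644, find out which account the web server runs as, and list everything under the document root that account could write to) as an added shell example. This is not code from the thread or from any of its participants. The document root it audits is a constructed temporary tree built inside the script; the list of web server process names in webserver_users is an assumption about common setups and will be empty on a host where none of them is running. The last function models Richard's shared-hosting point: audit the same tree as the file owner and as an unrelated account and compare what each could write.

```shell
#!/bin/sh
# Added example (not from the php-general thread). Audits file ownership and
# permissions under a web root the way the thread describes.

# Decode a three-digit octal mode into rwx notation, e.g. 644 -> rw-r--r--.
mode_to_symbolic() {
    _mode=$1
    _out=""
    for _d in $(printf '%s' "$_mode" | sed 's/./& /g'); do
        case $_d in
            0) _out="${_out}---" ;;  1) _out="${_out}--x" ;;
            2) _out="${_out}-w-" ;;  3) _out="${_out}-wx" ;;
            4) _out="${_out}r--" ;;  5) _out="${_out}r-x" ;;
            6) _out="${_out}rw-" ;;  7) _out="${_out}rwx" ;;
            *) return 1 ;;
        esac
    done
    printf '%s\n' "$_out"
}

# Print the account(s) running web server / PHP worker processes on this
# host. The process names are an assumption about common setups; output is
# empty when none of them is running.
webserver_users() {
    ps -eo user=,comm= 2>/dev/null \
        | awk '$2 ~ /^(httpd|apache2|nginx|php-fpm|lighttpd)$/ { print $1 }' \
        | sort -u
}

# List every file and directory under $1 that account $2 could write to:
# world-writable entries, entries owned by $2 with the owner-write bit, and
# entries writable by $2's primary group. A writable *directory* is enough
# to add or delete files in it even when the files themselves are 644.
# $2 may be a user name or a numeric uid.
writable_by() {
    _root=$1
    _user=$2
    _group=$(id -gn "$_user" 2>/dev/null || echo "$_user")
    find "$_root" \( -perm -002 \
        -o \( -user "$_user" -perm -200 \) \
        -o \( -group "$_group" -perm -020 \) \) -print | sort
}

# Build a constructed sample document root (755 directories, 644 scripts,
# plus the classic 777 "uploads" directory), audit it as account $1, and
# print how many entries that account could write to.
demo_count() {
    _user=$1
    _tmp=$(mktemp -d)
    mkdir -p "$_tmp/htdocs/uploads" "$_tmp/htdocs/inc"
    printf '<?php echo 1;\n' > "$_tmp/htdocs/index.php"
    printf '<?php\n'         > "$_tmp/htdocs/inc/config.php"
    chmod 755 "$_tmp/htdocs" "$_tmp/htdocs/inc"
    chmod 644 "$_tmp/htdocs/index.php" "$_tmp/htdocs/inc/config.php"
    chmod 777 "$_tmp/htdocs/uploads"
    writable_by "$_tmp/htdocs" "$_user" | wc -l | tr -d ' '
    rm -rf "$_tmp"
}

# Stand-alone run: the owner (same account as the one that created the
# tree) can write all five entries; an unrelated uid only the 777 directory.
if [ "${0##*/}" != "sh" ] && [ -z "${WEBROOT_AUDIT_NO_MAIN:-}" ]; then
    echo "644 = $(mode_to_symbolic 644)"
    echo "web server runs as: $(webserver_users | tr '\n' ' ')"
    echo "writable as owner ($(id -un)): $(demo_count "$(id -un)") entries"
    echo "writable as uid 65534:         $(demo_count 65534) entries"
fi
```

When the account running the web server is the same one that owns the tree, writable_by reports every 755 directory and 644 file, which is the situation Richard describes: the mode bits cannot protect files from their own owner. Run it against a real document root as `writable_by /var/www/html "$(webserver_users)"` on a host where the web server is running under a separate account; the goal is an empty list.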