On 10/4/2014 7:52 AM, Richard wrote:
------------ Original Message ------------
Date: Saturday, October 04, 2014 13:04:53 +1000
From: Peter West <pbw@xxxxxxxxx>
To: php-general <php-general@xxxxxxxxxxxxx>
Subject: Re: Re: hacked!!
On 4 Oct 2014, at 12:51 pm, Jim Giner
<jim.giner@xxxxxxxxxxxxxxxxxx> wrote:
On 10/3/2014 8:04 PM, Richard wrote:
------------ Original Message ------------
Date: Friday, October 03, 2014 19:51:59 -0400
From: Jim Giner <jim.giner@xxxxxxxxxxxxxxxxxx>
To: php-general@xxxxxxxxxxxxx
Subject: Re: Re: hacked!!
On 10/3/2014 5:11 PM, ellis@xxxxxxxxxxx wrote:
And how do I know what the web server can do?
The web server *executes* PHP scripts. Most likely one or
more of those scripts has a bug that was used to write
files into your document tree. Your document tree should
not be writable but most likely is.
--
http://www.spinics.net/lists/
None of my scripts do any file uploading (to the server). None.
I still don't know how I can tell what permissions the web
server has.
There is no requirement that your scripts (be programmed to)
upload files. All it takes is for you to have a poorly written
php script, e.g., perhaps something where you don't
properly/fully sanitize values you pick up from the
QUERY_STRING, for a hacker to be able to modify a file (assuming
that the file permissions are set inappropriately).
What are the ownerships and permissions on the directories and
files under your web root?
- Richard
You mean like '644'?
Yes. 644 => (Binary) 110_100_100 =>
RW-(User)_R--(Group)_R--(Other)
Only the User (owner of the files) can write the file,
but members of the owner group and all others can read it.
Search for "man chmod" and you will get a detailed explanation of
permissions.
Check directory permissions as well. A file can only be deleted
from or added to a directory if the perpetrator has write
permission (as user or group or other) on the parent directory.
Peter West
Who (what user) owns the directories and files? What user is the web
server (the instance that serves your files) running as?
I assume that "you" own the files (and hopefully the directories
(from the top all the way down)). But in some shared environments,
web server (apache generally) instances are set up for each user --
owned by the user's account. This is done for user separation and
security. The problem is that if the user only has one account then
the files are always owned by the same user that is running the web
server and no amount of file-level control tweaking will make things
secure.
- Richard
My files all seem to have a 644 for permissions. My public_html (root)
folder shows attributes of
(using Filezilla)
owner - r/w/e
group - r/w/e
public - r/w/e
with a numeric value field showing 'xxx'
My sub-folders of that seem to be different and I don't know why that is:
owner - r/w/e
group - r/e
public - r/e
with a numeric value of 755.
The public_html settings are apparently(?) disabled since the screen
shows them in a shaded color.
So - are all of these correct?
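An added example (not written by any of the posters) that checks a web root for the two conditions raised in this thread: entries that group or other can write to, and entries owned by the account the web server runs as, which no chmod can protect. The web server account name is an assumption (set WEBUSER to what your host reports), and the sample tree is constructed to mirror the 777 / 755 / 644 layout described in the last post.

```shell
#!/bin/sh
# Count entries under $1 that group or other can write to (e.g. 775, 777, 666).
count_group_or_other_writable() {
    find "$1" \( -perm -002 -o -perm -020 \) -print | wc -l | tr -d ' '
}

# Count entries under $1 owned by account $2 (the account the web server runs as).
# Prints 0 with a warning if the account does not exist on this machine.
count_owned_by() {
    if ! id "$2" >/dev/null 2>&1; then
        echo "warning: no such user '$2', skipping ownership check" >&2
        echo 0; return
    fi
    find "$1" -user "$2" -print | wc -l | tr -d ' '
}

# List the offenders for both checks; return 1 if anything was found.
audit_webroot() {
    root="$1"; webuser="$2"
    echo "== group/other-writable entries under $root (should be none) =="
    find "$root" \( -perm -002 -o -perm -020 \) -exec ls -ld {} +
    echo "== entries owned by web server account '$webuser' (chmod cannot protect these) =="
    id "$webuser" >/dev/null 2>&1 && find "$root" -user "$webuser" -exec ls -ld {} +
    w=$(count_group_or_other_writable "$root")
    o=$(count_owned_by "$root" "$webuser")
    [ "$w" -eq 0 ] && [ "$o" -eq 0 ]
}

# Constructed sample tree: public_html at 777, a subfolder at 755,
# a script at 644, plus one 666 file that the audit should catch.
build_sample_tree() {
    d=$(mktemp -d); mkdir -p "$d/public_html/sub"
    echo '<?php echo 1;' > "$d/public_html/index.php"
    echo 'x' > "$d/public_html/sub/notes.txt"
    chmod 777 "$d/public_html"; chmod 755 "$d/public_html/sub"
    chmod 644 "$d/public_html/index.php"; chmod 666 "$d/public_html/sub/notes.txt"
    echo "$d/public_html"
}

# Usage: WEBUSER is assumed to be www-data (Debian-style hosts); adjust as needed.
ROOT=$(build_sample_tree)
audit_webroot "$ROOT" "${WEBUSER:-www-data}" || echo "problems found under $ROOT"
rm -rf "$(dirname "$ROOT")"
```

On a real host, point it at your actual web root instead of the constructed tree, and compare the owner it reports against the user shown for the httpd/apache process.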
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php