Re: Re: hacked!!

[Jim Giner <jim.giner@xxxxxxxxxxxxxxxxxx>]

On 10/4/2014 7:52 AM, Richard wrote:
> ------------ Original Message ------------
> > Date: Saturday, October 04, 2014 13:04:53 +1000
> > From: Peter West <pbw@xxxxxxxxx>
> > To: php-general <php-general@xxxxxxxxxxxxx>
> > Subject: Re:  Re: hacked!!
> > >
> > On 4 Oct 2014, at 12:51 pm, Jim Giner
> > <jim.giner@xxxxxxxxxxxxxxxxxx> wrote:
> >
> > > On 10/3/2014 8:04 PM, Richard wrote:
> > > > ------------ Original Message ------------
> > > > > Date: Friday, October 03, 2014 19:51:59 -0400
> > > > > From: Jim Giner <jim.giner@xxxxxxxxxxxxxxxxxx>
> > > > > To: php-general@xxxxxxxxxxxxx
> > > > > Subject: Re:  Re: hacked!!
> > > > >
> > > > > On 10/3/2014 5:11 PM, ellis@xxxxxxxxxxx wrote:
> > > > > > > And how do I know what the web server can do?
> > > > > >
> > > > > > The web server *executes* PHP scripts. Most likely one or
> > > > > > more of those scripts has a bug that was used to write
> > > > > > files into your document tree. Your document tree should
> > > > > > not be writable but most likely is.
> > > > > >
> > > > > > --
> > > > > > http://www.spinics.net/lists/
> > > > > None of my scripts do any file uploading (to the server).  None.
> > > > >
> > > > > I still don't know how I can tell what permissions the web
> > > > > server has.
> > > >
> > > >
> > > > There is no requirement that your scripts (be programmed to)
> > > > upload files. All it takes is for you to have a poorly written
> > > > php script, e.g., perhaps something where you don't
> > > > properly/fully sanitize values you pick up from the
> > > > QUERY_STRING, for a hacker to be able to modify a file (assuming
> > > > that the file permissions are set inappropriately).
> > > >
> > > > What are the ownerships and permissions on the directories and
> > > > files under your web root?
> > > >
> > > >      - Richard
> > >
> > > You mean like '644'?
>
> > Yes.  644 => (Binary) 110_100_100 =>
> > RW-(User)_R--(Group)_R--(Other)
> >
> > Only the User (owner of the files)  can write the file,
> > but members of the owner group and all others can read it.
> >
> > Search for "man chmod" and you will get a detailed explanation of
> > permissions.
> >
> > Check directory permissions as well.  A file can only be deleted
> > from or added to a directory if the the perpetrator has write
> > permission (as user or group or other) on the parent directory.
> >
> > Peter West
>
>
> Who (what user) owns the directories and files? What user is the web
> server (the instance that serves your files) running as?
>
> I assume that "you" own the files (and hopefully the directories
> (from the top all the way down)). But in some shared environments,
> web server (apache generally) instances are set up for each user --
> owned by the user's account. This is done for user separation and
> security. The problem is that if the user only has one account then
> the files are always owned by the same user that is running the web
> server and no amount of file-level control tweaking will make things
> secure.
>
>       - Richard
My files all seem to have a 644 for permissions.  My public_html (root) 
folder show attribute of

(using Filezilla)

owner - r/w/e
group - r/w/e
public - r/w/e

with a numeric value field showing 'xxx'

My sub-folders of that seem to be different and I don't know why that is:

owner - r/w/e
group - r/e
public - r/e

with a numeric value of 755.

The public_html settings are apparently(?) disabled since the screen 
shows them in a shaded color.

So - are all of these correct?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php