2

On of my client approached me to check and fix the hacked site. Site was developed by another developer , Very inexperienced developer not even basic security taken care of.

Well the problem was somehow PHP files were written to the images folder. Hackers also wrote an index.html which displays site is hacked. When I check images folder has 777 permissions. So I came to rough conclusion that its because of folder permissions. Hosting support guy says that some PHP file has poorly written scripts which allowed any extension file to upload to server, and then hackers executed files to gain access or do whatever they want.

I have few questions:

  • Is it only through upload functionality can we upload other PHP files ? Is it not possible other way to write files from remote as folder permissions are 777?
  • Sit has some fckeditors editors and couple of upload functionalities. I checked them, there are enough validations , so when extensions other then images or PDF are tried to upload they just return false .
  • Does'nt setting folder permissions to lower level fix the issue?

I asked the support guy to change folder permissions and it would solve the issue, but he says there is some PHP file through of which other PHP files were written and he wants that to be fixed otherwise site cannot go live. He says even folder permissions are changed hacker can again change them to 777 and execute whatever he wants because that poorly written PHP file.

How should be my approach to find if there is such PHP file? Any help or pointers would be much appreciated.

AstroCB
  • 12,337
  • 20
  • 57
  • 73
KA.
  • 4,220
  • 5
  • 26
  • 37
  • 6
    If they were able to run PHP code on the server, you can't trust any of your files on there anymore. Restore from a safe uncompromised backup. – kittycat Feb 28 '13 at 14:51
  • 1
    ok! restoring from backup help original files which are not corrupted by hackers. That is a great advice. Thank you. But How can I find / locate actual poor code which was the reason in the first place? – KA. Feb 28 '13 at 15:15
  • 1
    @Kiran Take a look at the forms that allow users to upload files or use in-site editors to write code. You can restrict the filetypes with either (or both) the [javascript](http://stackoverflow.com/questions/4328947/limit-file-format-when-using-input-type-file) and/or [PHP](http://stackoverflow.com/questions/7897576/restrict-file-type-and-size-in-php-form-upload). (sorry about the edits!) – Gaʀʀʏ Feb 28 '13 at 15:24
  • It's more likely that someone uploaded a malicious PHP file - having a malicious user with a legitimate account (thus accessing your upload folder through xx7 permissions) is much less likely, imo. – halfer Feb 28 '13 at 15:51

5 Answers5

2

777 means that any user on the system (with execute access for all the parent directories, anyway) can add anything to that directory. Web users are not system users, though, and most web servers (Apache included) won't let random clients write files there right out of the box. You'd have to specifically tell the server to allow that, and i'm fairly certain that's not what happened.

If you're allowing any file uploads, though, the upload folder needs to at least be writable by the web server's user (or the site's, if you're using something like suPHP). And if the web server can write to that directory, then any PHP code can write to that directory. You can't set permissions high enough to allow uploads and low enough to keep PHP code from running, short of making the directory write-only (which makes it pretty useless for fckeditor and such).

The compromise almost certainly happened because of a vulnerability in the site itself. Chances are, either there's a file upload script that's not properly checking where it's writing to, or a script that blindly accepts a name of something to include. Since the PHP code typically runs as the web server's user, it has write access to everything the web server has write access to. (It's also possible that someone got in via FTP, in which case you'd better change your passwords. But the chances of the web server being at fault are slim at best.)

As for what to do at this point, the best option is to wipe the site and restore from backup -- as has been mentioned a couple of times, once an attacker has gotten arbitrary code to run on your server, there's not a whole lot you can trust anymore. If you can't do that, at least find any files with recent modification times and delete them. (Exploits hardly ever go through that much trouble to cover their tracks.)

Either way, then set the permissions on any non-upload, non-temp, non-session directories -- and all the existing scripts -- to disallow writes, period...particularly by the web server. If the site's code runs as the same user that owns the files, you'll want to use 555 for directories and 444 for files; otherwise, you can probably get by with 755/644. (A web server would only be able to write those if it's horribly misconfigured, and a hosting company that incompetent would be out of business very quickly.)

Frankly, though, the "support guy" has the right idea -- i certainly wouldn't let a site go live on my servers knowing that it's going to be executing arbitrary code from strangers. (Even if it can't write anything to the local filesystem, it can still be used to launch an attack on other servers.) The best option for now is to remove all ability to upload files for now. It's obvious that someone has no idea how to handle file uploads securely, and now that someone out there knows you're vulnerable, chances are you'd keep getting hacked anyway til you find the hole and plug it.

As for what to look for...unfortunately, it's semi vague, as we're talking about concepts above the single-statement level. Look for any PHP scripts that either include, require, or write to file names derived in any way from $_GET, $_POST, or $_COOKIE.

cHao
  • 84,970
  • 20
  • 145
  • 172
1

Changing folder permissions won’t solve the issue unless you’re using CGI, since PHP probably needs to be able to write to an upload folder, and your web server probably needs to be able to read from it. Check the extension of any uploaded files!

(So no, 0777 permissions don’t mean that anyone can upload anything.)

Ry-
  • 218,210
  • 55
  • 464
  • 476
1

As cryptic mentioned, once a hacker can run code on your server then you have to assume that all files are potentially dangerous. You should not try to fix this yourself - restoring from a backup (either from the client or the original developer) is the only safe way around this.

Once you have the backup files ready, delete everything on your your site and upload the backup - if it is a shared host you should contact them as well in case other files are compromised [rarely happens though].

acutesoftware
  • 1,091
  • 3
  • 14
  • 33
  • I think it is shared hosting and support guys are not very friendly. Yes I knew that if they can run PHP script they can do damage more then what they did . I am aware of that. I am not sure if there is a safe backup . I will enquire the client. what should be my approach if there are no backups. – KA. Feb 28 '13 at 15:05
1

You've identified 2 issues: the permissions and the lack of extension checking however have you any evidence that these were the means by which the system was compromised? You've not provided anything to support this assertion.

Changing the permissions to something more restrictive would have provided NO PROTECTION against users uploading malicious PHP scripts.

Checking the extensions of files might have a made it a bit more difficult to inject PHP code into the site, it WOULD NOT PREVENT IT.

Restoring from backup might remove the vandalized content but WILL NOT FIX THE VULNERABILITIES in the code.

You don't have the skills your client (whom is probably paying you for this) needs to resolve this. And acquiring those skills is a much longer journey than reading a few answers here (although admittedly it's a start).

symcbean
  • 47,736
  • 6
  • 59
  • 94
1

Is it only through upload functionality can we upload other PHP files ? Is it not possible other way to write files from remote as folder permissions are 777?

There definitely are multiple possible ways to write a file in the web server’s document root directory. Just think of HTTP’s PUT method, WebDAV, or even FTP that may be accessible anonymously.

Sit has some fckeditors editors and couple of upload functionalities. I checked them, there are enough validations , so when extensions other then images or PDF are tried to upload they just return false .

There are many things one can do wrong when validating an uploaded file. Trusting the reliability of information the client sent is one of the biggest mistakes one can do. This means, it doesn’t suffice to check whether the client says the uploaded file is an image (e.g. one of image/…). Such information can be easily forged. And even proper image files can contain PHP code that is being executed when interpreted by PHP, whether it’s in an optional section like a comment section or in the image data itself.

Does'nt setting folder permissions to lower level fix the issue?

No, probably not. The upload directory must be writable by PHP’s and readable by the web server’s process. Since both are probably the same and executing a PHP file requires only reading permissions, any uploaded .php file is probably also executable. The only solution is to make sure that the stored files don’t have any extension that denote files that are executed by the web server, i.e. make sure a PNG is actually stored as .png.

Community
  • 1
  • 1
Gumbo
  • 643,351
  • 109
  • 780
  • 844