
I've been hacked in templates dir
executable uploaded and run


maegg
Beginner

Usergroup: Customer
Joined: Jul 22, 2004

Total Topics: 1
Total Comments: 3
maegg
Posted Aug 21, 2005 - 10:45 PM:

I'm not seeing anyone else have this problem but I've experienced it. The templates directory is 777 to work but that also leaves a door open for hackers to write a script into that directory and it basically steals your bandwidth for illegal activities....that is what my vps host said and it was my conclusion before they investigated it. It completely took out my site by stealing all available bandwidth and everyone else gets a 404.

After this happening multiple times, I decided to do a complete new install and hope that something had changed so that the templates directory wasn't so open. I've tried to run it 766 but that gets the templates don't exist message so it only works wide open. The file that the hackers uploaded was one called bador and it was an executable file.

I'm giving it another go but I'm betting that darn file shows back up soon. It usually shows up within a few days of me fixing it. I've even tried to update to the newest version of php as one webmaster friend knew that some security issues were fixed in the latest version. The gallery runs great on version 5.04 if anyone is wondering.

Has anyone else had this happen or know of a prevention??? I'm at a loss on this. I run another very large website that receives millions of hits per mo. and I had to remove all programs that ran with full open directories unless they were cgi. They just kept getting hacked. I did this a long time ago and it made a huge difference.

I'm concerned I can't keep group or others from executing from that directory. I run wsnlinks on another site and never have problems there but haven't checked recently on whether permissions are the same. Any ideas on what to do? My vps host is getting a little perturbed with this and has threatened to cancel my account if I don't keep it from happening. I've once again got it up and running today. I completely scrapped my database and went with a complete new install. The site was doing great before all the hacking started but now it has lost a lot of traffic due to the problems. My forums were also hacked on that same site but a newer install fixed that problem and I was hoping the same would work here.

Here is the newest install if anyone wants a peek. It was skinned like the forums but I dumped that wrapper and am starting over.

http://www.stockphotosphere.com/morgue
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7868
Paul
Posted Aug 22, 2005 - 12:14 PM:

There's no reason at all to chmod the templates directory to 777. Why would you? Nothing in the instructions suggests it, though on the other hand there's nothing actually wrong with chmoding it to 777.

Despite the number of times you repeated "templates" I'd have to guess you actually mean the attachments directory. If so, then I will note that every script that allows user uploaded files needs a 777 permission on the directory (except on servers that use 755 for that). On a secure server, this is not a problem. Now, it could be a potential (though non-imminent) problem if you go out of your way to allow executable file types to be uploaded -- which is why 2.1x defaults to restricting allowed file types to images and 2.2x defaults to stripping the file extensions in favor of a safe .wsn extension.

> I'm concerned I can't keep group or others from executing from that directory.

Even with a directory chmoded to 777, I must note, it would be absurd for a server to default the chmod value of an uploaded file to 777. Normally files are uploaded as 644, so it is impossible for a file to run regardless of the directory permissions. Of course it's better to not allow executables to be uploaded anyway just in case you chmod things yourself sometime... though even WSN's built in chmoder only makes the files 666, and there's no reason anyone should ever make a non-executable 777.

If it wasn't done through the script at all and every 777 directory on your host actually is vulnerable, switch to a decent host. Or if you're running something like phpBB that's always being hacked, perhaps a hacked phpBB simply provides the hacker full server access to do whatever they want from there and it has nothing really to do with the directories, and you should simply remove their entry point by getting rid of phpBB.

Also, since you tried a 766, read the chmod manual entry for an explanation of why that value will inevitably kill a directory. (Technically it makes it possible for only the owner to see the directory, but since the owner is not going to be coming in through a web browser nobody can see it.) I get the impression you've been chmoding things at random without taking the time to learn what chmod values mean.


Quick note on a special case: Badly secured shared hosting accounts can be vulnerable when set to 777, I believe, in that another site hosted on the same server could abuse the directory. This is solved by hosts with open_basedir if I recall correctly.
maegg
Beginner

Usergroup: Customer
Joined: Jul 22, 2004

Total Topics: 1
Total Comments: 3
maegg
Posted Aug 22, 2005 - 1:48 PM:

I've had all permissions set exactly as told in the readme. I had deleted the entire previous version... directories and all so they didn't hold their permissions.

I ran the new install and here is what I get with the templates directory set to 666

http://www.stockphotosphere.com/morgue/index.php

I can set it back to 777 and it will work. I also had to change the permissions for the directories inside the templates directory.... especially the /templates/admin or I could not access admin area. So I did not randomly change it.... I did what it took to make it work in my environment. I started with the path of least resistance.... 666... then tried 755,766.... and yes I do understand what chmod means. I've been out of diapers for awhile.

I thought of the phpbb link too and had it completely off the site and still the gallery was hacked. They always use the same directory. Here is the last note from my host:

> Your VPS has not been down at all in the past week. Your server has
> been compromised, which was causing the problems. I have removed the
> exploits from the server, so you should be able to access it now. You
> must go through every php script on your server, and ensure they are up
> to date, and can not be used to exploit your server in the future.
>
> The account that appears to be insecure is: maegg
>
> I found the exploits in:
> /home/maegg/public_html/morgue/templates
>
> Please secure every PHP script under this account. If you fail to
> secure your VPS, further exploits can be taken as a violation of our AUP.
>


that directory is the templates directory for wsngallery. I call it the morgue as that is typical for stock photos. The file was loaded directly into that directory. I have a copy of it for what it is worth. At the time that message was sent.... phpbb was completely taken down and not on the server.

According to your reply, the templates directory should work with permission 666... is that right? Mine does NOT work with that permission. It only works at 777. Right now for demonstration purposes... it is set at 666. You can see the error message. I really like the features of the gallery but I have to find a way to run it safely as it is sapping my time but my users absolutely loved it so I want to make it work. I appreciate your help.
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7868
Paul
Posted Aug 23, 2005 - 11:08 PM:

> According to your reply, the templates directory should work with permission 666... is that right?

Again, please read the manual entry to learn what CHMOD values are and which ones can apply when. If you were familiar with CHMOD at all, you would not be asking that question, you would know that directories must be executed to be viewed.

And no, the readme does not suggest ever setting any directory to 666. Files in directories, sure. Again, read the manual.
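
Paul's replies above rest on what the mode bits mean for a directory the web server must enter and for an uploaded file. The following is an added example, not code from this thread or from WSN: a small Python audit that builds its own constructed tree (an empty file named 'bador' stands in for the upload the host found) and reports the world-writable directory, the executable file, and the 766 directory that the server cannot enter. It assumes a POSIX filesystem.

```python
import os
import stat
import tempfile

# Issue codes reported by the audit.
DIR_NO_OTHER_SEARCH = "DIR_NO_OTHER_SEARCH"  # e.g. 766/666: no x bit, server cannot enter
DIR_WORLD_WRITABLE = "DIR_WORLD_WRITABLE"    # e.g. 777: any local process can drop files
FILE_EXECUTABLE = "FILE_EXECUTABLE"          # unlike the usual 644 upload, this could run

def describe_issues(path):
    """Classify one entry from its mode bits alone (contents are not inspected)."""
    mode = os.lstat(path).st_mode
    perm = stat.S_IMODE(mode)
    issues = []
    if stat.S_ISDIR(mode):
        # The x (search) bit for "other" is what lets a web server running as
        # another user enter the directory; the w bit lets it create files there.
        if not perm & stat.S_IXOTH:
            issues.append(DIR_NO_OTHER_SEARCH)
        if perm & stat.S_IWOTH:
            issues.append(DIR_WORLD_WRITABLE)
    elif stat.S_ISREG(mode) and perm & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        issues.append(FILE_EXECUTABLE)
    return issues

def audit_tree(root):
    """Walk root; return {relative path: [issue codes]} for entries with findings."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            entry = os.path.join(dirpath, name)
            issues = describe_issues(entry)
            if issues:
                findings[os.path.relpath(entry, root).replace(os.sep, "/")] = issues
    return findings

def build_demo_tree():
    """Constructed fixture: 777 attachments dir (644 image, empty executable 'bador'), 766 templates dir."""
    root = tempfile.mkdtemp(prefix="wsn_audit_")
    dirs = {"attachments": 0o777, "templates": 0o766}
    files = {"attachments/photo.jpg": 0o644, "attachments/bador": 0o755,
             "templates/default.html": 0o644}
    for d in dirs:
        os.mkdir(os.path.join(root, d))
    for rel, mode in files.items():
        open(os.path.join(root, rel), "w").close()
        os.chmod(os.path.join(root, rel), mode)
    for d, mode in dirs.items():  # set directory modes last, after files exist
        os.chmod(os.path.join(root, d), mode)
    return root
```

Running `audit_tree(build_demo_tree())` shows why 766 is the worst of both worlds: the directory is still writable by everyone but cannot be entered by the web server user.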
maegg
Beginner

Usergroup: Customer
Joined: Jul 22, 2004

Total Topics: 1
Total Comments: 3
maegg
Posted Aug 24, 2005 - 1:38 PM:

Got it in spite of the painful sarcasm. I can clearly see where the problem lies and I'm sure I'm not the only one doing this. I read the readme file which says to change templates to 666 ..... I took that to mean templates directory. I totally get it now. Every time you said read the manual I went back and read that stupid readme file again instead of the manual. My bad. It's all working now and hopefully secure. I'm still concerned as I'm not quite sure how they hacked it but they did. We will see if it happens again.