Attempted hack, need CHMod advice urgently

Get help with installation and running phpBB 3.0.x here. Please do not post bug reports, feature requests, or MOD-related questions here.
Get Involved
Forum rules
END OF SUPPORT: 1 January 2017 (announcement)
Locked
User avatar
Acorn
Registered User
Posts: 402
Joined: Tue Sep 26, 2006 8:11 am
Location: UK
Contact:

Attempted hack, need CHMod advice urgently

Post by Acorn »

It seems that someone has tried to hack my site by adding a .htaccess file to every folder with public write permissions, trying to redirect to a file containing (I think) a trojan.

I am going through removing the rogue files, but I would really appreciate some advice on which folders require a 777 permission. I understand that the cache folder does, and presumably the avatar uploads, and the files folder.

Anything else you can tell me that might be helpful would be really welcome.

Oh - FYI the hacking site was funnysignage.com and I have what I believe to be their ip address. I added a 'deny from xxx.xxx.xxx.xxx' line to my proper .htaccess file - presumably that was a good idea?
Getting braver all the time. :D
User avatar
KevC
Support Team Member
Support Team Member
Posts: 70432
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK
Contact:

Re: Attempted hack, need CHMod advice urgently

Post by KevC »

Knowledge Base - phpBB3 Chmod Permissions

If your FTP has been compromised you should ask your hosts to look at it.
-:|:- Support Request Template -:|:-
Image
Cheap UK Hosting
"In the land of the blind the little green bloke with no pupils is king - init!"
User avatar
Acorn
Registered User
Posts: 402
Joined: Tue Sep 26, 2006 8:11 am
Location: UK
Contact:

Re: Attempted hack, need CHMod advice urgently

Post by Acorn »

Brilliant - thank you. There was nothing wrong with the permissions I'm glad to say, other than in one image folder that wasn't connected with the forum.

Is it likely to be our hosts fault that the hackers were able to get in, or is it possible that we have done something? As they've only written to 777 folders they clearly haven't had full FTP access.
Getting braver all the time. :D
User avatar
KevC
Support Team Member
Support Team Member
Posts: 70432
Joined: Fri Jun 04, 2004 10:44 am
Location: Oxford, UK
Contact:

Re: Attempted hack, need CHMod advice urgently

Post by KevC »

If folders being 777 was unsafe then we wouldn't have them so it suggests something host side. They should at least be able to look at the logs and see when the files were uploaded and from where.
-:|:- Support Request Template -:|:-
Image
Cheap UK Hosting
"In the land of the blind the little green bloke with no pupils is king - init!"
narqelion
I've Been Banned!
Posts: 7235
Joined: Sat Dec 13, 2008 5:00 pm
Contact:

Re: Attempted hack, need CHMod advice urgently

Post by narqelion »

http://www.phpbb.com/community/viewtopi ... #p12845508

I would urge you to never use 777 unless your webhost does not have PHP configured to run as you, in most cases 755 is fine these days and much more secure. Your having those folders set to 777 is what allowed them to be written to by the hacker. I installed my first phpBB board back in 2003, version 2.0.something and I've never needed to set any folders to 777 for it to work. :)
User avatar
Noxwizard
Support Team Leader
Support Team Leader
Posts: 10423
Joined: Mon Jun 27, 2005 8:41 pm
Location: Texas, USA
Name: Patrick Webster
Contact:

Re: Attempted hack, need CHMod advice urgently

Post by Noxwizard »

If the server is configured properly, then 777 is fine. If your configuration allows lowering it to 755, that's fine too. If the attack was caused be some other vulnerable script on your account, having it at 755 wouldn't have helped. If there are no other scripts and files are still being written, then your host needs to look into it as files are probably being written across the entire box. Without looking at logs, everything at this point is pure speculation and should be treated as such. As with all incidents, please continue this discussion in the Incident Tracker if you have further questions.
[Support Template] - [Read Before Posting] - [phpBB Knowledge Base]
Do not contact me for private support, please share the question in our forums.
Locked

Return to “[3.0.x] Support Forum”