Attempted hack, need CHMod advice urgently

Acorn · Post by **Acorn** » Sat Oct 09, 2010 9:56 pm

It seems that someone has tried to hack my site by adding a .htaccess file to every folder with public write permissions, trying to redirect to a file containing (I think) a trojan.

I am going through removing the rogue files, but I would really appreciate some advice on which folders require a 777 permission. I understand that the cache folder does, and presumably the avatar uploads, and the files folder.

Anything else you can tell me that might be helpful would be really welcome.

Oh - FYI the hacking site was funnysignage.com and I have what I believe to be their ip address. I added a 'deny from xxx.xxx.xxx.xxx' line to my proper .htaccess file - presumably that was a good idea?

Post by **KevC** » Sat Oct 09, 2010 10:00 pm

Knowledge Base - phpBB3 Chmod Permissions

If your FTP has been compromised you should ask your hosts to look at it.

Acorn · Post by **Acorn** » Sat Oct 09, 2010 10:21 pm

Brilliant - thank you. There was nothing wrong with the permissions I'm glad to say, other than in one image folder that wasn't connected with the forum.

Is it likely to be our hosts fault that the hackers were able to get in, or is it possible that we have done something? As they've only written to 777 folders they clearly haven't had full FTP access.

Post by **KevC** » Sat Oct 09, 2010 10:27 pm

If folders being 777 was unsafe then we wouldn't have them so it suggests something host side. They should at least be able to look at the logs and see when the files were uploaded and from where.

narqelion · Post by **narqelion** » Sat Oct 09, 2010 11:16 pm

http://www.phpbb.com/community/viewtopi ... #p12845508

I would urge you to never use 777 unless your webhost does not have PHP configured to run as you, in most cases 755 is fine these days and much more secure. Your having those folders set to 777 is what allowed them to be written to by the hacker. I installed my first phpBB board back in 2003, version 2.0.something and I've never needed to set any folders to 777 for it to work.

Post by **Noxwizard** » Sun Oct 10, 2010 4:45 am

If the server is configured properly, then 777 is fine. If your configuration allows lowering it to 755, that's fine too. If the attack was caused be some other vulnerable script on your account, having it at 755 wouldn't have helped. If there are no other scripts and files are still being written, then your host needs to look into it as files are probably being written across the entire box. Without looking at logs, everything at this point is pure speculation and should be treated as such. As with all incidents, please continue this discussion in the Incident Tracker if you have further questions.

advertisements