WebProWorld > Webmaster, IT and Security Discussion > Internet Security Discussion Forum
  #1 (permalink)  
Old 03-02-2007, 09:08 PM
edhan's Avatar
WebProWorld Veteran
 

Join Date: Aug 2003
Location: Singapore
Posts: 549
edhan RepRank 1
Default Security breach

My clients have installed programs on the web server that need to be given 777 permission. After checking, we discovered that this has opened an opportunity for hackers to upload their spam files and have control over the server.

Is there any way of protecting the server where 777 permission is needed?
  #2 (permalink)  
Old 05-09-2007, 07:29 PM
WebProWorld New Member
 

Join Date: May 2007
Posts: 5
99debra99 RepRank 0
Default

You can try password protecting the file.

This can be done in the control panel of your hosting.
  #3 (permalink)  
Old 05-09-2007, 10:21 PM
edhan's Avatar
WebProWorld Veteran
 

Join Date: Aug 2003
Location: Singapore
Posts: 549
edhan RepRank 1
Default

The file needs to be written by the script; password protecting it will prevent it from updating.

I am wondering how the person can exploit it and upload files into the server.
  #4 (permalink)  
Old 05-10-2007, 05:01 AM
WebProWorld Pro
 

Join Date: Sep 2005
Location: Manchester, UK
Posts: 257
mikesmith76 RepRank 0
Default

Just a quick note: you never need to set the permissions of any file / directory to 777 just to update them from PHP. Find out what user the script is running under and change the owner of the file in question, then you can set more restrictive permissions.
  #5 (permalink)  
Old 05-10-2007, 07:44 AM
edhan's Avatar
WebProWorld Veteran
 

Join Date: Aug 2003
Location: Singapore
Posts: 549
edhan RepRank 1
Default

I will check with him. He is using those CMS programs where it is necessary to set 777. I too have used some of those CMS programs and also needed to set them to 777. I did try using 755 instead, but it didn't work. So I have to set it to 777.
  #6 (permalink)  
Old 05-15-2007, 05:47 PM
wige's Avatar
Moderator
WebProWorld Moderator
 

Join Date: Jun 2006
Location: United States
Posts: 1,782
wige RepRank 4
Default

777 is usually not needed, and is typically recommended because it is easier than painstakingly going through and manually setting up individual permissions. Note also, setting the permissions to 777 can make the FILE vulnerable, but not the system. If an unauthorized user modified the file that was set as 777, they compromised another service on the server first. Fix the permissions, yes, but also do a security audit ASAP to find what else got compromised. It may be something as simple as closing a port, or as bad as a script that does not do enough validation.
__________________
The best way to learn anything, is to question everything.
  #7 (permalink)  
Old 05-15-2007, 10:42 PM
edhan's Avatar
WebProWorld Veteran
 

Join Date: Aug 2003
Location: Singapore
Posts: 549
edhan RepRank 1
Default

As I am not a programmer, I can't really help much. Most of the BBS scripts require 777 permission for the upload folder and cache folder. These are 3rd-party software, and it is stated in the install instructions to have the permission set to 777, therefore leaving us no choice but to follow. Unless we do not want to use those scripts, there is no other alternative. Do you know of any good scripts that do not require setting 777?
  #8 (permalink)  
Old 05-17-2007, 05:10 PM
wige's Avatar
Moderator
WebProWorld Moderator
 

Join Date: Jun 2006
Location: United States
Posts: 1,782
wige RepRank 4
Default

My point is more that setting the file as 777 is not, in and of itself, a security hole. All the 777 setting does is say that any process or user on the computer/server can view/edit/delete the file. If a malicious user made changes, there are two possible reasons. Either the program that is intended to edit the file did a bad job of checking the data it was writing and allowed the bad data, or something else on your server has been attacked, and because of the 777 setting, the attacker was able to modify the file.

In most configurations, you want things like bulletin board files and log files to only be editable by one or two programs - the ones that actually generate the forum or log the events - to prevent attackers from modifying the files after an attack. Developers often take a more lax approach to non-critical files, giving up a small amount of security in exchange for a program that is easier to install. In these cases, you can usually set the permissions to be more restrictive, even if the program's documentation indicates otherwise. You simply have to have a good working knowledge of the program and the operating system to set it up just right.

The primary concern at this point should be to determine how the file was modified, to prevent future issues. Unfortunately, since the file was set to 777, any service could have been used to make the changes. A security audit should be able to determine possible points of attack, though.
  #9 (permalink)  
Old 05-17-2007, 11:11 PM
edhan's Avatar
WebProWorld Veteran
 

Join Date: Aug 2003
Location: Singapore
Posts: 549
edhan RepRank 1
Default

Yes, I do agree that 777 permission exposes us to danger. But unfortunately most of the BBS scripts require such a setting. On several occasions, I attempted to change it to 666 or 755, but still without success. Therefore I am wondering, since these scripts allow it to be set to 777, is there any way we can avoid being attacked, or how do we monitor whether an attack is being carried out?
  #10 (permalink)  
Old 05-18-2007, 10:56 AM
wige's Avatar
Moderator
WebProWorld Moderator
 

Join Date: Jun 2006
Location: United States
Posts: 1,782
wige RepRank 4
Default

Typically, what happens is you own or rent an off-site server that you upload your files to with FTP. The web server (usually Apache) then runs the forum scripts which try to edit the files you uploaded. The FTP program has one username, and the web server has another. Unless the file you uploaded (which has an owner of your username, typically) is set to 777, the web server can't make the needed changes. On most servers, Apache uses the username and group "apache". If you have command line access (such as telnet) to the server, you can change the owner of the file using the chown command. After you upload the BBS files, chown them all so they are owned by the web server. That way the server can edit them as needed. HOWEVER, before you change the owner, use chmod and make sure read is set to all (7). Otherwise, after you change the owner, your FTP user will not be able to download the file. Also bear in mind, this change is final; you will not be able to delete or edit the file directly. You would actually have to create a script and upload it, and have the server delete the file.

As far as identifying the attack, this depends on the server and the method of the attack. What type of file was altered - a configuration file, a log, or a file containing bulletin board text? Also, do you have a shared or dedicated server, or is this a server you own?
  #11 (permalink)  
Old 05-18-2007, 02:52 PM
Vectorman211's Avatar
WebProWorld Member
 

Join Date: Jul 2006
Posts: 89
Vectorman211 RepRank 2
Default

The code in the script is handling the exception if it detects that the perms are not 0777. I would find this code and change it because there is NEVER a reason to set any file to 0777, ESPECIALLY directories.

Try this though:

chown username.apache /path_to_directory
chmod 0664 /path_to_directory

Where username = your username and path_to_directory = ....duh.

I don't think you'll need execute permissions, right?

It is possible that Apache does not run as the username apache on your web host, but in most cases it does.
__________________
http://www.wis-tech.net
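
The ownership-and-group approach from posts #10 and #11, plus a check for the monitoring question in post #9, as an added example that is not part of the thread. Function names are hypothetical and the group `apache` is the thread's assumption; pass only the directories the forum script must write to (such as uploads and cache). Directories are set to 2775 rather than 0664 because a directory cannot be entered without its execute bit.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical;
# the group "apache" is the thread's assumption and may differ on your host.

# Print everything under $1 with the world-write bit set (777 and 666 both set it).
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Replace world-write with owner + group write. $1 = tree, $2 = web server group.
# Directories get 2775: the execute bit is required to enter a directory, and
# setgid makes new files inherit the group. Files get 0664.
harden_tree() {
    chgrp -R "$2" "$1" || return 1
    find "$1" -type d -exec chmod 2775 {} +
    find "$1" -type f -exec chmod 0664 {} +
}

# Monitoring aid: .php files created or changed under $1 in the last $2 days.
# A new script inside an upload or cache directory deserves a look.
recent_scripts() {
    find "$1" -type f -name '*.php' -mtime "-$2" -print | sort
}

# Constructed sample tree that mimics a forum installed with 777 permissions.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/uploads" "$d/cache"
    echo 'avatar' > "$d/uploads/avatar.gif"
    echo '<?php /* constructed sample */ ?>' > "$d/uploads/new.php"
    chmod 0777 "$d/uploads" "$d/cache"
    chmod 0666 "$d/uploads/avatar.gif" "$d/uploads/new.php"
    echo "$d"
}

# Before/after report. $1 = tree, $2 = group.
report() {
    echo "world-writable before:"; find_world_writable "$1"
    harden_tree "$1" "$2" || return 1
    echo "world-writable after:"; find_world_writable "$1"
    echo "scripts changed in the last day:"; recent_scripts "$1" 1
}

# With arguments: sh harden.sh /path/to/forum apache. Without: run on the sample.
if [ "$#" -ge 1 ]; then
    report "$1" "${2:-apache}"
else
    demo=$(make_demo_tree) && report "$demo" "$(id -g)"; rm -rf "$demo"
fi
```

Changing the group to one you do not belong to requires root, so on shared hosting this step may have to go through the provider.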