Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
How are hackers injecting code into the website?
Sometimes some of my websites are hacked by hackers.
Somehow they are modifying the files by injecting some code.
How are hackers injecting the code into the site?
What technique are they using to modify the files?
Somewhere I read that files / folders with full permissions have a high possibility of getting hacked.
How does a hacker modify a file which has write access?
I have lots of questions regarding this. Please help me to clear my doubts.
Here's a few:
- lack of proper knowledge to run and admin Linux "the Linux way" (often the first symptom is the "admin" using a web-based management panel),
- running outdated, vulnerable software versions (think CMS, web log, forum, shopping cart, statistics package or plugin),
- OS misconfiguration (like using root to SSH or SCP or FTP files over),
- software misconfiguration (like giving web content or upload directories octal mode 777 access rights),
- not cleaning up installation files after the installation,
- unprotected admin files or directories (like /phpadmin),
- running a web site on an already compromised shared host,
- leeched FTP and other credentials of editors.
If you want answers suitable for your specific situation please be specific and verbose when asking questions.
Code can be injected by creating a remote shell. A remote shell can be created by using an open port on your computer. A hacker can more easily modify a file with 777 permissions because anybody with access to the computer can get into that file; thus, even if the remote shell that the hacker is in doesn't give him root access he can still read and write to that file. To help keep a hacker from getting a remote shell to your computer you need to close all ports that your computer doesn't need. Hope this helps!
These are the wrong permissions to start with! It would be a serious error as it allows anyone to write to or execute such files. 0640 or 0644 should do.
Quote:
Originally Posted by nixonp
What technique is used to insert the code into that file?
Often it's written into .php or include files but it kind of depends on what the product or environment allows.
It would be better (safe for others, efficient) if you start by checking the practices and software versions of your "hacked web sites" and take it from there: in the end the method should not be leading but how to fix things.
Then is it possible to inject the code into this file? If yes, how?
Yes, it is possible to inject code into this file. This can be done via a remote shell through a port on your server or PC. A hacker's first step would be to scan your IP address using Nessus or some similar tool. If he finds an open port that is exploitable, then he can break into your computer. At this point he can see all of the files in whatever user account that port opens to. He can now edit all files with octal codes that are set to 777 and 666. He can also view and write to all files that belong to that user's group if the octal codes are 777, 666, 664, 755, and 660. If your server is compromised, you need to run a port scan yourself, and then go into your server and close all ports, processes, and daemons that you don't need.
Quote:
If your server is compromised, you need to run a port scan yourself, and then go into your server and close all ports, processes, and daemons that you don't need.
I suggest you read up on things before posting such "advice". TCP/80 needs to be open to serve web content and the port being open itself isn't the biggest threat.
Quote:
Yes, it is possible to inject code into this file. This can be done via a remote shell through a port on your server or PC. A hacker's first step would be to scan your IP address using Nessus or some similar tool. If he finds an open port that is exploitable, then he can break into your computer. At this point he can see all of the files in whatever user account that port opens to. He can now edit all files with octal codes that are set to 777 and 666. He can also view and write to all files that belong to that user's group if the octal codes are 777, 666, 664, 755, and 660. If your server is compromised, you need to run a port scan yourself, and then go into your server and close all ports, processes, and daemons that you don't need.
No, definitely not enough to set permissions to 777 to allow injection. From the other side if someone was able to open a remote shell (that could be a security hole) he could also be able to modify that file (and in case he could have root access he would not need 777 or 666 to inject anything).
The main goal is to protect your host, not only your files.
I have always used 755 for directories, and 644 for files. Never had an issue.
Indeed with such settings you shouldn't have read / write issues.
The more important point is warning people one sees fscking things up good because they don't understand Linux basics, because some stupid vendor, web log or HOWTO web site told them, or because untruths are propagated elsewhere. In this respect access permissions aren't the overarching reason for i-frame injections but a misunderstanding or neglect of one of the core tenets of UNIX: the least privilege principle. More than that, voicing misconceptions distracts from the real priority here and that is to point the OP to actions to perform. Unfortunately the OP hasn't returned since post #10 so I can only hope he understood what he should do.
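To turn the 644-files / 755-directories advice in this thread into a repeatable check, here is an added audit script (example code, not posted by anyone in the thread). It assumes a Linux host with GNU find (for the `-perm /022` syntax) and a web root path you supply; it reports every file or directory that is group- or world-writable (the 777, 666, 664 and 660 modes discussed above) and can reset the tree to 755/644.

```shell
#!/bin/sh
# Added example: audit a web root for group/world-writable entries and
# optionally normalize modes to 755 (directories) / 644 (files).
# Assumes GNU find; the web root is whatever directory you pass in.

# List files and directories whose mode grants write to group or others
# (matches 777, 666, 664, 660 and similar; 755/644 are not reported).
find_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm /022 -print
}

# Number of such entries; "0" means the tree already follows 755/644.
count_writable() {
    find_writable "$1" | wc -l | tr -d ' '
}

# Reset the tree to the conventional modes. Ownership is left alone:
# the web server only needs read access to serve content, so a directory
# that must accept uploads should be owned by the right user, not 777.
normalize_modes() {
    find "$1" -xdev -type d -exec chmod 755 {} +
    find "$1" -xdev -type f -exec chmod 644 {} +
}

# audit_webroot DIR [fix]
# Prints a report and returns 0 when clean, 1 when writable entries were
# found. With "fix" as the second argument the modes are corrected in place.
audit_webroot() {
    dir=$1
    n=$(count_writable "$dir")
    if [ "$n" -eq 0 ]; then
        echo "OK: no group/world-writable files or directories under $dir"
        return 0
    fi
    echo "WARNING: $n group/world-writable entries under $dir:"
    find_writable "$dir"
    if [ "$2" = "fix" ]; then
        normalize_modes "$dir"
        echo "Modes reset to 755 (dirs) / 644 (files) under $dir"
    fi
    return 1
}
```

Run it as `audit_webroot /var/www/example` first to see what would change, and add `fix` only once you have confirmed nothing under the web root legitimately needs group write.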