LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   how hackers hacking the website ? (http://www.linuxquestions.org/questions/linux-security-4/how-hackers-hacking-the-website-4175442170/)

nixonp 12-19-2012 10:27 AM

how hackers hacking the website ?
 
how hackers are injecting code to the website ?
Some times some of my websites are hacked by hackers.
Somehow they are modifying the files by injecting some codes.
How hackers are injecting the codes to the site ?
What technique they are using to modify the files ?

Some where I read that the files / folders with full permissions has high possibility to get hacked.
How a hacker modify the file which is having the write access.?

I have Lots of questions regarding this. Please help me to clear my doubts..

unSpawn 12-19-2012 10:53 AM

Here's a few:
- lack of proper knowledge to run and admin Linux "the Linux way" (often the first symptom is the "admin" using a web-based management panel),
- running outdated, vulnerable software versions (think CMS, web log, forum, shopping cart, statistics package or plugin),
- OS misconfiguration (like using root to SSH or SCP or FTP files over),
- software misconfiguration (like giving web content or upload directories octal mode 777 access rights),
- not cleaning up installation files after the installation,
- unprotected admin files or directories (like /phpadmin),
- running a web site on an already compromised shared host,
- leeched FTP and other credentials of editors.

If you want answers suitable for your specific situation please be specific and verbose when asking questions.

nixonp 12-19-2012 11:36 AM

if a file having 666 or 777 permission, how a hacker updating that particular file ?
what technique is using to insert the code to that file ?

Nbiser 12-19-2012 12:13 PM

Code can be injected by creating a remote shell. A remote shell can be created by using an open port on your computer. A hacker can more easily modify a file with 777 permissions because anybody with access to the computer can get into that file; thus, even if the remote shell that the hacker is in doesn't give him root access he can still read and write to that file. To help keep a hacker from getting a remote shell to your computer you need to close all ports that your computer doesn't need. Hope this helps!

pan64 12-19-2012 12:22 PM

setting permissions to 777 (or 666) itself is safe, it is not a problem. But a hacker (if he was already inside) can easily modify those files/dirs.

unSpawn 12-19-2012 12:30 PM

Quote:

Originally Posted by nixonp (Post 4853009)
if a file having 666 or 777 permission

These are the wrong permissions to start with! It would be a serious error as it allow anyone to write to or execute such files. 0640 or 0644 should do.


Quote:

Originally Posted by nixonp (Post 4853009)
what technique is using to insert the code to that file ?

Often it's written into .php or include files but it kind of depends on what the product or environment allows.


It would be better (safe for others, efficient) if you start by checking the practices and software versions of your "hacked web sites" and take it from there: in the end the method should not be leading but how to fix things.

unSpawn 12-19-2012 12:35 PM

Quote:

Originally Posted by pan64 (Post 4853039)
setting permissions to 777 (or 666) itself is safe, it is not a problem.

No it is not safe and it is not a best practice.

nixonp 12-19-2012 01:42 PM

I have a small doubt.
Just Imagine a situation.

1. I created a file in my domain http://example.com/test.html
2. and I given 777 permission for test.html

Then is it possible to inject the code to this file ? If yes, how ?

unSpawn 12-19-2012 02:25 PM

Quote:

Originally Posted by nixonp (Post 4852963)
Some times some of my websites are hacked by hackers.
Somehow they are modifying the files by injecting some codes.

These are clear questions with a clear cause and a clear solution.
I suggest you stop prevaricating and address the cause.

NyteOwl 12-19-2012 02:25 PM

That would be publishing an exploit which is against LQ rules ;)

Nbiser 12-19-2012 07:57 PM

Quote:

Originally Posted by nixonp (Post 4853086)
I have a small doubt.
Just Imagine a situation.

1. I created a file in my domain http://example.com/test.html
2. and I given 777 permission for test.html

Then is it possible to inject the code to this file ? If yes, how ?

Yes, it is possible to inject code into this file. This can be done via a remote shell through a port on your Server or PC. A hacker's first step would be to scan your ip address using nessus or some similar tool. If he finds an open port that is exploitable, then he can break into your computer. At this point he can see all of the files in whatever user account that port opens to. He can now edit all files with octal codes that are set to 777 and 666. He can also view and write to all files that belong to that users group if the octal codes are 777,666,664,755,and 660. If your server is compromised, you need to run a port scan yourself, and then go into your server and close all ports, processes, and daemons that you don't need.

unSpawn 12-19-2012 09:04 PM

Quote:

Originally Posted by Nbiser (Post 4853338)
If your server is compromised, you need to run a port scan yourself, and then go into your server and close all ports, processes, and daemons that you don't need.

I suggest you read up on things before posting such "advice". TCP/80 needs to be open to serve web content and the port being open itself isn't the biggest threat.

pan64 12-20-2012 04:36 AM

Quote:

Originally Posted by Nbiser (Post 4853338)
Yes, it is possible to inject code into this file. This can be done via a remote shell through a port on your Server or PC. A hacker's first step would be to scan your ip address using nessus or some similar tool. If he finds an open port that is exploitable, then he can break into your computer. At this point he can see all of the files in whatever user account that port opens to. He can now edit all files with octal codes that are set to 777 and 666. He can also view and write to all files that belong to that users group if the octal codes are 777,666,664,755,and 660. If your server is compromised, you need to run a port scan yourself, and then go into your server and close all ports, processes, and daemons that you don't need.


No, definitely not enough to set permissions to 777 to allow injection. From the other side if someone was able to open a remote shell (that could be a security hole) he could also be able to modify that file (and in case he could have root access he would not need 777 or 666 to inject anything).
The main goal is to protect your host, not only your files.

Habitual 12-20-2012 07:29 AM

Quote:

Originally Posted by unSpawn (Post 4853048)
No it is not safe and it is not a best practice.

I have always used 755 for directories, and 644 for files. Never had an issue.

unSpawn 12-20-2012 08:27 AM

Quote:

Originally Posted by Habitual (Post 4853657)
I have always used 755 for directories, and 644 for files. Never had an issue.

Indeed with such settings you shouldn't have read / write issues.

The more important point is warning people one sees fscking things up good because they don't understand Linux basics, because some stupid vendor, web log or HOWTO web site told them or because of untruths are propagated elsewhere. In this respect access permissions aren't the overarching reason for i-frame injections but a misunderstanding or neglect of one of the core tenets of UNIX: the least privilege principle. More than that voicing misconceptions distracts from the real priority here and that is to point the OP to actions to perform. Unfortunately the OP hasn't returned since post #10 so I can only hope he understood what he should do.


All times are GMT -5. The time now is 10:33 AM.