LinuxQuestions.org
Old 12-19-2012, 10:27 AM   #1
nixonp
LQ Newbie
 
Registered: Apr 2012
Posts: 5

Rep: Reputation: Disabled
How are hackers hacking the website?


How are hackers injecting code into the website?
Sometimes some of my websites are hacked by hackers.
Somehow they are modifying the files by injecting some code.
How are hackers injecting the code into the site?
What technique are they using to modify the files?

Somewhere I read that files / folders with full permissions have a high possibility of getting hacked.
How does a hacker modify a file which has write access?

I have lots of questions regarding this. Please help me to clear my doubts.
 
Old 12-19-2012, 10:53 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,003
Blog Entries: 54

Rep: Reputation: 2756
Here's a few:
- lack of proper knowledge to run and admin Linux "the Linux way" (often the first symptom is the "admin" using a web-based management panel),
- running outdated, vulnerable software versions (think CMS, web log, forum, shopping cart, statistics package or plugin),
- OS misconfiguration (like using root to SSH or SCP or FTP files over),
- software misconfiguration (like giving web content or upload directories octal mode 777 access rights),
- not cleaning up installation files after the installation,
- unprotected admin files or directories (like /phpadmin),
- running a web site on an already compromised shared host,
- leeched FTP and other credentials of editors.

If you want answers suitable for your specific situation please be specific and verbose when asking questions.
 
Old 12-19-2012, 11:36 AM   #3
nixonp
LQ Newbie
 
Registered: Apr 2012
Posts: 5

Original Poster
Rep: Reputation: Disabled
If a file has 666 or 777 permission, how does a hacker update that particular file?
What technique is used to insert the code into that file?
 
Old 12-19-2012, 12:13 PM   #4
Nbiser
Member
 
Registered: Oct 2012
Location: Maryland
Distribution: Fedora, Slackware, Debian, Ubuntu, Knoppix, Helix,
Posts: 279
Blog Entries: 7

Rep: Reputation: 41
Code can be injected by creating a remote shell. A remote shell can be created by using an open port on your computer. A hacker can more easily modify a file with 777 permissions because anybody with access to the computer can get into that file; thus, even if the remote shell that the hacker is in doesn't give him root access he can still read and write to that file. To help keep a hacker from getting a remote shell to your computer you need to close all ports that your computer doesn't need. Hope this helps!
 
Old 12-19-2012, 12:22 PM   #5
pan64
Senior Member
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 4,516

Rep: Reputation: 1222
Setting permissions to 777 (or 666) itself is safe, it is not a problem. But a hacker (if he was already inside) can easily modify those files/dirs.
 
Old 12-19-2012, 12:30 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,003
Blog Entries: 54

Rep: Reputation: 2756
Quote:
Originally Posted by nixonp
If a file has 666 or 777 permission
These are the wrong permissions to start with! It would be a serious error as it allows anyone to write to or execute such files. 0640 or 0644 should do.


Quote:
Originally Posted by nixonp
What technique is used to insert the code into that file?
Often it's written into .php or include files but it kind of depends on what the product or environment allows.


It would be better (safe for others, efficient) if you start by checking the practices and software versions of your "hacked web sites" and take it from there: in the end the method should not be leading but how to fix things.
 
Old 12-19-2012, 12:35 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,003
Blog Entries: 54

Rep: Reputation: 2756
Quote:
Originally Posted by pan64
Setting permissions to 777 (or 666) itself is safe, it is not a problem.
No, it is not safe and it is not a best practice.
 
Old 12-19-2012, 01:42 PM   #8
nixonp
LQ Newbie
 
Registered: Apr 2012
Posts: 5

Original Poster
Rep: Reputation: Disabled
I have a small doubt.
Just imagine a situation.

1. I created a file in my domain http://example.com/test.html
2. and I gave 777 permission to test.html

Then is it possible to inject code into this file? If yes, how?
 
Old 12-19-2012, 02:25 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,003
Blog Entries: 54

Rep: Reputation: 2756
Quote:
Originally Posted by nixonp
Sometimes some of my websites are hacked by hackers.
Somehow they are modifying the files by injecting some code.
These are clear questions with a clear cause and a clear solution.
I suggest you stop prevaricating and address the cause.
 
Old 12-19-2012, 02:25 PM   #10
NyteOwl
Member
 
Registered: Aug 2008
Location: Nova Scotia, Canada
Distribution: Slackware, OpenBSD, others periodically
Posts: 512

Rep: Reputation: 138
That would be publishing an exploit, which is against LQ rules.
 
Old 12-19-2012, 07:57 PM   #11
Nbiser
Member
 
Registered: Oct 2012
Location: Maryland
Distribution: Fedora, Slackware, Debian, Ubuntu, Knoppix, Helix,
Posts: 279
Blog Entries: 7

Rep: Reputation: 41
Quote:
Originally Posted by nixonp
I have a small doubt.
Just imagine a situation.

1. I created a file in my domain http://example.com/test.html
2. and I gave 777 permission to test.html

Then is it possible to inject code into this file? If yes, how?
Yes, it is possible to inject code into this file. This can be done via a remote shell through a port on your Server or PC. A hacker's first step would be to scan your IP address using Nessus or some similar tool. If he finds an open port that is exploitable, then he can break into your computer. At this point he can see all of the files in whatever user account that port opens to. He can now edit all files with octal codes that are set to 777 and 666. He can also view and write to all files that belong to that user's group if the octal codes are 777, 666, 664, 755, and 660. If your server is compromised, you need to run a port scan yourself, and then go into your server and close all ports, processes, and daemons that you don't need.
 
Old 12-19-2012, 09:04 PM   #12
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,003
Blog Entries: 54

Rep: Reputation: 2756
Quote:
Originally Posted by Nbiser
If your server is compromised, you need to run a port scan yourself, and then go into your server and close all ports, processes, and daemons that you don't need.
I suggest you read up on things before posting such "advice". TCP/80 needs to be open to serve web content and the port being open itself isn't the biggest threat.
 
Old 12-20-2012, 04:36 AM   #13
pan64
Senior Member
 
Registered: Mar 2012
Location: Hungary
Distribution: debian i686 (solaris)
Posts: 4,516

Rep: Reputation: 1222
Quote:
Originally Posted by Nbiser
Yes, it is possible to inject code into this file. This can be done via a remote shell through a port on your Server or PC. A hacker's first step would be to scan your IP address using Nessus or some similar tool. If he finds an open port that is exploitable, then he can break into your computer. At this point he can see all of the files in whatever user account that port opens to. He can now edit all files with octal codes that are set to 777 and 666. He can also view and write to all files that belong to that user's group if the octal codes are 777, 666, 664, 755, and 660. If your server is compromised, you need to run a port scan yourself, and then go into your server and close all ports, processes, and daemons that you don't need.

No, it is definitely not enough to set permissions to 777 to allow injection. On the other hand, if someone was able to open a remote shell (that could be a security hole), he could also modify that file (and in case he had root access he would not need 777 or 666 to inject anything).
The main goal is to protect your host, not only your files.
 
Old 12-20-2012, 07:29 AM   #14
Habitual
Senior Member
 
Registered: Jan 2011
Distribution: Slack14_64_Multilib
Posts: 3,079
Blog Entries: 4

Rep: Reputation: 745
Quote:
Originally Posted by unSpawn
No, it is not safe and it is not a best practice.
I have always used 755 for directories, and 644 for files. Never had an issue.
 
Old 12-20-2012, 08:27 AM   #15
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,003
Blog Entries: 54

Rep: Reputation: 2756
Quote:
Originally Posted by Habitual
I have always used 755 for directories, and 644 for files. Never had an issue.
Indeed with such settings you shouldn't have read / write issues.

The more important point is warning people one sees fscking things up good because they don't understand Linux basics, because some stupid vendor, web log or HOWTO web site told them or because untruths are propagated elsewhere. In this respect access permissions aren't the overarching reason for i-frame injections but a misunderstanding or neglect of one of the core tenets of UNIX: the least privilege principle. More than that, voicing misconceptions distracts from the real priority here and that is to point the OP to actions to perform. Unfortunately the OP hasn't returned since post #10 so I can only hope he understood what he should do.
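
Added example, not part of the original thread or any poster's code: a least-privilege audit of a web root that reports world-writable entries (the 666 / 777 case argued over above) and entries the web server account itself can write, then resets directories to 755 and files to 644 as mentioned in post #14. The function names, the `web_uid` parameter and applying 755/644 to every entry are assumptions of this example.

```python
import os
import stat
import sys

def _entries(root):
    """Yield (relative_path, is_dir, lstat_result) for everything under root, skipping symlinks."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name, is_dir in [(d, True) for d in dirnames] + [(f, False) for f in filenames]:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                      # lstat: never follow symlinks out of the web root
            if not stat.S_ISLNK(st.st_mode):
                yield os.path.relpath(path, root), is_dir, st

def audit_webroot(root, web_uid=None):
    """Return sorted (path, mode, reason) tuples for entries that break least privilege.

    web_uid is the numeric uid the web server / PHP runs as (an assumption the
    caller supplies); None skips the ownership check.
    """
    findings = []
    for rel, _is_dir, st in _entries(root):
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IWOTH:                      # 666 / 777: any local account can write
            findings.append((rel, format(mode, "04o"), "world-writable"))
        elif web_uid is not None and st.st_uid == web_uid and mode & stat.S_IWUSR:
            # A flaw in the web application runs with this uid, so it can rewrite the entry.
            findings.append((rel, format(mode, "04o"), "writable by web server account"))
    return sorted(findings)

def harden_webroot(root, dry_run=True):
    """Set directories to 0755 and files to 0644; return the changes made (or planned)."""
    changes = []
    for rel, is_dir, st in _entries(root):
        have, want = stat.S_IMODE(st.st_mode), (0o755 if is_dir else 0o644)
        if have != want:
            changes.append((rel, format(have, "04o"), format(want, "04o")))
            if not dry_run:
                os.chmod(os.path.join(root, rel), want)
    return sorted(changes)

if __name__ == "__main__":
    # Usage: python audit.py /path/to/webroot   (path is supplied by the operator)
    for finding in audit_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*finding, sep="\t")
```

Resetting every file to 644 removes the execute bit from scripts that are run directly, and directories the application must write to (uploads, caches) need a deliberate exception owned by the right account rather than 777.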
 
  


All times are GMT -5.