got hacked, think i know how, help me stop it

nephish · 01-23-2006, 10:55 PM

lo there,
i am running a simple lamp from home.
i tried out this package from e107 that is a content management system.
i think i had some of the file permissions a little too permissive, and about a day after i installed it, something got in, created a user, and started to wreck havoc right in frot of my eyes. i unplugged from the ethernet, but still , lost a lot of time because i had to restore everything, lost root password, all kinds of stuff. i feel like an idiot about this.. but it brings me to my questions....

what is a good permissions setup for files in a webserver and cgi-bin ?
chmod 655 ? i know that 777 is no good.

another twist, i have a couple of users set up (friends) whose websites i was also hosting. i would let them ssh to upload their files to their home directory (also the web-root of their website). So they need to still be able to do that.
would ftp be safer ?

need some advice because, although i did not loose anything except some face and time, the thing cost a lot in doing a reinstall of archlinux and restoring backups.

any tips are welcome.

thanks gents

Kahless · 01-23-2006, 11:44 PM

i dont know about this package, but is its php config file readable on the web server? if so.... is there any way to make it not readable and still work, perhaps by putting it outside the web root?

if it is readable, was the mysql username and password the same as a system account username and password? if so, that would have been a very easy first step in.

Kahless · 01-23-2006, 11:48 PM

http://www.networksecurityarchive.or.../msg00106.html

google around for hacking e107 to find other problems and possibly ways to secure agenst them

nephish · 01-24-2006, 05:10 AM

yeah, the name and password were the same, guess i know better than to do that now.
thanks

nephish · 01-24-2006, 05:30 AM

by the way, thanks for the link.
what permissions should the files in the web_root folders be ?

nx5000 · 01-24-2006, 06:40 AM

For directories:
755 if you want to allow indexing
711 to disallow it

HTML,IMAGE,..:
644

CGI:
755 or 711

nephish · 01-24-2006, 08:12 AM

wow, thanks a lot for that.
after googling around, not just at e107 hacking, but php (what i use most) there is some scary stuff out there, kinda surprised that i have not had this happen before, i have been running my server for a year.
thanks for the great info.

dbogdan · 01-24-2006, 09:06 AM

I've been running e107 for several years now on an internet facing box, been lucky I guess... anyway, have you checked out the e107.org site for updates ? they also have a very helpful and active forum that might help you out on permission/security questions.

Dave

doublejoon · 01-24-2006, 01:12 PM

Get mod_security!!! http://www.modsecurity.org/

It rocks!!

nephish · 01-24-2006, 02:19 PM

mod security looks great, even a debian package for it (use debian at work, arch at home) so i will have to get it for arch too.
thanks much. Yeah, having the same user name and password in the scripts as i use on my system was somewhat foolish of me, even more to just blanket everything with chmod 777 . i guess you just don't do that.

thanks everyone.

KimVette · 01-24-2006, 09:51 PM

Why not disable indexing in your {vhost}.conf file or at minimum in .htaccess?

nephish · 01-25-2006, 07:30 AM

ok, if i disable indexing, it means that someone cannot go to www.mysite.com/some_directory/ and see all the files listed there right?

ok, that sounds good.

I have hit a snag here with my permissions. There is part of the website where users can upload images to a certain directory. It doesnt work right now because i dont have permission as a web user to view the contents of said directory.

what permissions do i use in this case, the images need to be able to be uploaded, but also viewed later from the website.

thanks