Directory permissions question

on 19.04.2010 16:59:18 by Al

I'm working on a hosted website that was hacked and found something I don't
fully understand. Thought someone here may know the answer.

The site has 4 php malicious files in directories owned by "system" [php created
dirs on the site are named "nobody"] and permissions 755.

Is there any way the files could have been written other than by ftp access or
at the host root level? Clearly a php script couldn't.

Thanks, Al..........

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Directory permissions question

on 19.04.2010 17:11:01 by Adam Richardson

On Mon, Apr 19, 2010 at 10:59 AM, Al wrote:

> I'm working on a hosted website that was hacked and found something I don't
> fully understand. Thought someone here may know the answer.
>
> The site has 4 php malicious files in directories owned by "system" [php
> created dirs on the site are named "nobody"] and permissions 755.
>
> Is there any way the files could have been written other than by ftp access
> or at the host root level? Clearly a php script couldn't.
>
> Thanks, Al..........
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
Are there any other programming options enabled on the account (Perl, JSP,
Ruby, etc?) Even if the files are PHP, any of those programming options can
be configured to create the files.

Additionally, a vulnerability in one of the libraries leveraged to provide
the hosting environment could also have provided the entry (PHP makes for a
capable deliverable, but it doesn't have to provide the key for a hacking
situation.)

Adam

--
Nephtali: PHP web framework that functions beautifully
http://nephtaliproject.com

Re: Directory permissions question

on 19.04.2010 17:18:15 by Al

On 4/19/2010 11:11 AM, Adam Richardson wrote:
> On Mon, Apr 19, 2010 at 10:59 AM, Al wrote:
>
>> I'm working on a hosted website that was hacked and found something I don't
>> fully understand. Thought someone here may know the answer.
>>
>> The site has 4 php malicious files in directories owned by "system" [php
>> created dirs on the site are named "nobody"] and permissions 755.
>>
>> Is there any way the files could have been written other than by ftp access
>> or at the host root level? Clearly a php script couldn't.
>>
>> Thanks, Al..........
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>
> Are there any other programming options enabled on the account (Perl, JSP,
> Ruby, etc?) Even if the files are PHP, any of those programming options can
> be configured to create the files.
>
> Additionally, a vulnerability in one of the libraries leveraged to provide
> the hosting environment could also have provided the entry (PHP makes for a
> capable deliverable, but it doesn't have to provide the key for a hacking
> situation.)
>
> Adam
>

Are Perl, JSP, Ruby, etc. able to ignore the dir ownership and write permissions
on a Linux/Apache system?


Re: Directory permissions question

on 19.04.2010 18:01:01 by List Manager

Al wrote:
> I'm working on a hosted website that was hacked and found something I
> don't fully understand. Thought someone here may know the answer.
>
> The site has 4 php malicious files in directories owned by "system" [php
> created dirs on the site are named "nobody"] and permissions 755.
>
> Is there any way the files could have been written other than by ftp
> access or at the host root level? Clearly a php script couldn't.
>
> Thanks, Al..........
>

What version of Apache/PHP is it running?

--
Jim Lucas

"Some men are born to greatness, some achieve greatness,
and some have greatness thrust upon them."

Twelfth Night, Act II, Scene V
by William Shakespeare


Re: Directory permissions question

on 19.04.2010 18:06:41 by Peter Lind

On 19 April 2010 17:18, Al wrote:
>
>
> On 4/19/2010 11:11 AM, Adam Richardson wrote:
>>
>> On Mon, Apr 19, 2010 at 10:59 AM, Al wrote:
>>
>>> I'm working on a hosted website that was hacked and found something I
>>> don't fully understand. Thought someone here may know the answer.
>>>
>>> The site has 4 php malicious files in directories owned by "system" [php
>>> created dirs on the site are named "nobody"] and permissions 755.
>>>
>>> Is there any way the files could have been written other than by ftp
>>> access or at the host root level? Clearly a php script couldn't.
>>>
>>> Thanks, Al..........
>>>
>>> --
>>> PHP General Mailing List (http://www.php.net/)
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
>>>
>> Are there any other programming options enabled on the account (Perl, JSP,
>> Ruby, etc?) Even if the files are PHP, any of those programming options
>> can be configured to create the files.
>>
>> Additionally, a vulnerability in one of the libraries leveraged to provide
>> the hosting environment could also have provided the entry (PHP makes for
>> a capable deliverable, but it doesn't have to provide the key for a hacking
>> situation.)
>>
>> Adam
>>
>>
>> Adam
>>
>
> Are Perl, JSP, Ruby, etc. able to ignore the dir ownership and write
> permissions on a Linux/Apache system?
>

I've seen an install of Trac hacked by a file-upload - it managed to
write a cron job, which then wrote to other files. It's not just a
question of whether your Apache server has the correct
rights/permissions, it's equally a question of: is any other part of
the system getting used against me.

Regards
Peter

--

WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
Flickr: http://www.flickr.com/photos/fake51
BeWelcome: Fake51
Couchsurfing: Fake51


Re: Directory permissions question

on 19.04.2010 18:07:50 by Al Rider

Apache 2.0.63
php 5.2.8

I know both are obsolete and need updating. I told my client to request
same from their ISP.

Al

On 4/19/2010 12:01 PM, Jim Lucas wrote:
> Al wrote:
>
>> I'm working on a hosted website that was hacked and found something I
>> don't fully understand. Thought someone here may know the answer.
>>
>> The site has 4 php malicious files in directories owned by "system" [php
>> created dirs on the site are named "nobody"] and permissions 755.
>>
>> Is there any way the files could have been written other than by ftp
>> access or at the host root level? Clearly a php script couldn't.
>>
>> Thanks, Al..........
>>
>>
> What version of Apache/PHP is it running?
>
>


Re: Directory permissions question

on 20.04.2010 19:44:57 by Nathan Rixham

Al wrote:
> I'm working on a hosted website that was hacked and found something I
> don't fully understand. Thought someone here may know the answer.
>
> The site has 4 php malicious files in directories owned by "system" [php
> created dirs on the site are named "nobody"] and permissions 755.
>
> Is there any way the files could have been written other than by ftp
> access or at the host root level? Clearly a php script couldn't.
>
> Thanks, Al..........

It doesn't matter what the language of the script that did this is; it's
all about the permissions of the process that's running the script.

It's the difference between you running a script as www-data and running
it via the shell as root.

SUExec might be at play, or some other process, some user with ssh access,
some back door. Consider the permissions and owner of the directory
containing the files; if it's nobody, then anybody could have written to it.

All in, ask the ISP to check logs and history, ensure all your
permissions on directories are tight, and that you don't have any
scripts on there that can be abused and that they are "safe" - then
you're clear :)

Best,

Nathan

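As an added example (not code from the thread), here is a POSIX shell audit for the two questions raised by Al's post and Nathan's reply: which PHP files sit in directories the web-server user could actually write to, and which PHP files changed recently. It assumes the web-server user's name is passed in (the thread's "nobody") and that this user exists on the host where the script runs; writability is judged from the owner/other permission bits only, so group access is not considered.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: the web-server process
# runs as the user given in $2 (e.g. "nobody"), and "writable" is judged from
# the owner and other write bits only (group membership is ignored).
#
# For every .php file under a web root, report whether the directory holding it
# is writable by the web-server user. A file in a directory that user cannot
# write must have been placed by some other principal (FTP login, root, cron,
# another service account), which is the situation Al describes.
#
# Usage: classify_php_files /path/to/webroot nobody
classify_php_files() {
    root=$1
    webuser=$2
    find "$root" -type f -name '*.php' | sort | while IFS= read -r f; do
        d=$(dirname "$f")
        # directory is owner-writable (-200) and owned by the web user,
        # or world-writable (-002)
        if [ -n "$(find "$d" -maxdepth 0 -type d \
                   \( \( -user "$webuser" -perm -200 \) -o -perm -002 \) -print)" ]; then
            tag=WEB-WRITABLE
        else
            tag=NOT-WEB-WRITABLE
        fi
        # mode and owner of the containing directory, for the report
        set -- $(ls -ld "$d")
        printf '%s %s %s %s\n' "$tag" "$1" "$3" "$f"
    done
}

# PHP files modified within the last N days, sorted by path: a quick way to
# pull out dropped files for comparison with the host's FTP and access logs.
# Usage: recent_php_files /path/to/webroot 7
recent_php_files() {
    find "$1" -type f -name '*.php' -mtime "-$2" -print | sort
}
```

Run both against the web root and pass the user reported by `ps` for the httpd workers; anything tagged NOT-WEB-WRITABLE cannot have been written by a script running as that user.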