 |
Technical Chat From server configurations to local area networking - the technical discussion forum.
 |
| | LinkBack | Thread Tools | Search this Thread | Display Modes |
| ||||||||||||
|
|
| | LinkBack | Thread Tools | Search this Thread | Display Modes |
(#1)
  |
| New Member Posts: 18 Join Date: Jan 2007 Location: Athens/GREECE | Securing writeable (CHMOD 777) folders -
18-07-2007, 09:01 PM
Greetings from Greece, I just received a note from zone-h.org that my eSupport installation was hacked. To be more exact, someone placed an index.php in the /files directory of eSupport. The above directory (and cache directory) are CHMOD'ed 777, is there any way to prevent something like this from happening? |
| |  |
|
(#2)
|
| Senior Member  Posts: 3,681 Join Date: Aug 2006 Location: Mumbai, India |
18-07-2007, 09:23 PM
This is something new! I suggest you edit the post and remove the "way" your helpdesk was hacked and contact Kayako Support for more feedback. Professional and Affordable Kayako Skins - Specialists in Kayako Skinning & Customization - Professional Paid Support Our Skins and Services - http://www.supportskins.com/store/ SupportSkins.com - http://www.supportskins.com/ |
| | |
|
(#3)
|
| Community Moderator Posts: 686 Join Date: Jan 2005 |
18-07-2007, 11:34 PM
He didn't include the way, he included the result.  Common knowledge about directory permissions in Kayako, I should think. |
| | |
|
(#4)
|
| New Member Posts: 18 Join Date: Jan 2007 Location: Athens/GREECE |
18-07-2007, 11:39 PM
Yes, I just included the result. Unfortunately those directories need to be in 777. What do you guys use to secure them from remote scripts? |
| | |
|
(#5)
|
| Member  Posts: 345 Join Date: Feb 2007 Location: Lyon, France |
19-07-2007, 06:26 AM
why is the /files/ used... are you using flat storage instead of database storage? If yes, that's where you can see the difference in security issues. Database files aren't real files. -- Lurking around there -- |
| | |
|
(#6)
|
| Senior Member Posts: 5,552 Join Date: Jun 2005 Location: Cumbria, UK |
19-07-2007, 08:27 AM
It would seem more likely that they have got in through a 3rd party piece of software but contact Kayako and post your ticket ID here so it can be chased ASAP. Icon Headquarters - Its Elixir - Web2Messenger |
| | |
|
(#7)
|
| New Member Posts: 18 Join Date: Jan 2007 Location: Athens/GREECE |
19-07-2007, 11:42 AM
Quote:
I'm using database storage, so that's not the issue. I believe the directory gets created one way or another. | |
| | |
|
(#8)
|
| New Member Posts: 18 Join Date: Jan 2007 Location: Athens/GREECE |
19-07-2007, 11:45 AM
Quote:
| |
| | |
|
(#9)
|
| Member Posts: 345 Join Date: Feb 2007 Location: Lyon, France |
19-07-2007, 11:59 AM
On such folders: Chmod should always be 660, if 770 is needed then do it but **1 should never be. Chown should be set to an "apache" account, that way you could get a chmod 600. That's more secure -- Lurking around there -- |
| | |
|
(#10)
|
| Staff  Posts: 39 Join Date: Aug 2006 |
19-07-2007, 12:17 PM
Hi, It is not much of a security problem. Chmod 777 only gives read/write/execute access to other users on the system. Depending on apache configuration, you're probably going to be running as the "nobody" user. If a script is exploited, then that exploit is being carried out by the nobody user.And without privileged access to the system a simple user cannot do any harm to the system . If he gets privileged access it means there is some vulnerability in the operating system. While it is a good idea to chmod from 777 to 776, to prevent nobody from even executing the files. Like in SupportSuite we do not require execute permissions with "Files" and "Cache" directory. Systems that run phpsuexec instead of mod_php then scripts aren't being executed by nobody. They are executed by the website's account on the server. So, chmod 777 won't change anything. Regards, -------------------------------------------------------------------
|
| | |
|
(#11)
|
| New Member Posts: 1 Join Date: Dec 2007 | here you go -
21-12-2007, 12:27 AM
|
| | |
Linear Mode
