
The Geek Culture Forums


Topic: website down, need some help!
maybe.logic (Alpha Geek, Member # 5014) posted July 31, 2006 04:38
Right, well, my friend and I set up a website a few years back, just a small one, so we didn't go to drastic measures to make it as secure as possible; it was just your average nerd site, a few nerdy pages and a forum.

Someone however seemed to upload some malicious code into their signature, and this had just taken EVERYTHING away.

We are (when we rebuild the darn thing) going to have case sensitive user names, as this hacker appeared to have special characters in his name.

I am not sure which files I should change to 644... I know about file permissions, but I have no idea which files I should change.

So I know it may be vague, but hopefully someone can shed some light on the subject or point me in the direction of help. It was just such a surprise that we didn't even get IP logs, so we got stabbed in the dark, I'm afraid.

Thank you very much for your time.

Metasquares (Highlie, Member # 4441) posted July 31, 2006 06:14
It sounds like an SQL injection attack, though you didn't post enough details to confirm this.

We don't know what your site is running, so how would we know which files you need to chmod?

drunkennewfiemidget (BlabberMouth, a Blabber Odyssey, Member # 2814) posted July 31, 2006 06:27
Directories should be 755. Alternatively, if your ISP has SetUID turned on, you can set it to 700, and it should work.

Anything executable (.cgi, actual binaries) should be 755 (700 if setuid).

Everything else (.php, .html, .htm, etc.) should be 644 (600 if setuid).

maybe.logic (Alpha Geek, Member # 5014) posted July 31, 2006 06:39
Thank you DNM, that was all I needed to know. [Smile]

If I do get some more information, I will post it (with regards to the attack); maybe some of you will be interested.

Metasquares (Highlie, Member # 4441) posted July 31, 2006 16:09
quote:
Originally posted by drunkennewfiemidget:

Anything executable (.cgi, actual binaries) should be 755 (700 if setuid).

It's actually better to make them 711 if the webserver supports them (even if not suid). I don't like giving world readable permissions to files that may contain passwords.
drunkennewfiemidget (BlabberMouth, a Blabber Odyssey, Member # 2814) posted August 01, 2006 07:41
quote:
Originally posted by Metasquares:
quote:
Originally posted by drunkennewfiemidget:

Anything executable (.cgi, actual binaries) should be 755 (700 if setuid).

It's actually better to make them 711 if the webserver supports them (even if not suid). I don't like giving world readable permissions to files that may contain passwords.
Good call, presuming it's one of those *nixes or servers that won't check for read access on the file before executing it. I suppose there's only one way to find out, though. [Wink]
dragonman97 (SuperFan!, Member # 780) posted August 01, 2006 08:05
newf: Why not 711 on directories if you want to be really secure? You don't need read access if you know what's in there...only for virtual listings.

--------------------
There are three things you can be sure of in life: Death, taxes, and reading about fake illnesses online...

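As an added example (not code from this thread or any forum package), here is a small Python audit of the permission scheme the replies above converge on: directories and executables 755, everything else 644, with the tighter 711/711/600 variant from the later replies available as an option. The extension lists are assumptions, and the sample tree is constructed for the demo.

```python
import stat
import tempfile
from pathlib import Path

CONTENT_EXTS = {".php", ".html", ".htm", ".css", ".js", ".txt", ".jpg", ".gif", ".png"}  # assumed
SCRIPT_EXTS = {".cgi", ".pl"}  # what the server executes directly (assumed)

def expected_mode(path, private=False):
    """755/755/644 for directories/executables/other files; 711/711/600 when private."""
    if path.is_dir():
        return 0o711 if private else 0o755
    ext = path.suffix.lower()
    if ext in SCRIPT_EXTS:
        executable = True
    elif ext in CONTENT_EXTS:
        executable = False  # a .php with +x is a mistake, not a binary
    else:
        executable = bool(path.stat().st_mode & 0o111)  # unknown type: trust the bit
    if executable:
        return 0o711 if private else 0o755
    return 0o600 if private else 0o644

def audit_webroot(root, private=False, fix=False):
    """List (relative_path, actual, expected) for deviating entries; chmod when fix=True. All of S_IMODE is compared, so stray setuid/setgid/sticky bits count too."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_symlink():
            continue  # chmod follows symlinks; never touch a target outside the root
        actual = stat.S_IMODE(p.stat().st_mode)
        want = expected_mode(p, private)
        if actual != want:
            findings.append((str(p.relative_to(root)), actual, want))
            if fix:
                p.chmod(want)
    return findings

# Constructed sample tree with the usual mistakes: (relative path, mode, file body or None for a dir).
SAMPLE_TREE = [("forum", 0o777, None), ("forum/index.php", 0o666, "<?php\n"),
               ("cgi-bin", 0o755, None), ("cgi-bin/vote.cgi", 0o600, "#!/bin/sh\n")]

def demo():
    """Build SAMPLE_TREE in a temp dir and audit it; returns (root, findings)."""
    root = Path(tempfile.mkdtemp())
    for rel, mode, body in SAMPLE_TREE:
        p = root / rel
        p.mkdir() if body is None else p.write_text(body)
        p.chmod(mode)
    return root, audit_webroot(root)
```

Run the audit without `fix=True` first: a directory that legitimately carries setgid, or a binary under an unexpected extension, will show up as a deviation and should be reviewed rather than blindly rewritten.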
maybe.logic (Alpha Geek, Member # 5014) posted August 01, 2006 10:02
What files could the hackers use to inject my site? Any file they can use, I want to chmod really low.
I already chmodded the global conf file and admin file to unwritable.
Was wondering if any of you guys could help me on this.
Thanks.

maybe.logic (Alpha Geek, Member # 5014) posted August 03, 2006 02:24
quote:
Originally posted by dragonman97:
newf: Why not 711 on directories if you want to be really secure? You don't need read access if you know what's in there...only for virtual listings.

I tried this, but it won't let me set any permissions on the index files in the themes; even if I make new indexes, it won't let me.
Any ideas?

uilleann (Discontinued) posted August 03, 2006 11:06
What files? Whoever said it was files? You've yet to explain how your site works. What does it do, how is it programmed? In what language is it written, and on what server does it run?

dragonman mentioned SQL injection attacks, which apply to any site that uses a database, and takes input from the user either via URL parameters or POST data; see SQL injection attacks by example (dug that out of the security mailing list archives, thanks dman)

There are all sorts of things to watch out for. If you have a contact form, SMTP can be abused. For example, if you have a "From" box, and someone writes "[email protected]\r\nMy-Own-Header: my own values here", and you write the value of that field directly into the mail command, the user has just injected a custom header into the outgoing mail.

Then there's cross-site scripting; I don't know a lot about that, but it's got some bad press. Sites where you can embed JavaScript code into HTML passed in via a form. See samy is my hero.

I don't know of any common exploits for uploading files to a server unless the attacker knows or can find out your FTP password or site control panel password. There was a sweet daily WTF about a site which used an "admin=false" URL parameter which when flipped let anyone in... Duh. My site has some pages that respond to admin=true, but that only adds extra links and you still need a password to change anything.

But you did say signature, so that sounds like XSS or SQL injection.

OK, there is one way to upload files ... file uploads! Any site where you can upload something like an avatar or a background image or favourite MP3, as a file. And you know where on the server it gets placed, e.g. /avatars/username.ext

Now, if that file can somehow be executed (say, if it's a PHP script that doesn't need the execute flag set) and you can request it via a URL, you've just run code on the site. File uploads are quite a nasty problem in this regard. Foremost, make sure they don't ever end in an untrusted extension; also it helps to repeatedly validate the MIME type, both the incoming one and then by asking, say, the UNIX 'file' command to again validate the file to make sure it really is what it's said to be and is an acceptable type of file. (On a Windows server I have no idea how you can prove a file is what it is.) Certainly, make sure the file extension is correct (e.g. ONLY jpg, gif or png) so that the server won't be overly interested in passing it to PHP for execution. You could also use pass-through, e.g. get-image.php?file=, so that the data is returned to the user agent without ever being considered for execution. And store the images outside of the Web root.

The Web is fun, always ways to be got at by someone. Here's another:

/index.php?page=bob.php

Now, what if I type this:

/index.php?page=/etc/passwd

Anywhere you accept a path from the user, make sure it's a valid file to be shown! Don't let visitors pull up any file from the hard drive...

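Added example, not from uilleann's post or any project: the three input checks the post describes (the avatar upload, the ?page= parameter, and the From field of a contact form) written out in Python. The directory paths, the username pattern, the extension whitelist and the image signatures are assumptions.

```python
import os
import re

# Assumed locations: avatars outside the web root (as the post recommends), page templates in one directory.
AVATAR_DIR = "/srv/site-data/avatars"
PAGES_DIR = "/var/www/site/pages"
# Whitelisted image types and the bytes a genuine file of that type begins with.
IMAGE_MAGIC = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
USERNAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")
PAGE_RE = re.compile(r"[A-Za-z0-9_-]+\.php")

def stored_avatar_path(username, claimed_ext, data, avatar_dir=AVATAR_DIR):
    """Path to store an avatar under, or None if the upload is refused.
    The username must be plain ASCII (no '/', '..', spaces or NULs), the extension
    must be on the whitelist, and the file's own bytes must match that type, so a
    script uploaded as .php, or renamed to .png, is rejected either way."""
    if not USERNAME_RE.fullmatch(username):
        return None
    ext = claimed_ext.lower().lstrip(".")
    magic = IMAGE_MAGIC.get(ext)
    if magic is None or not data.startswith(magic):
        return None
    return os.path.join(avatar_dir, f"{username}.{ext}")

def resolve_page(page_param, pages_dir=PAGES_DIR):
    """Absolute file to include for ?page=..., or None.
    Whitelist the shape first, then canonicalise and confirm the result is still
    under pages_dir, so '/etc/passwd' and '../../etc/passwd' both fail."""
    if not PAGE_RE.fullmatch(page_param):
        return None
    base = os.path.realpath(pages_dir)
    target = os.path.realpath(os.path.join(base, page_param))
    if os.path.commonpath([base, target]) != base:
        return None
    return target

def safe_header_value(value):
    """Refuse a form field containing CR or LF: placed in a mail header, those
    would end the header line and let the field supply extra headers of its own."""
    if "\r" in value or "\n" in value:
        return None
    return value.strip()
```

The same logic ports directly to PHP: a whitelist pattern on the name, a check of the leading bytes (or finfo/exif_imagetype) rather than the client-supplied type, and realpath() containment before any include.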
Tut-an-Geek (SuperFan!, Member # 1234) posted August 03, 2006 11:12
What forum software were you using?

A customer of mine running IPB was recently hacked... IIRC the hack involved getting IPB to eval arbitrary PHP code that was posted in a signature or something of the like. The solution to this problem is getting better software, not increasing file permissions (though it's not a bad idea).
