Site compromised

wayne
New Member
Posts: 5
Joined: Sun Feb 10, 2008 11:23 am

Site compromised

Post by wayne »

I found out today a site I support got compromised (v1.4.1). The site itself was not hacked, but someone loaded some code in the templates_c folder and used spam to direct users to code in the folder. The content loaded was a phishing scam that requested a PayPal payment. I am not sure if they managed to get access because the folder has 777 access or if it was a host issue. I am tending to lean towards the host issue because recently they reset all the FTP passwords for all their host accounts and changed folder settings from 777 to 775. According to the docs that folder needs to be 777, but I am running several v1.5 sites set to 775 without issues. Has this changed since v1.4.1? Also, can someone explain how one can upload to templates_c? Would they need a script on the site? I deleted the offending code and put in a .htaccess redirect so that if they managed to upload it again, people would just be redirected to Google if they clicked on the link.

BTW I am amazed at how many people actually clicked through on the spam email!! 
wayne
New Member
Posts: 5
Joined: Sun Feb 10, 2008 11:23 am

Re: Site compromised

Post by wayne »

No takers? Just an update: I watched the hackers/spammers through the logs trying to break into the site by running a script that tests for hundreds of different programs in different folders (admin, tmp & templates_c just to name a few). Luckily they didn't find anything useful, but they also left their IP address so I blocked that. Hopefully that's enough to stop them for now, but I still need the following question answered:

If those directories (tmp & templates_c) have 777 access, is there a way for people to upload files to that directory?
viebig

Re: Site compromised

Post by viebig »

On a shared server environment other user accounts can copy files through SFTP or directly via SSH to a 777 folder. Log in via SSH and check the user that owns those files, and notify your hosting company to track down who did that.
wayne
New Member
Posts: 5
Joined: Sun Feb 10, 2008 11:23 am

Re: Site compromised

Post by wayne »

Thanks, I suspect the host already knows, which is why they changed everyone's FTP details and chmod'd all 777 directories to 775. I removed the code immediately (kept a copy) and I browsed through it; the information collected is rerouted to a server in Nairobi... go figure!!

Do you know why on some accounts I am able to run those directories on 775 and others only on 777? These are on different hosts, but that doesn't really explain it for me. I tried to find out what is_writable really means as far as what it can write to and get varying results, so still confused??
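An audit helper for the two questions raised across this thread: viebig's advice to check who owns the files that appeared in the 777 folder, and wayne's question about what the 775/777 mode bits mean for is_writable. This is an added example, not code from the thread or from the project; it assumes a POSIX shell with GNU or BusyBox `find` and `stat` (the `stat -c` format), and it builds its own constructed sandbox directory instead of touching a real site.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PHP site's writable directories such
# as Smarty's templates_c. Assumes GNU or BusyBox `stat -c` and POSIX `find`.

# List every directory under $1 that has the "other" write bit set (e.g. mode 777).
# On a shared host any other local account can drop files into these.
world_writable_dirs() {
    find "$1" -type d -perm -0002 | sort
}

# List entries under directory $1 not owned by user $2 (default: the current user).
# Files owned by another account are the trace viebig suggests handing to the host.
foreign_files() {
    find "$1" ! -user "${2:-$(id -un)}" | sort
}

# Does an octal permission digit include the write bit (value 2)?
_has_write() {
    case "$1" in 2|3|6|7) echo yes ;; *) echo no ;; esac
}

# Summarise which classes may write to $1: owner, group, other.
# PHP's is_writable() answers this same question for the user PHP runs as.
write_classes() {
    mode=$(stat -c '%a' "$1") || return 1
    mode=$(printf '%s' "$mode" | tail -c 3)      # drop a leading sticky/setgid digit
    u=${mode%??}; rest=${mode#?}; g=${rest%?}; o=${rest#?}
    printf 'owner=%s group=%s other=%s\n' \
        "$(_has_write "$u")" "$(_has_write "$g")" "$(_has_write "$o")"
}

# Build a constructed sandbox mimicking the layout discussed: templates_c at 777, tmp at 775.
build_demo() {
    mkdir -p "$1/templates_c" "$1/tmp"
    printf '<?php /* constructed sample compiled template */\n' > "$1/templates_c/cache.php"
    chmod 777 "$1/templates_c"
    chmod 775 "$1/tmp"
}

run_demo() {
    demo_root=$(mktemp -d)
    build_demo "$demo_root"
    echo "world-writable directories:"; world_writable_dirs "$demo_root"
    echo "templates_c: $(write_classes "$demo_root/templates_c")"
    echo "tmp:         $(write_classes "$demo_root/tmp")"
    echo "entries in templates_c not owned by $(id -un):"; foreign_files "$demo_root/templates_c"
    rm -rf "$demo_root"
}

run_demo
```

Point the same three functions at a real document root (as the account user, over SSH) to get the list the host will want. On why 775 works on some hosts and not others: whether the web server can write with 775 depends on which user it runs PHP as. With mod_php, PHP runs as the server's own account (often www-data or nobody), which is neither the owner nor in the account's group, so only the other-write bit lets it write, which is where the 777 advice comes from. Under suPHP, suEXEC, CGI/FastCGI or a PHP-FPM pool running as the account's user, the owner bit already applies and 755 is enough. is_writable() simply reports whether the PHP process's user can write, so the same mode gives different answers on differently configured hosts; and on a shared host 777 also opens the directory to every other local account, which is the route viebig describes.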