777 permissions required on uploads and other folders?
After having our server hacked over the weekend, I have been told to tighten up all security on our web server, ensuring all directories are not world-writable. I have tried changing the permissions for the uploads, images and modules folders; however, I get an error when trying to upload to them. From other posts I have read, it does advise not to set as 777 as this is a security risk. Are there any other alternatives, or does anyone have any suggestions how I can work around this?
Re: 777 permissions required on uploads and other folders?
I chmod 755 on all core CMS directories and leave "uploads", "tmp" and "cache", etc. open. I don't see any way around your issue. If you're really paranoid, you can lock it down, and open it when you need to upload data, then lock it back down again. If your server was hacked as "root", no permissions would stop it.
Last edited by Wishbone on Fri Nov 12, 2010 1:08 am, edited 1 time in total.
Re: 777 permissions required on uploads and other folders?
I just checked something on my host (GoDaddy.. don't ask).. It seems that the process is being run as myself (not 'nobody' or 'web' or something else)... My PHP scripts are able to chmod my own files.. I think that this is bad. If someone was able to sneak a PHP script on my system, the script can change the permissions to my files that I've locked down, then make edits.
I just checked HostGator.. Seems to be the same. Locking down permissions would help some cases, but any PHP script that finds its way onto your system can do anything it wants to, regardless of the permissions you set.
Last edited by Wishbone on Fri Nov 12, 2010 2:28 am, edited 1 time in total.
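An added example, not part of the thread: a shell audit for the situation discussed above. It lists entries that carry the world-write bit (what 777 grants), removes that bit, and checks whether a directory is still writable through the owner bit alone, which is the case when PHP runs as the account that owns the files. The function names and the sample tree are constructed for illustration, and the check assumes the script is run as the account the PHP process uses.

```shell
#!/bin/sh
# Added example: audit a web root for world-writable entries.
# Function names and the sample tree below are hypothetical.

# Print every regular file or directory under $1 that has the
# "other" write bit set (the bit that mode 777 turns on).
list_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print | sort
}

# Remove only the world-write bit; owner and group bits are untouched.
drop_world_write() {
    find "$1" \( -type d -o -type f \) -perm -0002 -exec chmod o-w {} +
}

# Succeed if the current user owns directory $1 and can create a file
# in it. Run as the PHP process user: success means uploads work
# without the world-write bit.
owner_can_write() {
    dir=$1
    owner_uid=$(ls -ldn "$dir" | awk '{print $3}')
    [ "$owner_uid" = "$(id -u)" ] || return 1
    probe="$dir/.write_probe.$$"
    ( : > "$probe" ) 2>/dev/null || return 1
    rm -f "$probe"
}

demo() {
    demo_root=$(mktemp -d)   # constructed sample tree, not a real site
    mkdir "$demo_root/uploads" "$demo_root/modules"
    chmod 777 "$demo_root/uploads" "$demo_root/modules"
    echo "world-writable before:"; list_world_writable "$demo_root"
    drop_world_write "$demo_root"
    echo "world-writable after:";  list_world_writable "$demo_root"
    if owner_can_write "$demo_root/uploads"; then
        echo "uploads is still writable by its owner"
    fi
    rm -rf "$demo_root"
}
demo
```

If `owner_can_write` fails for the upload directory, the web process runs as a different account than the file owner, and group ownership is the next thing to check before reaching for 777.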