Major hacking problems with chmod 777 experienced

Post by Glenn »

I know there have been several threads posted about this, and from what I can tell from Ted and Calguy it's something we have to live with, but it's becoming a major problem at least for me.

I just received panicky emails from a client that their site has been hacked. This is the fourth different client (each on a different server) that I have had this happen to. This time it was a php file installed in the modules directory. Twice I've had a folder with a complete cgi and associated files installed in one of the images directories and once had a folder with cgi and files installed in the tmp cache directory. I couldn't even remove any of the files via ftp as I was not the owner, I had to do it through my hosting provider's control panel.

It seems that I can't run the sites at all unless tmp/cache and tmp/templates_c are both anything but 777 and if I take 777 off of the uploads directory my clients can't run their own sites with CMSMS. FTP is NOT an option for ANY of my clients. Removing 777 from modules is not a problem since I don't want clients messing with those directories anyway.

I've used CMSMS now since version 0.8, for at least 20 client sites and now I'm not sure I'll be able to use it anymore. Did I miss a thread with the solution? Is there one? I read Calguy's very detailed sticky about umask and permissions, and do understand changing permissions via ftp and through the web control panel but the rest of it was totally Greek. I, like most designers (that's DESIGNER not PROGRAMMER) do not run my own server. All of my clients are on shared servers at hosting providers.

As always (except for this problem) CMSMS totally rocks. Thanks for any help or insight in advance.

Glenn
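
A read-only audit for the two conditions described in the post above: directories any local account can write to, and script files sitting in directories meant for data. This is an added example, not part of the original post and not CMSMS code; the directory list comes from the thread, and the file name `audit.sh` and the extension list are assumptions.

```shell
#!/bin/sh
# Added example: read-only audit of a CMSMS web root.
# Directory names are the ones named in the thread; adjust for your layout.

# Print every directory under $1 that any local account can write to
# (the "other" write bit, which is what chmod 777 sets).
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print 2>/dev/null | sort
}

# Print script-like files inside directories that should hold only data.
# Skipped on purpose: modules/ (legitimately full of PHP, so it needs a
# comparison against a clean copy instead) and tmp/templates_c (Smarty
# stores its compiled templates there as .php files).
scripts_in_data_dirs() {
    for d in uploads images tmp/cache; do
        [ -d "$1/$d" ] || continue
        find "$1/$d" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.cgi' -o -iname '*.pl' \) -print
    done | sort
}

# Usage: sh audit.sh /path/to/site
if [ -n "${1:-}" ]; then
    echo "== world-writable directories =="
    world_writable_dirs "$1"
    echo "== script files in data directories =="
    scripts_in_data_dirs "$1"
fi
```

Any hit from the second list is worth comparing against the site's last known-good backup before deleting it, since the file's timestamp and owner help date the intrusion.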

Re: Major hacking problems with chmod 777 experienced

Post by kermit »

your problem likely isn't with cmsms (you are keeping your cmsms installs updated like a good boy, aren't you? ;)), but with others on the shared servers running scripts that are exploitable.

if the "hacked" sites are all (or mostly) on the same provider's servers (such as.. ahem.. ipower), it's TIME TO MOVE!  note that large providers like ipower have 100's of servers, so it's entirely possible for your dozen or so sites that are hosted there to all be on different servers. providers that oversell their servers (place far too many accounts on it that it can actually hold; and ipower is one such host) can easily have 1000 or more users on a single server. the more users and sites on a shared server, the higher the chance that someone, somewhere on it, is running swiss cheese.

having a client call ipower to renew their domain (and domain only, canceling the hosting they got before they found us) is one of the most effective marketing tools we have in our arsenal. ;)  their support sucks beyond all comprehension; and we, without a doubt, end up with a client-for-life.
Last edited by kermit on Fri Jul 06, 2007 3:02 am, edited 1 time in total.

Re: Major hacking problems with chmod 777 experienced

Post by Nullig »

Google - ipowerweb hacked iframe

I think that's your problem. I'm running CMSMS on about 30 different sites and have never been hacked.

Nullig

Re: Major hacking problems with chmod 777 experienced

Post by Glenn »

I see what you're saying about iPower, except that only two of the 4 hacked sites are on iPower. One of them is on a dedicated Mac OS X server (I'm also on a Mac).

I'm not a programmer, so I don't mean to argue with you, I'm trying to learn from you. How are hackers getting in if these hacked sites are on different servers with different providers? If I Google "tmp/templates_c" I get a long list of sites that are obviously running CMSMS. I can then view the contents of that directory on most of these sites, as well as the other directories with chmod 777. It doesn't seem like a stretch for a hacker to figure out that these directories exist on all CMSMS installations and to figure out a way to upload files into them. Isn't it possible?

BTW: iPower isn't the only provider I've worked with who've been hacked. I've seen entire servers taken down at other hosting providers (Fast.net) and was given a real hassle about resurrecting the backup. iPower is the only host I've EVER worked with (and I've worked with a lot since I started doing this in 1994) where I can call and speak to an actual tech person (without going through a freakin ticket system...AAARGH!) in minutes. If any of you have better suggestions for hosting providers that you believe are safer to run CMSMS on I'm all ears. I'll switch in a minute if it's affordable. Sorry for the off-topic.

Thanks again.

Re: Major hacking problems with chmod 777 experienced

Post by Nullig »

I'm not arguing with you, just pointing out that just because those directories are writeable, doesn't automatically mean that CMSMS is the source of your problem. Of course, anything is possible - the only 100% secure computer is one not connected to anything. However, a lot of website hacks are the result of the hosting server being compromised, giving the hacker root/admin access, allowing them to wreak havoc. Another sizeable percentage of hacked sites are due to poor password choices for the site owners/admins, which makes them easily compromised with password crackers.

Also, Mac OS X Server is not without its problems. Apple releases almost as many patches as MS for their servers and there are known vulnerabilities that have not yet been patched by Apple, as there are with MS.

There are a LOT of CMSMS users here, but not very many forum threads regarding hacked sites. This indicates to me that this is not as HUGE a problem as you have implied.

It would be interesting to view the server logs for the sites that were hacked, to see when and how it happened. Perhaps you could request the logs from your hosting provider, so that the issue could be investigated thoroughly.

Nullig
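
A first pass over the server logs suggested in the post above, flagging requests that reach script files or open directory listings under the writable directories discussed in this thread. This is an added example, not part of the original post; it assumes Apache combined log format, and the sample log lines, addresses and file names are constructed.

```shell
#!/bin/sh
# Added example: triage an access log for requests into data directories.
# Assumes Apache combined log format (field 7 = path, field 9 = status).

# Constructed sample log; every address, path and timestamp is made up.
sample_log() {
cat <<'EOF'
198.51.100.7 - - [05/Jul/2007:21:58:11 +0000] "GET /index.php?page=home HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jul/2007:21:58:12 +0000] "GET /uploads/images/logo.jpg HTTP/1.1" 200 20311 "-" "Mozilla/5.0"
203.0.113.45 - - [05/Jul/2007:22:14:03 +0000] "GET /tmp/templates_c/ HTTP/1.1" 200 1502 "-" "Mozilla/4.0"
203.0.113.45 - - [05/Jul/2007:22:14:40 +0000] "POST /uploads/images/gal/x.cgi?a=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.45 - - [05/Jul/2007:22:15:02 +0000] "GET /tmp/cache/drop.PHP HTTP/1.1" 200 77 "-" "Mozilla/4.0"
EOF
}

# Read a log on stdin; print "reason time client method path status" for
#   script:      a script file requested under uploads/, images/ or tmp/
#   dir-listing: a directory URL under those paths answered with 200
flag_data_dir_requests() {
    awk '{
        method = $6; sub(/^"/, "", method)
        path = $7;   sub(/\?.*$/, "", path)      # drop the query string
        p = tolower(path); reason = ""
        if (p !~ /^\/(uploads|images|tmp)\//) next
        if (p ~ /\.(php[0-9]?|phtml|cgi|pl)$/) reason = "script"
        else if (p ~ /\/$/ && $9 == 200) reason = "dir-listing"
        if (reason != "") print reason, substr($4, 2), $1, method, path, $9
    }'
}

# Usage: sh logtriage.sh access.log   (hypothetical file name)
# With no argument the constructed sample above is used.
if [ -n "${1:-}" ]; then
    flag_data_dir_requests < "$1"
else
    sample_log | flag_data_dir_requests
fi
```

The earliest flagged timestamp gives a starting point for reading the surrounding log lines from the same client, which is where the "when and how" usually shows up.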