
Site hacked

Posted: Thu Oct 18, 2007 5:48 pm
by milehigh
One of my CMSMS sites was hacked.

They changed some text around and changed the password so I couldn't log in and change it.

I realized I had my config.php file permissions set to 777. I'm guessing that made it pretty easy for them.

Is there anything else obvious I need to look for to try to lock it down? (CMS Made Simple 1.1.4.1 "Taga")

Re: Site hacked

Posted: Thu Oct 18, 2007 5:50 pm
by afri-can
My site was also hacked. What permissions should the config.php file have?

Re: Site hacked

Posted: Thu Oct 18, 2007 5:58 pm
by tsw
As tight as it can be. It depends a lot on the server settings.

Re: Site hacked

Posted: Thu Oct 18, 2007 6:12 pm
by milehigh
afri-can wrote: My site was also hacked, what permissions should the config.php file have
I reset mine to read-only. No write or execute access (444).

Re: Site hacked

Posted: Thu Oct 18, 2007 6:15 pm
by milehigh
I'm also wondering...I was having trouble updating content so I had my hosting provider disable mod_security. Was this a mistake?

If so... exactly which directories/files is it safe to leave mod_security off for?

I would get an access denied error whenever trying to update user defined tags or anything with php or javascript in the code.

Re: Site hacked

Posted: Thu Oct 18, 2007 6:19 pm
by tsw
The last number still means that anybody can read it.

For example, something like this

xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

might still reveal your MySQL info to another user on the same server.

There are ways to prevent this, but some hosters don't know / bother / think it's not necessary to do.


Mod security is another thing; it keeps requests like page=drop table;... out of PHP.


Secure PHP is possible, but it needs some knowledge and has a bit of overhead on the server.

1. run PHP through suexec
2. have *good* mod security rules
3. keep your PHP *and* PHP software up to date
4. follow the logs closely
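
As an added example, not from tsw's post and not CMSMS project configuration, here is how the mod_security points above look as an Apache/ModSecurity 2.x fragment: the "disable it entirely" setting the host applied, beside a form that keeps one blocking rule for the public pages and relaxes only the admin path that the user-defined-tag editor posts to. The /admin/ path (the CMSMS default, but it can be renamed), the rule id 900100 and the keyword pattern are assumptions made for the illustration.

```apache
# Added example: Apache + ModSecurity 2.x fragment. Not CMSMS project configuration.
# Assumptions: the admin console lives under /admin/ (CMSMS default, renameable),
# rule id 900100 is ours, and the pattern is only an illustration of "a good rule".

# --- Weak setting: what "have the host disable mod_security" amounts to ---
# SecRuleEngine Off
# Nothing is inspected for any URL, including the public pages on which a
# request such as page=drop table;... arrives.

# --- Corrected form ---
SecRuleEngine On
# Without request body access, phase 2 rules never see POST arguments.
SecRequestBodyAccess On

# One example of a "good" rule: refuse SQL DDL keywords in any request argument.
SecRule ARGS "@rx (?i)\b(drop|alter|truncate)\s+table\b" \
    "id:900100,phase:2,deny,status:403,log,msg:'SQL DDL keyword in request argument'"

# The admin editor legitimately posts PHP and JavaScript in user defined tags,
# which is what produced the access-denied errors. Relax only that path, which
# already sits behind the admin login, instead of the whole site.
<LocationMatch "^/admin/">
    # Option A: keep inspecting and logging admin requests, but stop blocking them.
    SecRuleEngine DetectionOnly
    # Option B (tighter): keep blocking and remove, by id, only the rules that
    # fire on legitimate editor input.
    # SecRuleRemoveById 900100
</LocationMatch>
```

With DetectionOnly the admin requests are still written to the audit log, so point 4 above (follow the logs) keeps covering exactly the requests you stopped blocking. Per-location engine overrides and the SecRule/SecRuleEngine directive names belong to the ModSecurity 2.x line; a host still on 1.x uses the older SecFilter-style directives, so check the version before pasting.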

Re: Site hacked

Posted: Thu Oct 18, 2007 7:03 pm
by milehigh
tsw wrote: the last number still means that anybody can read it..

for example something like this


OK... so if somebody were to follow a best-practices scheme for securing their CMS installation, what would this be?

(Keeping in mind that many of us are on shared hosting solutions)

Re: Site hacked

Posted: Fri Oct 19, 2007 2:22 pm
by tsw
Best practice depends on the hoster, but here are some basic rules (not in any particular order).

1. always keep your site up to date
2. try tightening all permissions (just set them to very restrictive first, test if everything works and loosen until everything works)
3. use good passwords for backend

And shared hosting can be very secure; it's just that some hosters won't go that extra mile to do it.

Re: Site hacked

Posted: Fri Oct 19, 2007 5:09 pm
by jmcgin51
TSW - when you say "try tightening all permissions (just set them to very restrictive first, test if everything works and loosen until everything works)", what exactly do you mean?  Obviously you can't mean to set the permissions on every single CMSMS file, so which ones are the important ones to check?

Thanks!

Re: Site hacked

Posted: Fri Oct 19, 2007 6:28 pm
by tsw
You can start with something like

cd cmsms_folder
# quote the pattern: an unquoted *.php would be expanded by the shell before find sees it
find . -name '*.php' | xargs chmod 400

which will set every file to read-only, for your user only.

like

-r--------  1 username groupname 18 9.6K 2007-10-09 21:07 index.php


(This still works for me, at least.)

And all PHP files are owned by the "ftp" user (not some www user / group).

If that doesn't work for you, try 440 (still not world-readable).

Some servers want PHP files to be executable as well, so 500 and 550 might work better for some people.

config.php is the most important to secure from other users (it contains your MySQL username and password).

After that, start securing the uploads / tmp / modules folders.

Just tested with tmp, and 500 still works on my server (your mileage may vary).

Also, when PHP is run through suexec, all PHP scripts are run with the user privileges set for that site (every site has its own user for running the scripts). This has a few pros:

1) another user's PHP process cannot read another user's files (if file permissions are OK)
2) files created by that script have the same owner/group information (for example, uploaded images are still owned by your user, not apache or wwwuser or something)

One drawback of this is the overhead of suexec (that's the main reason hosters don't use it).

Disclaimer: all of this information is provided as is, and I hold no responsibility for the correctness of this data. If you hose your installation with these instructions, roll back your changes. Take backups. Read the man pages of chmod, find and xargs.
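
The commands above as a repeatable procedure, written as an added example for this thread rather than taken from the post or from CMS Made Simple: record the current modes so the rollback the disclaimer asks for is a single command, audit what other accounts on the host can read or change, then apply the file modes in tsw's order (400, 440, 500, 550) until a check passes. It assumes GNU or BSD stat/find/chmod, a CMSMS layout with config.php, uploads/, tmp/ and modules/, and paths without newlines; the sample tree it builds is constructed for the demo and is not a real install.

```shell
#!/bin/sh
# Added example for this thread (not from the post or from CMS Made Simple):
# record, audit, tighten, test and roll back file modes on a CMSMS tree.
# Assumptions: GNU or BSD stat/find/chmod, paths without newline characters.

mode_of() {              # octal permission bits of one path: GNU stat first, BSD stat as fallback
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

cmsms_record_modes() {   # DIR MANIFEST: save "mode<TAB>path" for every entry so changes can be undone
    : > "$2"
    find "$1" -print | while IFS= read -r p; do
        printf '%s\t%s\n' "$(mode_of "$p")" "$p" >> "$2"
    done
}

cmsms_rollback() {       # MANIFEST: restore the recorded modes (find lists parents first, so order is safe)
    tab=$(printf '\t')
    while IFS="$tab" read -r mode p; do
        chmod "$mode" "$p"
    done < "$1"
}

cmsms_audit() {          # DIR: list what every other account on a shared host can read or change
    # other-read on a PHP file exposes code and, for config.php, the MySQL password;
    # other-write anywhere lets anyone on the box edit or plant files
    r=$(find "$1" -type f -name '*.php' -perm -004 -print)
    w=$(find "$1" -perm -002 -print)
    [ -n "$r" ] && printf '%s\n' "$r" | sed 's/^/world-readable: /'
    [ -n "$w" ] && printf '%s\n' "$w" | sed 's/^/world-writable: /'
    [ -z "$r" ] && [ -z "$w" ]      # exit 0 only when nothing was found
}

cmsms_tighten() {        # DIR FILE_MODE DIR_MODE: e.g. 400 500 first, 440/550 if that breaks the site
    case $3 in
        [1357][0-7][0-7]) ;;        # owner must keep search (x) on directories or nothing below is reachable
        *) echo "directory mode $3 drops owner x" >&2; return 1 ;;
    esac
    find "$1" -type f -name '*.php' -exec chmod "$2" {} +   # pattern quoted: the shell must not expand it
    find "$1" -type d -exec chmod "$3" {} +
}

cmsms_loosen_until_works() {   # DIR CHECK_CMD MODE...: apply each file mode in turn, stop at the first that passes
    d=$1; check=$2; shift 2
    for m in "$@"; do
        cmsms_tighten "$d" "$m" 500 || return 1
        if sh -c "$check" >/dev/null 2>&1; then echo "$m"; return 0; fi
    done
    echo "no mode in the list passed the check; roll back" >&2
    return 1
}

cmsms_make_sample_tree() {   # DIR: constructed stand-in for the install described in the thread
    mkdir -p "$1/uploads/images" "$1/tmp/cache" "$1/modules"
    printf '<?php $config["db_password"] = "constructed";\n' > "$1/config.php"
    printf '<?php echo "home";\n' > "$1/index.php"
    printf 'PNG' > "$1/uploads/images/logo.png"
    chmod 777 "$1/config.php" "$1/uploads"                  # the two mistakes named in the thread
    chmod 644 "$1/index.php" "$1/uploads/images/logo.png"
    chmod 755 "$1" "$1/uploads/images" "$1/tmp" "$1/tmp/cache" "$1/modules"
}

demo() {
    site=$(mktemp -d) && cmsms_make_sample_tree "$site"
    echo "--- before ---"; cmsms_audit "$site" || true
    cmsms_record_modes "$site" "$site.modes"
    # on a real host the check would fetch a page through the web server, e.g. curl -fsS http://yoursite/
    echo "PHP file mode that works: $(cmsms_loosen_until_works "$site" "test -r $site/index.php" 400 440 500 550)"
    echo "--- after ---"; cmsms_audit "$site" && echo "clean"
    cmsms_rollback "$site.modes"; rm -rf "$site" "$site.modes" # roll back first: 500 directories cannot be emptied
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh harden.sh demo` to see the before/after on the constructed tree. On a real host replace the `test -r` check with something that exercises the site as the web server sees it (a `curl -fsS` of the home page and of an admin page), because whether 400 works at all depends on whether PHP runs as your user (suexec, cgi-wrap) or as the shared www user. The audit deliberately flags only world-readable *.php files: images and stylesheets are served to the world anyway, but config.php is the file that carries the database password, and anything world-writable is a problem regardless of type.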

Re: Site hacked

Posted: Fri Oct 19, 2007 6:28 pm
by moorezilla
People can certainly exploit web server processes as well, but I've had less security headaches by turning file/directory ownership over to apache and leaving world permissions at 0, rather than chmoding anything to 755 or 777 or what not. This won't be an option for everyone, but if you have root access, you might want to go this route.

Re: Site hacked

Posted: Sat Oct 20, 2007 1:13 pm
by cnymike
I've had sites hacked too and it is so aggravating.

You can mitigate damage by being sure to have current backups of your CMS Directory and database. This is essential because if you do get hacked, you can simply trash the installation and restore from your backups.

Another thing to consider is if you are on a shared server, see if they offer "php cgi-wrap" which can be helpful in securing your site.

Another thing to do is never leave directories world-writable (777). If you need to use file manager to upload files or images, chmod your uploads directory right before you need to upload and then change permissions back to a more secure setting once you're done. Yes it's a pain in the butt, but so is getting hacked and this isn't nearly as much hassle.

If you use php cgi-wrap, you need never leave directories in 777 state to upload. This is inherently safer and less of a hassle. Of course there are caveats with using php cgi-wrap, so be sure to read up on it http://www.pair.com/support/knowledge_base/authoring_development/system_cgi_php-cgiwrap.html.
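
cnymike's two practices above, written out as an added example (not from the post and not from CMS Made Simple): a wrapper that opens the uploads directory for exactly one command and closes it again even if that command fails or is interrupted, and a sha256 manifest to keep beside the backup so that a compromised tree can be compared file by file instead of by eye. It assumes sha256sum or shasum is installed and that paths contain no newlines; the tree the demo builds is constructed.

```shell
#!/bin/sh
# Added example for this thread (not from the post or from CMS Made Simple).
# with_writable_dir : open a directory only for the duration of one command, and
#                     close it again even when the command fails or is interrupted.
# snapshot_tree and : a sha256 manifest kept next to the backup, so after an incident
# verify_tree         "they changed some text around" becomes a list of file names.
# Assumptions: sha256sum (coreutils) or shasum (perl) present; paths without newlines.

mode_of() {              # octal permission bits of one path: GNU stat first, BSD stat as fallback
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

hash_cmd() {             # whichever sha256 tool this host has
    if command -v sha256sum >/dev/null 2>&1; then echo sha256sum; else echo "shasum -a 256"; fi
}

with_writable_dir() {    # DIR OPEN_MODE CMD...: chmod DIR to OPEN_MODE, run CMD, always put the old mode back
    wdir=$1; open=$2; shift 2
    saved=$(mode_of "$wdir")
    # the traps cover what a plain "chmod back" after the command would miss: Ctrl-C, kill, set -e
    trap 'chmod "$saved" "$wdir"' EXIT
    trap 'exit 130' INT TERM
    chmod "$open" "$wdir"
    rc=0; "$@" || rc=$?                  # "|| rc=$?" keeps a failing CMD from aborting under set -e
    chmod "$saved" "$wdir"
    trap - EXIT INT TERM
    return $rc
}

snapshot_tree() {        # DIR MANIFEST: "hash  ./path" for every regular file, sorted so comm can diff manifests
    (cd "$1" && find . -type f -exec $(hash_cmd) {} + | LC_ALL=C sort) > "$2"
}

verify_tree() {          # DIR MANIFEST: report files whose content differs from the manifest; 0 only if identical
    now=$(mktemp)
    snapshot_tree "$1" "$now"
    if cmp -s "$2" "$now"; then rm -f "$now"; return 0; fi
    # a modified file shows up in both lists; a deleted one only in the first, a planted one only in the second
    LC_ALL=C comm -23 "$2" "$now" | sed 's/^[0-9a-f]*  */gone or changed since snapshot: /'
    LC_ALL=C comm -13 "$2" "$now" | sed 's/^[0-9a-f]*  */new or changed since snapshot:  /'
    rm -f "$now"; return 1
}

demo() {   # constructed tree: snapshot it, upload through the wrapper, deface a page, then verify
    site=$(mktemp -d); mkdir -p "$site/uploads"; chmod 755 "$site/uploads"
    printf '<?php echo "home";\n' > "$site/index.php"
    snapshot_tree "$site" "$site.sha256"
    with_writable_dir "$site/uploads" 777 sh -c "printf 'PNG' > '$site/uploads/new.png'"
    echo "uploads is back to $(mode_of "$site/uploads")"
    printf '<?php echo "hacked";\n' > "$site/index.php"
    verify_tree "$site" "$site.sha256" || echo "tree differs from the snapshot"
    rm -rf "$site" "$site.sha256"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh uploads.sh demo`. The manifest is only as trustworthy as the place it is stored: keep it with the off-server backup, not in the web root, or the intruder who edits index.php can edit the manifest too. The wrapper covers uploads you make yourself over FTP or SSH; it does not help with a PHP file manager that needs the directory writable while the web server, not you, is the writer. That is the case php cgi-wrap or suexec solves by running PHP as your own user.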

Re: Site hacked

Posted: Sat Oct 20, 2007 1:30 pm
by Sy
I'm confused....

In order for someone to write to a file on your server, don't they first need to be authenticated via FTP? If anonymous FTP is not permitted, then exactly how can someone write to a file on your server, regardless of file permissions?

Re: Site hacked

Posted: Sat Oct 20, 2007 2:26 pm
by cnymike
Someone can hack into a shared server via your account (if they have somehow obtained your user login info), via an exploit in some application you may be running, like a CMS, blog, photo gallery, etc., or by way of an exploit in another user's space on that shared server. It's hard to get your head around, but it happens all the time, unfortunately. XSS (cross-site scripting) exploits are common.

Recently several sites I had hosted on hostrocket.com were hacked because of an exploit that was in the cPanel/Fantastico. It wasn't pretty.

Re: Site hacked

Posted: Wed Oct 24, 2007 10:16 pm
by Pierre M.
Hello,

If people do var_dump($config), their actions can be logged by the hosting provider. Choose a provider in a law-enforcing country. To do this dump, they need to live at the same provider as you.

To prevent outside attacks, set up some filtering rules.

Pierre M.