From: Al on 19 Apr 2010 10:59

I'm working on a hosted website that was hacked and found something I don't fully understand. Thought someone here may know the answer.

The site has 4 php malicious files in directories owned by "system" [php created dirs on the site are named "nobody"] and permissions 755.

Is there any way the files could have been written other than by ftp access or at the host root level? Clearly a php script couldn't.

Thanks, Al..........

From: Adam Richardson on 19 Apr 2010 11:11

On Mon, Apr 19, 2010 at 10:59 AM, Al <news(a)ridersite.org> wrote:

> I'm working on a hosted website that was hacked and found something I don't
> fully understand. Thought someone here may know the answer.
>
> The site has 4 php malicious files in directories owned by "system" [php
> created dirs on the site are named "nobody"] and permissions 755.
>
> Is there any way the files could have been written other than by ftp access
> or at the host root level? Clearly a php script couldn't.
>
> Thanks, Al..........
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

Are there any other programming options enabled on the account (Perl, JSP, Ruby, etc?) Even if the files are PHP, any of those programming options can be configured to create the files.

Additionally, a vulnerability in one of the libraries leveraged to provide the hosting environment could also have provided the entry (PHP makes for a capable deliverable, but it doesn't have to provide the key for a hacking situation.)

Adam

--
Nephtali: PHP web framework that functions beautifully
http://nephtaliproject.com

From: Al on 19 Apr 2010 11:18

On 4/19/2010 11:11 AM, Adam Richardson wrote:
> On Mon, Apr 19, 2010 at 10:59 AM, Al<news(a)ridersite.org> wrote:
>
>> I'm working on a hosted website that was hacked and found something I don't
>> fully understand. Thought someone here may know the answer.
>>
>> The site has 4 php malicious files in directories owned by "system" [php
>> created dirs on the site are named "nobody"] and permissions 755.
>>
>> Is there any way the files could have been written other than by ftp access
>> or at the host root level? Clearly a php script couldn't.
>>
>> Thanks, Al..........
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>
> Are there any other programming options enabled on the account (Perl, JSP,
> Ruby, etc?) Even if the files are PHP, any of those programming options can
> be configured to create the files.
>
> Additionally, a vulnerability in one of the libraries leveraged to provide
> the hosting environment could also have provided the entry (PHP makes for a
> capable deliverable, but it doesn't have to provide the key for a hacking
> situation.)
>
> Adam
>

Are Perl, JSP, Ruby, etc. able to ignore the dir ownership and write permissions on a Linux/Apache system?

From: Jim Lucas on 19 Apr 2010 12:01

Al wrote:
> I'm working on a hosted website that was hacked and found something I
> don't fully understand. Thought someone here may know the answer.
>
> The site has 4 php malicious files in directories owned by "system" [php
> created dirs on the site are named "nobody"] and permissions 755.
>
> Is there any way the files could have been written other than by ftp
> access or at the host root level? Clearly a php script couldn't.
>
> Thanks, Al..........
>

What version of Apache/PHP is it running?

--
Jim Lucas

"Some men are born to greatness, some achieve greatness, and some have greatness thrust upon them."
Twelfth Night, Act II, Scene V by William Shakespeare

From: Al Rider on 19 Apr 2010 12:07

Apache 2.0.63
php 5.2.8

I know both are obsolete and need updating. I told my client to request same from their ISP.

Al

On 4/19/2010 12:01 PM, Jim Lucas wrote:
> Al wrote:
>
>> I'm working on a hosted website that was hacked and found something I
>> don't fully understand. Thought someone here may know the answer.
>>
>> The site has 4 php malicious files in directories owned by "system" [php
>> created dirs on the site are named "nobody"] and permissions 755.
>>
>> Is there any way the files could have been written other than by ftp
>> access or at the host root level? Clearly a php script couldn't.
>>
>> Thanks, Al..........
>>
>>
> What version of Apache/PHP is it running?
>
>
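
Added example (not part of the thread or any poster's code): a Python triage helper for the question discussed above, reporting for each .php file under a web root who owns it and whether the web-server account could have created it under the directory's current owner and mode. It checks classic Unix permission bits only (no ACLs), and the uid standing in for "nobody" and the sample tree in `demo()` are constructed.

```python
import os
import stat
import tempfile

def can_create_in(mode, dir_uid, dir_gid, uid, gids):
    """True if uid/gids may create entries in a directory with this mode and
    ownership (classic Unix bits only: no ACLs; uid 0 bypasses the bits)."""
    if uid == 0:
        return True
    if uid == dir_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif dir_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (mode & need) == need

def audit(root, web_uid, web_gids):
    """List .php files with owner, mtime and whether the web-server account
    could have created them under the current directory permissions."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        d = os.lstat(dirpath)
        writable = can_create_in(d.st_mode, d.st_uid, d.st_gid, web_uid, web_gids)
        for name in sorted(files):
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            f = os.lstat(path)
            rows.append({"path": path, "file_uid": f.st_uid, "dir_uid": d.st_uid,
                         "dir_mode": oct(stat.S_IMODE(d.st_mode)),
                         "mtime": int(f.st_mtime),
                         "web_user_could_create": writable})
    return rows

def demo():
    """Constructed sample tree: one directory at 755 holding one .php file."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "images")
        os.mkdir(sub)
        os.chmod(sub, 0o755)
        open(os.path.join(sub, "x.php"), "w").close()
        other_uid = os.lstat(sub).st_uid + 1  # constructed stand-in for "nobody"
        return audit(sub, other_uid, [])

if __name__ == "__main__":
    for row in demo():
        print(row)
```

A row with `web_user_could_create` false and a `file_uid` other than the web-server account points at a channel that runs as the directory owner or root (FTP, control panel, host-level access). The result reflects permissions as they are now, so compare each `mtime` with the FTP and access logs before drawing conclusions.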