Website hacked for the 3rd time!
aat669
06-10-2007, 02:47 PM
If anyone has any suggestions/tips, I'd appreciate the help.
My website was hacked back in November. It was fixed by the Eleven2 folks and everything was fine until last month. It was hacked again. Same Arabic-looking text and weird photos appeared on my site. 112 told me to upgrade my PP to 1.6. I did and got things running again. Well....you guessed it. My site was working fine late last night, but I got up this morning, and yep - it's been hacked AGAIN! Three times in less than a year! Obviously I've emailed the Eleven2 folks for help, but I thought while I wait for their response, I'd post here and see if anyone else is having the same problem.
This is getting ridiculous. The Eleven2 people have always been very helpful, quick to respond and good about fixing things, but I'm wondering if their setup isn't any more secure than this, maybe I should move my hosting elsewhere. Where, I don't know, so I'm open to suggestions.
Has anyone else had this problem? If so, what can be done to prevent it from happening again? I have potential clients visiting my site and it's embarrassing to think they might encounter this crap instead of my photos.
Thanks for listening to my rant. Any help/tips anyone can provide would be appreciated.
Thanks in advance,
A.T.
Dennis
06-10-2007, 03:57 PM
In my opinion this isn't a great hack. We require the images folder to be chmodded 777 to upload pictures. So it's basically open for anyone to write in. Some kid wrote a script which places files in the images folder. They even made it so they replace the latest file with one of their own.
I manually change the permissions of the folder back to 755 with my FTP program and change them before uploading.
I hate the fact all is set to open, but I haven't found a way to solve it. Or we should rewrite the whole uploading system to use FTP.
Hmm, perhaps there is another way. The files created by PHP are owned by an owner which is part of a group.
If we can change the owner and the group of the images and thumbnails folder so they would reflect the owner and group of PHP then 777 is not necessary. You could use 755, which is more secure.
After some digging only the root (ISP) can change the owner of a folder.
When you upload a file to a server the user associated with the method you used will be the "owner" of that file.
If you upload by FTP then the FTP user will own the file.
If you upload by media manager then the apache user will own the file.
If you upload by account cPanel then the root user of the account will own the file.
It is rather like owning a house, you do not want the owner next door making alterations to yours.
Only the owner of a file can administer it and give rights to other users.
Only the owner of a file can delete the file.
You as the domain administrator (cPanel user) will not be able (usually) to change ownership of files, you will have to get your ISP administrator to do that.
So you might wanna make the owner of the folder images and thumbnails to be apache, since this is the owner of the files in the images and thumbnails. There is no easy way to set ownership of a folder other than asking the ISP.
Also, in another thread you posted I recommended the FTP_security addon from my site. You said you tried it, but I find it hard to believe your site got hacked by stupid script kiddies relying on a folder with a chmod 777 if you actually used this addon.
If you did, the folders are set to 755 and not even Pixelpost can write files in most cases.
aat669
06-10-2007, 05:28 PM
You mentioned changing the permissions to the images folder to 777 before uploading, then changing it back to 755 once I'm finished. Can you explain how I do this? I upload by FTP.
It seems to me that this is not an uncommon problem, and I'm not the only one who's had the hacking problem. Shouldn't that be something that should be fixed on PP's end? I shouldn't have to hack my files in order to prevent them from hackers.
As for your FTP security add-on....where do I find this and how do I put it on my site? I'll be glad to give it a try if you don't mind helping with instructions on how to install it. Feel free to PM me if you'd like.
Thanks for your help. I can't continue to have my site hacked every month like this. Not a really good way to get word-of-mouth clients....
Thanks again.
A.
aat669
06-10-2007, 06:21 PM
So I see now that the 777 permissions are changed (I assume) by going into the CPanel's File Manager menu and navigating to my public_html folder and changing the 777 (unsecure) permission on the images folder to 755 (secure) after uploading any new photos, correct? Do I also need to do this on the thumbnail folder?
I upload my photos using PP's admin section. Will that still be the way I can upload photos? I assume I just change the permission on the images folder to 777 (via CPanel) prior to uploading, upload my photo via PP's admin site, then change it back (via the CPanel) to 755 when I'm done?
Or using your addon eliminates this need, correct?
Thanks again.
aat669
06-10-2007, 06:24 PM
Another question....how do I go about removing the hack that appears on my site now so I can get this back to working order? Is there a way to restore it to the way it was last night before I was hacked? Is there something I'm looking for in my images folder to remove?
Dkozikowski
06-10-2007, 07:23 PM
Look for any files inside your images and thumbnails folder that do not have a .jpg extension.
If you are sure you did not put it there, you may delete this file but before you do, can you please save it and send it to
dwilkinsjr@dwilkinsjr.com
thanks
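An added example, not part of any post in this thread: a shell audit for the checks discussed above (folders left at 777, files without a .jpg extension), extended to also flag files named .jpg that do not start with the JPEG header bytes. The function names and the demo tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit an upload folder such as images/ or thumbnails/.
# All paths and sample files below are constructed for this demo.

# Directories that any local account can write to (the 777 case).
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print | sort
}

# Files that are not named like a JPEG at all (scripts, stray HTML, ...).
non_jpg_files() {
    find "$1" -type f ! -iname '*.jpg' ! -iname '*.jpeg' -print | sort
}

# Files named *.jpg whose first three bytes are not the JPEG marker FF D8 FF,
# i.e. a photo that was overwritten with something else.
fake_jpg_files() {
    find "$1" -type f \( -iname '*.jpg' -o -iname '*.jpeg' \) -print | sort |
    while IFS= read -r f; do
        magic=$(od -An -tx1 -N3 "$f" | tr -d ' \n')
        [ "$magic" = "ffd8ff" ] || printf '%s\n' "$f"
    done
}

# Close the folder again after uploading: owner rwx, everyone else r-x.
lock_down() {
    chmod 755 "$1"
}

# Demo on a constructed tree.
demo=$(mktemp -d)
mkdir "$demo/images"
chmod 777 "$demo/images"
printf '\377\330\377\340demo' > "$demo/images/good.jpg"     # real JPEG header
printf '<html>defaced</html>' > "$demo/images/latest.jpg"   # wrong content
printf '<html></html>'        > "$demo/images/index.html"

echo "world-writable:";  world_writable_dirs "$demo"
echo "not .jpg:";        non_jpg_files "$demo"
echo "fake .jpg:";       fake_jpg_files "$demo"
lock_down "$demo/images"
echo "after lock_down:"; world_writable_dirs "$demo"
rm -rf "$demo"
```

Anything the audit lists should be saved for review before it is deleted, as the post above asks.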
aat669
06-10-2007, 07:58 PM
All images in both the images folder and the thumbs folder all have the .jpg extension. I don't see anything out of the ordinary in either place....
Dkozikowski
06-10-2007, 08:11 PM
Can I have a link to your website?
Dkozikowski
06-10-2007, 08:17 PM
I found a link.
Download / SAVE then remove the index.html files from your images and thumbnails directory.
Send me these files.
Dkozikowski
06-10-2007, 08:23 PM
Or, if you trust me with FTP access, I can investigate further.
Dennis
06-10-2007, 08:42 PM
To answer the initial question: changing both the images and thumbnails folder to 755 after uploading by means of your control panel is also sufficient.
Please remember to set it temporarily to 777 again when uploading and reset them to 755 afterwards.
This will prohibit people from replacing the index.html, as I understand from Dave.
Using the addon (see link in sig) does this automatically. Upon uploading you provide the FTP password in the new image form, folders are opened before upload and closed automatically.
You probably have to close them manually first by clicking a button under the ftp_security tab (or close them using your control panel).
Contact me when you need help setting it up. I've found giving the right FTP path might be problematic for some.
dakwegmo
06-11-2007, 01:43 AM
Would having the PP installer create the images and thumbnails directory help with this problem? Then both directories would be created by the web server user, so if permissions are set to 755, the web server could write to them but individual users could not. It would require 777 permissions on the PP root during install, but after that should work at 755.
There are obvious problems. Installing in your web root, you may not be able to make it world writable. You also wouldn't be able to manipulate the folders as a normal user (through ftp or ssh).
aat669
06-11-2007, 02:43 AM
What will removing the index.html files do? Will that restore the site to the way it was prior to the hacking?
aat669
06-11-2007, 02:53 AM
Thanks Schonhose. I've downloaded the addon, but have not installed it as of yet. (I was a little unclear about how to do that part). You mentioned providing the FTP password during upload. I assume that is the same password I use to log in to either my PP admin panel or Eleven2's control panel, correct?
Will removing the index.html files from the images and thumb folders restore the site to the way it was prior to the hack? I'd like to know how I go about removing the hacker's image and info that appears on the site before I start posting new images.
Sorry if I'm overlooking obvious things here. I'm at a bit of a loss when it comes to poking around in my files inside PP. I use PP's admin panel and Dreamweaver to upload stuff to the site.
Thanks again for your help.
Dkozikowski
06-11-2007, 03:46 AM
I'm not sure if removing the index.html files will be 100% effective but they are certainly part of the problem.
There is no need to worry about these files as they technically do nothing but block outside viewers from viewing some users image directories.
If your hosting account is properly set up, these index.html files are completely unnecessary. We just added them to the 1.6.0 release for those who need the added protection.
Dennis
06-11-2007, 06:29 AM
Would having the PP installer create the images and thumbnails directory help with this problem? Then both directories would be created by the web server user, so if permissions are set to 755, the web server could write to them but individual users could not. It would require 777 permissions on the PP root during install, but after that should work at 755.
There are obvious problems. Installing in your web root, you may not be able to make it world writable. You also wouldn't be able to manipulate the folders as a normal user (through ftp or ssh).
This wouldn't work with safe_mode enabled.
Dennis
06-11-2007, 06:31 AM
Thanks Schonhose. I've downloaded the addon, but have not installed it as of yet. (I was a little unclear about how to do that part). You mentioned providing the FTP password during upload. I assume that is the same password I use to log in to either my PP admin panel or Eleven2's control panel, correct?
You need to use your FTP password. The one you use when you uploaded your files to the server. If you use Dreamweaver to upload stuff to your site you've provided a password once. That's the one.
sergiorocha
06-26-2007, 11:08 PM
Hi,
The 777 is for machine users, the problem is in another place, probably in PHP.ini configuration.
SR