Thanks, I did a little searching and saw that 777 is pretty much a bad thing. I just don't understand why it was recommended if it is insecure?
But I just tried 755 and 757 and they both don't work with Pixelpost 1.5 and eleven2?
According to the link above, some say it is weak scripting along with permissions to 777 that allow someone to upload a file.
I'm just trying to figure out how to prevent it. I chose eleven2 based on all the recommendations here. But I have 3 other clients who were also hacked on eleven2.
So I'm not sure who to blame:
permissions? (pixelpost doesn't work on 755 on eleven2)
I learned that Eleven2 has register_globals turned on by default.
If your server is not already configured as such, the following directive should be uncommented in order to set PHP's register_globals option to OFF in .htaccess. This closes a major security hole that is abused by most XSS (cross-site scripting) attacks. For more information: http://php.net/register_globals
php_flag register_globals Off
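
Added example, not part of the original post and not Pixelpost or eleven2 code: a shell audit of the two things raised above, world-writable paths under a web root and whether `.htaccess` carries an uncommented `php_flag register_globals Off`. The function names are hypothetical; note that 757 still has the world-write bit, so it is flagged just like 777, while 755 is not.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Usage: audit_webroot /path/to/webroot

# Print regular files and directories whose "other" write bit is set.
# -perm -0002 matches 777 and 757 alike; 755 does not match.
# Symlinks are skipped because their own mode bits always read as 777.
list_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -0002 -print | sort
}

# Succeed only if FILE has an uncommented directive turning register_globals off.
# A line starting with '#' is a comment and does not count.
# Assumption: PHP runs as an Apache module, the only setup where php_flag
# in .htaccess takes effect.
htaccess_disables_register_globals() {
    [ -f "$1" ] && grep -Eiq \
        '^[[:space:]]*php_flag[[:space:]]+register_globals[[:space:]]+(off|0)[[:space:]]*$' "$1"
}

# Report both findings; return 0 only when the web root passes both checks.
audit_webroot() {
    root=$1
    rc=0
    ww=$(list_world_writable "$root")
    if [ -n "$ww" ]; then
        echo "world-writable paths (any local user or compromised script can write here):"
        echo "$ww"
        rc=1
    fi
    if ! htaccess_disables_register_globals "$root/.htaccess"; then
        echo "register_globals is not disabled in $root/.htaccess"
        rc=1
    fi
    return $rc
}
```
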