Pixelpost

Authentic Photoblog Flavour



 
  #1  
Old 12-16-2006, 08:06 PM
visualpixel Offline
forum loafer
 
Join Date: Apr 2005
Location: Kauai, Hawaii, USA
Posts: 17
Someone hacked into my site, please help!

Hi,

Has anyone got their pixelpost photoblog hacked before? If you visit my site http://www.visualpixel.net you can see the problem. This is actually the second time it happened. The first time I couldn't even access my site and I had this message on the page:

Error: Access denied for user 'markb808_pxlpost'@'localhost' (using password: YES)

I messaged my host, Eleven2 and told them about the problem. The tech support guy told me that I had not added any user database. I told him that's impossible because I was able to access the site before and I hadn't made any changes for about a year. He quickly fixed it but I noticed a strange picture that I didn't post similar to the one on my site right now. The tech support guy said that my site got hacked and that I needed to re-install pixelpost. So I upgraded to the newest version 1.5 and everything seemed to work fine.

Unfortunately the hacker replaced the photo with the hacked one and I didn't have a copy of the original available to re-load up. I was forced to delete that entire post.

A few days after the upgrade I got hacked again. The current hack is what you see on the site right now.

Has anyone got this problem before and is it host related or pixelpost related?

I'm very concerned about the security of this application and any help on fixing this would be gladly appreciated.

-Mark
__________________
www.visualpixel.net
  #2  
Old 12-16-2006, 09:23 PM
Dennis+ Offline
Team Pixelpost
 
Join Date: Jul 2006
Posts: 2,394
In my opinion this isn't a great hack. We require the images folder to be chmodded 777 to upload pictures. So it's basically open for anyone to write in. Some kid wrote a script which places files in the images folder. They even made it so they replace the latest file to one of their own.

I manually change the permissions of the folder back to 755 with my FTP program and change them before uploading.

I hate the fact all is set to open, but I haven't found a way to solve it. Or we should rewrite the whole uploading system to use FTP.

Hmm, perhaps there is another way. The files created by PHP are owned by an owner which is part of a group.

If we can change the owner and the group of the images and thumbnails folder so they would reflect the owner and group of PHP then 777 is not necessary. You could use 755, which is more secure.

After some digging only the root (ISP) can change the owner of a folder.

Quote:
When you upload a file to a server the user associated with the method you used will be the "owner" of that file.

If you upload by FTP then the FTP user will own the file.
If you upload by media manager then the apache user will own the file.
If you upload by account cPanel then the root user of the account will own the file.

It is rather like owning a house, you do not want the owner next door making alterations to yours.

Only the owner of a file can administer it and give rights to other users.
Only the owner of a file can delete the file

You as the domain administrator (Cpanel user) will not be able (usually) to change ownership of files, you will have to get your ISP administrator to do that.
So you might want to make the owner of the folders images and thumbnails apache, since this is the owner of the files in images and thumbnails. There is no easy way to set ownership of a folder other than asking the ISP.
__________________
My photoblog, powered by PixelPost 1.9 dev SVN | My Pixelpost Addons | My Cool Photoblog profile

Last edited by Dennis; 12-16-2006 at 10:22 PM.
  #3  
Old 12-16-2006, 10:11 PM
visualpixel Offline
forum loafer
 
Join Date: Apr 2005
Location: Kauai, Hawaii, USA
Posts: 17
Schonhose,

Thanks! I changed the permissions to 755; luckily I had a backup copy to replace the hacked photo with the original. So I guess from now on whenever I upload a new photo I'll have to change the permissions back to 777, then to 755 when I'm done?

Thanks again!
__________________
www.visualpixel.net
  #4  
Old 12-16-2006, 10:40 PM
Dennis+ Offline
Team Pixelpost
 
Join Date: Jul 2006
Posts: 2,394
yeah well sorry but that seems to be the only way.

I've done some testing:

If a folder is created by FTP the owner is the FTP owner and group is FTP group.

If we upload a file the file belongs to "apache" of group "apache". We can write in this folder because the script that does the writing is owned by the FTP owner since we uploaded it through FTP.

But if PHP wants to write in that folder there is a problem, PHP is not allowed because it is a different user (apache). So we need to set the folder to 777 so the user apache can write files (as well as anybody).

The most logical solution would be to change the ownership of the folder to apache but then another problem would appear: the script trying to access the folder is from a different owner. Major troubles, so you have to change the ownership of the files also to apache.

Now you can set the folder to 711 (although you're not allowed to do that through FTP anymore because of the different owner.)

So changing it manually would be the best thing for now.

Although I'm not sure how this will work when you add the FTP user to the apache group.
__________________
My photoblog, powered by PixelPost 1.9 dev SVN | My Pixelpost Addons | My Cool Photoblog profile
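The ownership situation Dennis describes above (folder created by the FTP user, PHP running as apache, so nothing short of 777 lets uploads work, and 777 lets every account and script on the host write there) can be checked from a shell on the host. The script below is an added example, not Pixelpost code or an addon from this thread; it assumes a GNU or BSD stat and that it is run as the user PHP runs under, and the directory names are passed as arguments.

```shell
#!/bin/sh
# Added example, not Pixelpost code: audit the owner and mode of the
# directories Pixelpost writes to (images/ and thumbs/) and say how the
# current user gets write access to them. Assumes GNU or BSD stat. Run it
# as the user PHP runs under (the "apache" user in Dennis's description)
# to see the situation the thread describes.

# Octal permission bits of a path, e.g. 777 or 755.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# User name that owns a path.
owner_of() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# "world-writable" when the write bit for "other" is set (777 and the like:
# every account and script on the host can drop or replace files here),
# otherwise "owner-writable".
audit_dir() {
    mode=$(mode_of "$1")
    last=${mode#"${mode%?}"}          # last octal digit = "other" bits
    if [ $(( last & 2 )) -ne 0 ]; then
        echo "world-writable"
    else
        echo "owner-writable"
    fi
}

# How the current user gets write access: "owner" (we own the directory,
# so 755 would do), "world" (only because it is world-writable, the 777
# situation), or "none". Group write is ignored to keep the example short.
write_path() {
    if [ "$(owner_of "$1")" = "$(id -un)" ]; then
        echo "owner"
    elif [ "$(audit_dir "$1")" = "world-writable" ]; then
        echo "world"
    else
        echo "none"
    fi
}

# Plain answer from the kernel: can this process write here at all?
can_write() {
    if [ -w "$1" ]; then echo "yes"; else echo "no"; fi
}

# Usage: sh audit_perms.sh /path/to/pixelpost/images /path/to/pixelpost/thumbs
for dir in "$@"; do
    printf '%s: owner=%s mode=%s (%s), writable by %s: %s via %s\n' \
        "$dir" "$(owner_of "$dir")" "$(mode_of "$dir")" "$(audit_dir "$dir")" \
        "$(id -un)" "$(can_write "$dir")" "$(write_path "$dir")"
done
```

A report of "writable by apache: yes via world" is exactly the 777 case from the thread; "via owner" means the folder already belongs to the PHP user and could be set to 755 without breaking uploads.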
  #5  
Old 12-16-2006, 11:19 PM
GeoS+ Offline
Team Pixelpost
 
Join Date: Apr 2005
Location: Warsaw, Poland
Posts: 3,613
It all depends on the ISP. I know, e.g., the Apache mod_suexec module, which runs scripts with the user's ID, and it should solve the problem of CHMOD 777.
If you can PM us (devs) or email the source of the attack (in the Pixelpost application), then we can say that Pixelpost was weakly secured. Otherwise there are a lot of other possibilities to attack a site.
__________________
photoblog | portfolio | addons | Donate
  #6  
Old 12-17-2006, 02:53 PM
Dennis+ Offline
Team Pixelpost
 
Join Date: Jul 2006
Posts: 2,394
I wrote an addon for changing the folder permissions through an FTP connection.

Please let me know if you're interested and I'll mail the details.
__________________
My photoblog, powered by PixelPost 1.9 dev SVN | My Pixelpost Addons | My Cool Photoblog profile
  #7  
Old 12-17-2006, 07:28 PM
Dkozikowski+ Offline
Team Pixelpost
 
Join Date: Oct 2005
Posts: 1,855
Quote:
Originally Posted by schonhose
I wrote an addon for changing the folder permissions through an FTP connection.

Please let me know if you're interested and I'll mail the details.
I am actually trying to do the same thing. I am trying to make an addon that will read the current folder permissions and display if it is secure or not. If it is secure it will display a button to chmod the folder to 777 and if it's not secure it will display a button to chmod to 755.

Here is part of my code. Currently it only allows you to chmod to 755 and not 777 but I will get to that part once I can figure out the rest. I am not a PHP programmer so everything is trial and error.

PHP Code:
$addon_name = "CHMOD Manager";
$addon_description = "This addon will allow you to CHMOD your images and thumbs directory.";
$addon_version = "1.0.0";

// The workspace. Where to activate the function inside index.php
$addon_workspace = "options";

// menu where the addon should appear in admin panel. in this case: images menu
$addon_menu = "options";

// What would be the title of submenu of this addon: 12cropimage
$addon_admin_submenu = "CHMOD";

// What is the function
$addon_function_name = "chmod_admin_addon";

// add the function
add_admin_functions($addon_function_name, $addon_workspace, $addon_menu, $addon_admin_submenu);

// Check If ADMIN
if ($_GET['x'] == "chmod") {
    global $cfgrow;
    if ($cfgrow['password'] == $_SESSION["pixelpost_admin"]) {
        // If ADMIN, CHMOD images directory
        $chmod_755 = array();
        $chmod_755[] = '../images';
        $chmod_755[] = '../thumbs';
        // Status Message
        for ($i = 0; $i < count($chmod_755); $i++) {
            if (!chmod($chmod_755[$i], 0755)) {
                echo '<font color="#DD3333"><strong>Unable to change permission of (' . $chmod_755[$i] . ')</strong></font><br />';
            } else {
                echo '<font color="#228844"><strong>Successfully chmodded (' . $chmod_755[$i] . ')</strong></font><br />';
            }
        }
    }
}

// Admin panel page: shows the "Secure" button that submits to ?x=chmod
function chmod_admin_addon() {
    $show_form = "<div class='content'>
    To secure your images directory please use the secure button below.<br /><br />
    <form method=\"post\" action=\"?x=chmod\" enctype=\"multipart/form-data\">
    <input type=\"submit\" value=\"Secure\" />
    </form>
    </div>";
    echo $show_form;
}

  #8  
Old 12-17-2006, 07:52 PM
Dennis+ Offline
Team Pixelpost
 
Join Date: Jul 2006
Posts: 2,394
My addon works the same way, only I was under the impression CHMOD does only work on files and not on folders. Interesting to see I'm not the only one with the thought about changing buttons depending on the permissions.

Since in my opinion PHP's CHMOD doesn't work on folders I made an FTP connection to CHMOD the folders.
__________________
My photoblog, powered by PixelPost 1.9 dev SVN | My Pixelpost Addons | My Cool Photoblog profile
  #9  
Old 12-17-2006, 08:35 PM
Dennis+ Offline
Team Pixelpost
 
Join Date: Jul 2006
Posts: 2,394
As an addition to the previous post I'm unable to set the folder permissions through PHP's CHMOD. Probably because the owner of the CHMOD command does not correspond with the owner of the folder made by FTP.

Nevertheless the CHMOD command still gives back a TRUE although when I check with PHP the permissions are not changed. This gives a false sense of security.
__________________
My photoblog, powered by PixelPost 1.9 dev SVN | My Pixelpost Addons | My Cool Photoblog profile
  #10  
Old 12-17-2006, 08:43 PM
Dkozikowski+ Offline
Team Pixelpost
 
Join Date: Oct 2005
Posts: 1,855
Quote:
Originally Posted by schonhose
As an addition to the previous post I'm unable to set the folder permissions through PHP's CHMOD. Probably because the owner of the CHMOD command does not correspond with the owner of the folder made by FTP.

Nevertheless the CHMOD command still gives back a TRUE although when I check with PHP the permissions are not changed. This gives a false sense of security.
The code above works for me.

What I did to test was this:

Make sure the folder permissions were set to 777 or anything else but 755.
Run the code by hitting the submit button
Go back to my ftp program and refresh the folder list
Check permissions
Permissions should be changed!

Or, in pixelpost admin under the General Info tab you can see if the permissions we changed.

I'm no programmer. I just mess around with code until I can get it to work. It works fine with my hosting provider, godaddy.

One glitch may be that PHP's safe mode function may need to be turned off. I'm not sure if this will work with it turned on.
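Dennis's observation in post #9 (chmod reported TRUE while the permissions did not change) and Dkozikowski's test procedure above (refresh the FTP listing and look at the permissions afterwards) come down to the same rule: judge success by the resulting mode, not by the return value. The function below is an added example, not the addon code from this thread; it assumes a GNU or BSD stat and takes the directory paths as arguments.

```shell
#!/bin/sh
# Added example, not the addon code from this thread: set a mode on a
# directory and judge success by reading the mode back, not by the exit
# status of chmod. Assumes GNU or BSD stat.

# Octal permission bits of a path, e.g. 777 or 755.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# secure_dir DIR [MODE]: apply MODE (default 755) to DIR, then re-read the
# mode. Returns 0 and prints "ok: ..." only if the directory really has the
# wanted mode afterwards; otherwise reports what it actually is (plus the
# chmod exit status, which on its own proves nothing) and returns 1.
secure_dir() {
    dir=$1
    want=${2:-755}
    if [ ! -d "$dir" ]; then
        echo "FAILED: $dir is not a directory" >&2
        return 1
    fi
    if chmod "$want" "$dir" 2>/dev/null; then rc=0; else rc=$?; fi
    got=$(mode_of "$dir")
    if [ "$got" = "$want" ]; then
        echo "ok: $dir is now $got"
        return 0
    fi
    echo "FAILED: $dir is $got, wanted $want (chmod exit status $rc)" >&2
    return 1
}

# Usage: sh secure_dirs.sh /path/to/pixelpost/images /path/to/pixelpost/thumbs
for dir in "$@"; do
    secure_dir "$dir" 755
done
```

When the directory is owned by a different user than the one running the script (the FTP-owner vs apache situation from earlier in the thread), the re-read mode will still show 777 and the function reports FAILED, which is the honest answer the thread found missing.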
Powered by vBulletin® Version 3.7.3
Copyright ©2000 - 2013, Jelsoft Enterprises Ltd. | Style Design: d3 designs