Re: [PHP] File Upload Security

2008-04-11 Thread mike
How was it hacked? That will help determine what kind of exploit might have been used. On 4/11/08, Al [EMAIL PROTECTED] wrote: One of my sites has been hacked and I'm trying to find the hole. The hack code creates dirs with nobody ownership, so it's obvious stuff is not via ftp [ownership

Re: [PHP] File Upload Security

2008-04-11 Thread Al
The hack puts this .htaccess in dozens of dirs RewriteEngine On RewriteCond %{HTTP_REFERER}

Re: [PHP] File Upload Security

2008-04-11 Thread Bojan Tesanovic
I would recommend something stronger http://www.php.net/manual/en/function.exif-imagetype.php or if you don't have exif http://www.php.net/manual/en/function.getimagesize.php will also do the trick. One more thing, you are also allowing .txt and .css which may be a potential hole, as Apache

Re: [PHP] File Upload Security

2008-04-11 Thread Wolf
Al wrote: One of my sites has been hacked and I'm trying to find the hole. The hack code creates dirs with nobody ownership, so it's obvious stuff is not via ftp [ownership would be foo] Site is virtual host, Linux/Apache I'm concerned about a file uploader my users use to upload photos.

Re: [PHP] File Upload Security and chmod

2006-09-27 Thread tedd
At 6:43 PM -0500 9/26/06, Richard Lynch wrote: On Mon, September 25, 2006 3:58 pm, Andy Hultgren wrote: -- Since I'm only allowing image uploads, I can strictly filter which files are allowed to be uploaded (with extension checks and get_image_size). Extension check is kinda useless... I

Re: [PHP] File Upload Security and chmod

2006-09-27 Thread Richard Lynch
On Wed, September 27, 2006 10:11 am, tedd wrote: So when you read advice to use 0777 you can immediately change that to 0700, because the only access needed is for you, not your group, and not the world of other users on that machine. Excellent point -- thanks. This applies only to Andy -- or

Re: [PHP] File Upload Security and chmod

2006-09-27 Thread Andy Hultgren
So I've been trying to figure out where php uploads files to temporarily store them before I move them to their permanent storage directory, and I'm having some difficulties: -- php_info() says the temporary file upload directory is /tmp but I don't know if that's relative to my root directory

Re: [PHP] File Upload Security and chmod

2006-09-27 Thread Richard Lynch
On Wed, September 27, 2006 12:12 pm, Andy Hultgren wrote: So I've been trying to figure out where php uploads files to temporarily store them before I move them to their permanent storage directory, and I'm having some difficulties: -- php_info() says the temporary file upload directory is

Re: [PHP] File Upload Security and chmod

2006-09-27 Thread Andy Hultgren
Well, seeing as I have no directory anywhere in my file structure called /tmp and yet my file uploads are still working, it would appear that my temporary file upload directory /tmp given by php_info() is somewhere outside of my root directory. So that's good news! That's where I'll be doing my

Re: [PHP] File Upload Security and chmod

2006-09-26 Thread Richard Lynch
The FTP will be slower, almost for sure. He's doing it because he can FTP in as himself, and not as the nobody user Apache runs as. Your webhost has you running as yourself already, so you can chmod your files at will in PHP. On Mon, September 25, 2006 2:11 pm, Andy Hultgren wrote: Tedd,

Re: [PHP] File Upload Security and chmod

2006-09-26 Thread Richard Lynch
On Mon, September 25, 2006 3:58 pm, Andy Hultgren wrote: So I tried to implement the example code given in the php tmpfile() documentation and it wouldn't do anything, which suggests that I don't have access to the /tmp directory. Also, the FAQ section on my server's website says that /tmp

Re: [PHP] File Upload Security and chmod

2006-09-25 Thread tedd
At 9:32 PM -0600 9/24/06, Andy Hultgren wrote: Hi Tedd, Yes, when I browse to www.myDomain.com I get the index.html file, and so I have been leaving the .public_html/ directory alone since it is not my root. I'm curious, what you described is exactly what I'm trying to do - what permissions do

Re: [PHP] File Upload Security and chmod

2006-09-25 Thread Andy Hultgren
Tedd, Thanks so much for your thorough response - it's good to know that I'm not the only one trying to figure this out! I'm curious, in your code you use the PHP ftp functions, but I have used the PHP functions chmod() and mkdir() without establishing an ftp connection. Is it faster to establish

Re: [PHP] File Upload Security and chmod

2006-09-25 Thread Eric Butera
On 9/25/06, Andy Hultgren [EMAIL PROTECTED] wrote: Tedd, Thanks so much for your thorough response - it's good to know that I'm not the only one trying to figure this out! I'm curious, in your code you use the PHP ftp functions, but I have used the PHP functions chmod() and mkdir() without

Re: [PHP] File Upload Security and chmod

2006-09-25 Thread tedd
Andy: It was never a question of speed for me -- it was a question of being able to change file permissions from within a php script so that I could create and write files safely. You see, I am *not* able to use chmod() within a php script at all regardless of what permissions the file and

Re: [PHP] File Upload Security and chmod

2006-09-25 Thread Andy Hultgren
Well, that didn't sound too good... So I tried to implement the example code given in the php tmpfile() documentation and it wouldn't do anything, which suggests that I don't have access to the /tmp directory. Also, the FAQ section on my server's website says that /tmp is not shared between

Re: [PHP] File Upload Security and chmod

2006-09-25 Thread Andy Hultgren
Hey Tedd and Eric, Between the two of you and Richard Lynch's last post, I understand why I can use chmod() and mkdir() within php without having to use the ftp commands: I run on a server that is configured to run my php scripts as username (i.e. me!) instead of as nobody (which is much more

Re: [PHP] File Upload Security and chmod

2006-09-24 Thread Andy Hultgren
Hi Tedd, Yes, when I browse to www.myDomain.com I get the index.html file, and so I have been leaving the .public_html/ directory alone since it is not my root. I'm curious, what you described is exactly what I'm trying to do - what permissions do you set the parent folder at when you are

Re: [PHP] File Upload Security and chmod

2006-09-23 Thread Børge Holen
On Saturday 23 September 2006 01:27, you wrote: Hi Borge, host/users/myDomain is the actual directory (and it's the root directory), and I do not have access to higher directories. So basically I do not have access to directories higher than my root directory, which is unfortunate. Also,

Re: [PHP] File Upload Security and chmod

2006-09-23 Thread tedd
At 7:19 PM -0600 9/22/06, Andy Hultgren wrote: For whatever reason when I ftp in using WinFtp I don't see public_html (it's hidden, don't know why; if I make a directory called .public_html it gets created and then disappears), but I can see my file structure from my host's website and so I know

Re: [PHP] File Upload Security and chmod

2006-09-22 Thread Børge Holen
On Friday 22 September 2006 22:58, Andy Hultgren wrote: Hi, I am relatively new to php and am trying to set up a file upload process for my website. I have read through the php security documentation and a number of the security-related questions on these lists and am attempting to implement

Re: [PHP] File Upload Security and chmod

2006-09-22 Thread Richard Lynch
On Fri, September 22, 2006 3:58 pm, Andy Hultgren wrote: that as my root directory is simply www.myDomain.com and not .public_html/ and I am on a shared server where my root cannot be I got two words for you: Change Hosts -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing

Re: [PHP] File Upload Security and chmod

2006-09-22 Thread Andy Hultgren
So pretty much there's nothing to be done about it? If I can get the chmod thing to make it so that you can't surf to your uploaded image afterwards and view it, I'd be happy with that solution. I'd like to stick with this host if I could. On 9/22/06, Richard Lynch [EMAIL PROTECTED] wrote: On

Re: [PHP] File Upload Security and chmod

2006-09-22 Thread Richard Lynch
I may have hit send too soon... Like, when you do FTP, do you see: index.htm page2.htm page3.htm right away? *OR*, do you see: public_html And then you do cd public_html and THEN you see the files? If you don't do cd public_html then I really don't think accepting file uploads is a Good

Re: [PHP] File Upload Security and chmod

2006-09-22 Thread Andy Hultgren
For whatever reason when I ftp in using WinFtp I don't see public_html (it's hidden, don't know why; if I make a directory called .public_html it gets created and then disappears), but I can see my file structure from my host's website and so I know that when I ftp in to myDomain.com this is what

Re: [PHP] File upload security

2003-01-23 Thread peter a
Files in web folders should usually be 755 /peter a At 2003-01-23 11:15, Marco Alting wrote: Hi, I have a php script which uploads files to a webserver. The idea is that anyone can upload files, but only another php script can read the files. At this moment I think someone is deleting file