Security RISK/WARNING for you folks with shared providers..

  • #16
    Originally posted by JTMON


    Those are the choices?! Oh shi*!
    Well, if you or your host can afford it, you could use the Zend Encoder and encrypt your files.... But not many places have the 10 grand (I think it's around that)....

    Comment


    • #17
      Originally posted by The Prohacker


      Well, if you or your host can afford it, you could use the Zend Encoder and encrypt your files.... But not many places have the 10 grand (I think it's around that)....
      Are you nuts? My host has a hard enough time keeping their servers working. If they get a spammer, they cut off email to the entire server without any notice. I am seriously considering switching.
      JTMON

      Comment


      • #18
        Originally posted by JTMON


        Are you nuts? My host has a hard enough time keeping their servers working. If they get a spammer, they cut off email to the entire server without any notice. I am seriously considering switching.
        Well, gotta admit, they have a nice webpage

        http://www.ocservers.net/

        Comment


        • #19
          Hehe, wrong page.

          www.ochosting.com
          JTMON

          Comment


          • #20
            ummm--- why 750, why not 740??

            I was looking at another post on this board, on someone's site getting hacked, and this thread was pointed out to me.

            I had told the person that I used permissions of 740 on my config file.

            I see that you have recommended 750. Why would you need execute on the config.php? It is read as a text file, not executed as PHP.

            I realise there is little way to exploit this extra right, but I just don't see a need for it.

            just curious. My theory on security is give the minimum needed, that way, it is much harder to exploit.

            Thanks
            Eric C
            -

            Comment


            • #21
              Help!

              My forums were hacked into and wiped of their contents last Thursday (see separate thread here). Shortly after the attack, I discovered that another vBulletin on the same hosting network had fallen prey to the same hacker. Thus, I began to draw the conclusion that the hacker might be accessing the databases of our sites using the methods outlined at the start of this thread.

              Following a few quick tests of my own, I confirmed those suspicions, and reported the potential security flaw to my hosting company. Although they (VenturesOnline) are now hopefully talking to Jelsoft directly about the matter, for my own peace of mind I have been trying to figure out how to protect my vB's config file using some of the ideas mentioned here.

              Currently, when I chmod the 'config.php' file and remove 'world read' rights, it brings down my vB completely. VO have confirmed to me today that the server I am on runs 'suexec' - so surely the file permissions can be altered to restrict read/write privileges to 'owner' only? Can anyone suggest what might be wrong?

              Comment


              • #22
                Have you tried 744?
                JTMON

                Comment


                • #23
                  744 would work, but that still gives world read to the config.php.

                  which means anyone could read it, and pull your my-sql password out, and then they can run my-phpadmin from any server anywhere to connect to your db, and have fun with you...

                  one thing your ISP might be able to do is set the DB to only allow connections from servers in their network.. that makes it a little harder for the hackers, but that still leaves you open to other people on the same host.

                  Eric C
                  -

                  Comment


                  • #24
                    But surely making it 744 gives the file more access privileges?!?

                    By default, the permissions on all files uploaded to my shared account at VO are 644 (owner read/write, group read, world read). I would have assumed at the very least you need to remove 'world read' permissions on config.php? Or am I misunderstanding something?

                    Comment


                    • #25
                      Not the best..

                      Still not the most secure way, but chown it to yourid.apacheid. And chmod it to 740 (rwx,r,-)

                      The smarter users can still write a script and execute it under the apache userid to read it, but joe-blow in via telnet/ssh can't read it.

                      Even from the command line, when the user reads that file, they can trash your mysqldb. I wouldn't call this hacking, it is 101 stuff. They can dump your db, restore it (I think), mod it, scary stuff.

                      This is a huge problem, and has been for a long time. I'd be embarrassed if I were the author of such programs that didn't use a bit better method to at least encrypt the password stored in the txt file.

                      I've installed some PHP programs that need this info in a config.blah file for mysql access, and the better ones at least use some encryption/hash to store the password, so yes, it can be done.

                      Better yet, upgrade to apache 2.x now!

                      tjk

                      Comment


                      • #26
                        Re: Not the best..

                        Originally posted by tomk
                        Still not the most secure way, but chown it to yourid.apacheid. And chmod it to 740 (rwx,r,-). Better yet, upgrade to apache 2.x now!
                        Hmmm... strange you should mention that Tom. I have had this suggested to me previously, and passed it onto VenturesOnline today (as I do not have permission to run chown). They simply replied with: "you shouldn't need to chown the file like that", and that was it.

                        So I am a bit lost on what to say/do next!

                        Comment


                        • #27
                          Maybe time to look for a better / more secure host.

                          If you are paying monthly, just let it run out, and switch...

                          If you have paid for a couple of months, complain until they give your $$$ back because of their obviously shoddy security.

                          It really sounds like these guys are unwilling to change, and it is beginning to sound like they are not the sharpest dart thrown at the dartboard.

                          I'm by no means a unix guru, but I do know that if your config.php has to be 744, minimum, PHP is not running as "nobody"

                          As far as the authors of VB, I made the comment in the other thread Mark0380 spoke of that it would be nice to at least let the installer rename or move the config.php file. If a hacker doesn't automatically know the file name and path he/she is looking for, it makes their hack much more difficult.

                          Done rambling.
                          Eric C
                          -

                          Comment


                          • #28
                            Re: Re: Not the best..

                            Originally posted by Mark0380


                            Hmmm... strange you should mention that Tom. I have had this suggested to me previously, and passed it onto VenturesOnline today (as I do not have permission to run chown). They simply replied with: "you shouldn't need to chown the file like that", and that was it.

                            So I am a bit lost on what to say/do next!
                            Mark,

                            Ask them why they won't allow this for that file? This is crazy.

                            chown yourid.apacheid and chmod 740 says that only your id and the apache group id that runs apache/php can read the file, and only you can write/change it.

                            It keeps all the little script kiddies out, unless they know how to write a script and execute it via apache/php to read the file. Easy to do, but it makes it a *bit* more secure.

                            Better yet, tell your host to upgrade to apache 2.0, configured properly this will be the better solution since the vb guys are not interested in making the code more secure around the config.php file.

                            tjk

                            Comment
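A small audit script for the permission recipe discussed in posts #25 and #28 (chown to yourid:apacheid, chmod 740, so only the owner and the web-server group can read the file). This is an added example, not code from the thread or from vBulletin; it needs GNU or BSD stat(1), and the temp file in demo_audit stands in for a real config.php path.

```shell
#!/bin/sh
# Added example (not from the thread): classify a config file's mode against the
# advice above. 644/744 leave the DB password readable by every account on a
# shared host; 640/740 with the web-server account as group owner is the target.

# Print the last three octal permission digits of a file (e.g. 644); GNU then BSD stat.
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null
}

# Classify an octal mode string. Always exits 0 and prints exactly one word:
#   world-readable  other bits include r        -> the 644/744 problem from post #24
#   group-writable  group bits include w        -> the web-server group could edit it
#   ok              owner rw, group at most r, no world access (640 / 740)
verdict_for_mode() {
    m=$(printf '%s' "$1" | sed 's/^.*\(...\)$/\1/')   # drop a setuid/setgid/sticky digit
    g=$(printf '%s' "$m" | cut -c2)
    w=$(printf '%s' "$m" | cut -c3)
    if   [ $((w & 4)) -ne 0 ]; then echo world-readable
    elif [ $((g & 2)) -ne 0 ]; then echo group-writable
    else echo ok
    fi
}

# Audit one file: prints "<path> <mode> <verdict>", or "<path> missing".
audit_config() {
    mode=$(perm_of "$1") || { echo "$1 missing"; return 0; }
    echo "$1 $mode $(verdict_for_mode "$mode")"
}

# Self-contained demo on a constructed temp file (placeholder for /path/to/config.php).
demo_audit() {
    f=$(mktemp) || return 0
    chmod 644 "$f"; audit_config "$f"    # hosting default mentioned in post #24
    chmod 740 "$f"; audit_config "$f"    # the chown yourid:apacheid + chmod 740 recipe
    rm -f "$f"
}
```

Run `demo_audit` from the shell to see both verdicts; group ownership still has to be checked separately with ls -l, since the mode alone does not say which group gets the read bit.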


                            • #29
                              Correct me if I am wrong on this. If you have your config file in your admin folder, and your host doesn't allow shell access, then you're pretty secure as they couldn't do these things right?
                              JTMON

                              Comment


                              • #30
                                Something else I've found is that when accessing my site via ftp, the highest level it lets me go is my root folder, httpdocs. If I use a mac client though, I can view the server root and every single website folder on the entire server!! Granted I can't access it, is this normal for mac ftp programs?
                                JTMON

                                Comment
