[resolved] WP 2.1 Hacked via Uploads Directory (42 posts)

  1. cnymike
    Member
    Posted 7 years ago #

    My site is hosted on HostRocket.com

    I discovered, quite by accident, that somehow, someone had gained access to my world writable Uploads directory and uploaded over 42MB of crap... scripts, directories for all sorts of websites like viagra, mortgages, executables, etc... just absolutely shocking.

    The hacker basically had free rein over the entire Uploads directory because it was set by WordPress to have 777 permissions and is owned by the server.

    I don't understand all the complexities involved in security, php scripts, shared hosting etc. But it seems awfully negligent to design a web application like WordPress that leaves directories World Writable. To top it off those directories are owned by the server so the user can't even change the permissions to a more secure state without calling the webhost and having them change ownership of those directories to the user.

    I don't understand fully how someone with the knowledge can gain access to world writable directories in a shared hosting environment and upload malicious php code into basically anyone's directories, but it has happened to me three times... twice with WordPress and once with PHPwebsite. Pair.com was the host for PHPwebsite and HostRocket was the host for the two hacked WordPress sites.

    To thwart this in the future, the tech at HostRocket placed a .htaccess file in the Uploads directory that effectively prevents php scripts from running in that directory. The code he used was...

    php_flag engine off

    But please tell me why WordPress has world-writable directories by default and why there isn't some mechanism to change those permissions easily from within WordPress to help with security?

    The tech at my webhost says he sees this sort of thing happening ALL THE TIME.

    Any input on this folks?

  2. Kahil
    Member
    Posted 7 years ago #

    For now, I would do a few things. Lock down that directory so that it no longer gives access to just anyone. I personally wouldn't use it. If you have things in that folder that are posted on your site, then just make it so that the folder is readable. Also, use an FTP client to upload your files rather than the upload interface.

    Finally, and prolly the most important thing, contact your host. I'm sure they can figure out the IP address(es) of those who were doing that. Being that it was scripts that were uploaded, I'm sure that they would be very eager to help.

  3. cnymike
    Member
    Posted 7 years ago #

    I have taken steps to lock down world writable directories... but it seems that WP requires some directories to be world-writable, like the Uploads directory and the Cache directory. For now, I've changed permissions on the uploads directory to 755, and I've also added .htaccess as I explained in my initial post.

    I think the issue here is that most WP installations are on shared hosting servers. That means that nefarious people with the technical know-how are able to hack into someone else's site, either through capturing login information or brute force and once in, can install php scripts that can basically roam around the entire server looking for weaknesses in anyone else's space. That being the case, I really do not understand how WP can place world writable directories, owned by the server, into an installation. This is basically an open door to hackers and I've been hacked twice, and I read about so many others who are hacked this way as well.

    In my case, files, php scripts, perl scripts and other executables were uploaded into my Uploads directory and as far as I can tell, that directory was basically acting as a server of its own, serving up over two hundred websites for gambling, viagra, vicodin and all that crap. A particular file 99.php was uploaded which basically gave the hacker unfettered access to my entire webspace via any browser. This script is also known as "c99adult" and if you Google that word, you will find it installed on quite a few other sites, some of which you can actually click on the Google link to and end up in that person's webspace where presumably you could screw up the person's website if you were so inclined.

    This is unbelievable to me!

    WP needs to have stronger defenses against this prevalent form of attack. If your website hasn't been hacked yet and you are on a shared server (which most people are) you are just as vulnerable as I was and there will come a day where your site could be hacked. In fact, I'll go as far as to say that a lot of sites probably already are hacked and the owners are not even aware of it. In my case, it was pure accident that I noticed something and it was only because I was in Google looking at the Webmaster Tools where I noticed hundreds of 404 errors on my site. Why was this, I wondered? Certainly I did not build my site with hundreds of missing pages... Well, further investigation led me to discover the break-in.

  4. dwzemens
    Member
    Posted 7 years ago #

    I have my WP uploads directory set to 755 permission and it works fine, while maintaining pretty solid security. I can upload images through the dashboard. Did you try this?

  5. cnymike
    Member
    Posted 7 years ago #

    I cannot upload via the Dashboard to the Uploads directory using 755 permissions, I get an error, "Unable to create directory /home/xxxxx/public_html/blog/wp-content/uploads/2007/04. Is its parent directory writable by the server?"

    How is it possible that you are able to?

  6. Chris_K
    Member
    Posted 7 years ago #

    Probably because different hosts configure their servers in different ways.

    I too, never need to use 777.

    If you do have to use 777, make the tweak, let the directory be created and then switch it back to 755.

  7. cnymike
    Member
    Posted 7 years ago #

    I suppose that's a workaround that would get the job done, but it is certainly not convenient to have to do that every month. But under the circumstance, I guess it's about the only thing that will work for me at this point in time.

  8. cnymike
    Member
    Posted 7 years ago #

    Well, it's not a workaround because it doesn't work.

    I've got permissions set to 755 and created a directory /wp-content/uploads/2007/04

    When I then go to dashboard and try to upload an image, I get the error...

    The uploaded file could not be moved to /home/mxxxxxx/public_html/blog/wp-content/uploads/2007/04.
    Warning: Cannot modify header information - headers already sent by (output started at /home/xxxxxx/public_html/blog/wp-admin/admin-functions.php:1879) in /home/xxxxxx/public_html/blog/wp-includes/functions.php on line 1219

    So what now?

  9. Chris_K
    Member
    Posted 7 years ago #

    Here's a good thread to look over: http://wordpress.org/support/topic/74078?replies=9

    Does your host offer you the option of running suexec?

  10. Bobcat
    Member
    Posted 7 years ago #

    If you're using pair.com, you can use php-cgiwrap and set your upload and cache folders, and all your .php files to 600. Details here.

  11. cnymike
    Member
    Posted 7 years ago #

    Bobcat,

    Are there any downsides to using php-cgiwrap? This is something totally new to me and I know nothing about it.

    Michael

  12. Bobcat
    Member
    Posted 7 years ago #

    The advantage of php-cgiwrap is that you can completely protect your PHP files, your MySQL password, the WordPress upload directory, etc., from other users on your server and from the rest of the world.

    The disadvantage is that if there's a security hole in WordPress or if your WordPress admin password is hacked, the bad guys will have complete access to all your files.

  13. Doodlebee
    Member
    Posted 7 years ago #

    >>I suppose that's a workaround that would get the job done, but it is certainly not convenient to have to do that every month.<<

    >>Well, it's not a workaround because it doesn't work.<<

    >>The hacker basically had free reign over the entire Uploads directory because it was set by WordPress to have 777 permissions<<

    The problem here is that *WordPress* doesn't set permissions for *anything*.

    It's not a "workaround" because you *don't* have to do it every month.

    You do it *once*. It allows the server to recognize that WordPress has ownership, and is allowed to do it.

    You go in, create the "uploads" folder, set it to 777, go in and use the Uploads feature to upload an image (therefore telling the server that WP is allowed to do this) then change the uploads folder *back* to 755. The server should recognize that WP is the owner and is allowed to access the folder permanently.

    You do it once. Period.

    Now, if it's not working for you, then you need to contact your host, because your *host* is who sets these configurations. *Any* host who *requires* you to leave folder permissions set at 777 doesn't have a clue as to what they are doing, and you should change hosts immediately.

    But *WordPress* doesn't set folder permissions for anything. It doesn't have the capability to do so. If *you* set the permissions at 777 and didn't change them back, *you* are the one responsible for allowing the hacker access. (If your host requires it to stay open like that, then, as I said, you need to get a new host who knows WTF they're talking about.)

  14. dwzemens
    Member
    Posted 7 years ago #

    Thanks for clearing up how the permissions work on my server and not on his/hers, doodlebee.

    Very good post.

  15. Samuel Wood (Otto)
    Tech Ninja
    Posted 7 years ago #

    You go in, create the "uploads" folder, set it to 777, go in and use the Uploads feature to upload an image (therefore telling the server that WP is allowed to do this) then change the uploads folder *back* to 755. The server should recognize that WP is the owner and is allowed to access the folder permanently.

    While this is more secure than having 777 permissions (which, on a shared server, gives anybody else on the server access), it's still not without its flaws.

    Basically, you're letting the webserver user create the directory, thus making the webserver user the owner of it. So 755 permissions allows anybody to read, but only the webserver to write.

    However, this is not particularly secure either. The webserver can still write to the directory, and a hack by somebody on any other website on that shared server will still give them access to your uploads directory. Why? Because they'll have the credentials of the webserver user, and so will have write permission in your directory.

    There is no 100% secure way to allow you to upload files over the web. This is just a simple fact. You have to give write permission to the webserver to do it. So the best you can really hope for is to limit your exposure.

  16. Doodlebee
    Member
    Posted 7 years ago #

    What Otto said is true. Plus, you should take into account what's been mentioned earlier - it all depends on how your host has set up your server. Use "755" because that's what my host has set up as the default for folders. Some hosts have it set differently.

  17. cnymike
    Member
    Posted 7 years ago #

    doodlebee, I can't really get too deep into this conversation because I don't have good enough knowledge of the whole permissions scheme.

    I never said my host "made" me keep the permissions at 777. My host provided me with good guidance on how to help prevent this in the future by using .htaccess as I described previously in an earlier post.

    My Host conceded that a shared server -is- open to this sort of abuse. Of the hundreds of sites hosted on the server, who knows how many are operated by folks like me that don't really have a clue what they are doing? I'd guess the majority. This leaves the potential for HUGE gaping holes in the security of the server. Any world writable directory in that shared environment is vulnerable if any one of the hundreds of other users' space is compromised. Once the hacker gets in, either by brute force, or by learning the login info for an account, they have the ability to wreak all sorts of damage.

    What is really a hassle is that the Uploads directory is owned by the server because it is the WP script that is installing, not me. Is this because I uploaded the tar file to my server and then untarred it as opposed to unzipping it locally and then ftp'ing it to my server?

    It's clear to me from reading about this issue a lot, both here and other forums and websites, that this is a big problem on WordPress Blogs. In fact, there are probably a lot of WP blogs that are hacked/compromised without the knowledge of their owners because the hackers use rootkits to gain control and do a pretty good job hiding their activity. The only way I noticed anything suspicious was because I happened to be looking at Google Webmaster tools for my site and noticed thousands of 404 errors. That was the tipoff.

    I've learned enough now to know that in a shared server environment you do not want to leave any directories in a 777 state for very long or you are a hack job waiting to happen. As for me, I have paid a pretty stiff price in all this. Google has completely taken away my page ranking and my site has disappeared in the results pages where a week ago I was the #1 result using certain search terms. I hope that in time, Google will restore my ranking because I have removed all traces of the hacker's work and hopefully have a more secure site now.

  18. cnymike
    Member
    Posted 7 years ago #

    OK...I just did a brand new install of WP for installation testing purposes and to see just exactly what permissions are being used and WHO is creating them.

    I downloaded a zip of WP to my local computer. I unzipped it, filled in the necessary data in the wp-config.php file and then ftp'd the entire WordPress directory to my server.

    I ran the install script and once that was completed, I logged into admin of my newly created blog.
    I ftp'd to the directory where WP was installed and noticed that the wp-content directory had permissions of 755. All well and good thus far.

    I created a new blog entry. I browsed for an image on my local computer and attempted to upload it. Got the following error...

    Unable to create directory /usr/www/users/xxxx/xxxx/wordpress/wp-content/uploads/2007/04. Is its parent directory writable by the server?

    A-ha! So the ONLY way to create the uploads/2007/04 directory is to make the wp-content world writable with 777 permissions. OK I changed permissions and then attempted to upload the image again. Success.

    Now I have to change the directory 'wp-content' back to 755. Done!

    But lo and behold, the newly created directories...

    wp-content/uploads/2007/04
    wp-content/uploads/2007
    wp-content/uploads

    ...now have permissions of 777 and are owned by nobody (the server).

    So if WordPress didn't create these world-writable directories, owned by the server (nobody) then what am I missing?

    How is this secure? Furthermore, since they are owned by the server, I cannot rename them, change their permissions or delete them unless I call my webhost and have them change ownership to me.

    So help me out here doodlebee and explain to me what just happened cuz I'm just not getting it.
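An added example, not part of any post in this thread: a shell audit for the three conditions described so far, namely world-writable directories under the uploads tree, script files where only media belongs, and whether the `.htaccess` directive quoted in the first post is present. The function names and the list of script extensions are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit an upload tree for the conditions discussed in this
# thread. Function names and the extension list are assumptions.

# Directories any local account can write to (the "other" write bit, as in 777).
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print
}

# Files a media upload tree should not contain: PHP, Perl, CGI, shell scripts.
script_files() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.pl' -o -iname '*.cgi' \
        -o -iname '*.sh' \) -print
}

# True when the tree's top-level .htaccess carries the directive quoted in the
# first post ("php_flag engine off"); Apache applies it to subdirectories too.
php_engine_disabled() {
    [ -f "$1/.htaccess" ] &&
        grep -Eiq '^[[:space:]]*php_flag[[:space:]]+engine[[:space:]]+off' \
            "$1/.htaccess"
}

# Print findings; return 0 when the tree is clean, 1 otherwise.
audit_uploads() {
    audit_dir=$1
    audit_status=0

    audit_ww=$(world_writable_dirs "$audit_dir")
    if [ -n "$audit_ww" ]; then
        printf 'World-writable directories:\n%s\n' "$audit_ww"
        audit_status=1
    fi

    audit_scripts=$(script_files "$audit_dir")
    if [ -n "$audit_scripts" ]; then
        printf 'Script files in upload tree:\n%s\n' "$audit_scripts"
        audit_status=1
    fi

    if ! php_engine_disabled "$audit_dir"; then
        printf 'No "php_flag engine off" in %s/.htaccess\n' "$audit_dir"
        audit_status=1
    fi

    return "$audit_status"
}

# Usage: ./audit_uploads.sh /path/to/wp-content/uploads
[ "$#" -eq 0 ] || audit_uploads "$1"
```

The `php_flag` directive is only accepted when PHP runs as an Apache module; where PHP runs as CGI or FastCGI, script execution in the upload tree has to be blocked another way.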

  19. Samuel Wood (Otto)
    Tech Ninja
    Posted 7 years ago #

    So if WordPress didn't create these world-writable directories, owned by the server (nobody) then what am I missing?

    From what you just said, WordPress did create them. Where's the confusion?

    How is this secure?

    Who said it was secure?

    If you allow uploads to happen over the web, it is not secure. Period. End of discussion.

    There is *no* way to make a directory secure and still allow uploads over the web. None. Zero. Anybody who tells you otherwise is mistaken.

    This is not a WordPress specific problem. It's a shared server problem, and anybody trying to allow web uploads on a shared server, on any software package, is vulnerable. There's no way around it.

  20. cnymike
    Member
    Posted 7 years ago #

    The confusion is because doodlebee said
    "The problem here is that *WordPress* doesn't set permissions for *anything*."

    My question "How is this secure?" was sort of a rhetorical question. It's not secure.

  21. Chris_K
    Member
    Posted 7 years ago #

    WP doesn't.
    Your webserver did when it created those directories. It based them on the parent directory.

  22. cnymike
    Member
    Posted 7 years ago #

    I understand now that WP technically doesn't set the permissions, but WP enables it by requiring that the parent directory be world-writable in order for the uploads directory to be created by the server.

    You know what, I finally get it. And for me, having the ability to upload photos via the dashboard is simply not worth the risk.

  23. Samuel Wood (Otto)
    Tech Ninja
    Posted 7 years ago #

    but WP enables it by requiring that the parent directory be world-writable in order for the uploads directory to be created by the server.

    You don't have to let WP create the uploads directory. You could have created the directory yourself and given it any permissions you like.

    But regardless, those directories still have to be world-writable for WP to write anything to them in the first place. This is the way permissions work.

  24. Andrew Ozz
    WordPress Dev
    Posted 7 years ago #


  25. Andrew Ozz
    WordPress Dev
    Posted 7 years ago #

    The (more) secure way of uploading anything is ftp... You can even get a hosting plan with an anonymous ftp account if you need that. Uploading through the web is way less secure than ftp and depends a lot on the shared server configuration. On my test install (Ubuntu LAMP on an old 400MHz PC configured with 5 accounts) all WP directories are set to 755 and I still can upload through WP.

  26. Chris_K
    Member
    Posted 7 years ago #

    On my shared hosting account, directories are at 755 and everything works fine as well.

    Which was the point I'd tried to make about 15 posts ago: Servers are configured in many ways... some much more "friendly" to this sort of fun stuff :)

  27. Bobcat
    Member
    Posted 7 years ago #

    But lo and behold, the newly created directories...
    wp-content/uploads/2007/04
    wp-content/uploads/2007
    wp-content/uploads
    ...now have permissions of 777 and are owned by nobody (the server).

    That means you could set the permissions to 700 and only the web server (including WP) will be able to write to them. That sounds pretty secure to me.

  28. cnymike
    Member
    Posted 7 years ago #

    Bobcat, it's not secure if someone has hacked into the shared host somewhere because they have server rights. They have free rein. Furthermore if I set permissions to anything other than 777, WP will NOT upload anything because I don't have world-writable permissions on the Uploads directory.

    Furthermore, setting permissions to 700 results in this error...
    "Warning: is_dir(): Stat failed for /home/xxxxxx/public_html/blog/wp-content/uploads/2007 (errno=13 - Permission denied) in /home/xxxxxx/public_html/blog/wp-includes/functions.php on line 970

    Warning: is_dir(): Stat failed for /home/xxxxxx/public_html/blog/wp-content/uploads (errno=13 - Permission denied) in /home/xxxxxx/public_html/blog/wp-includes/functions.php on line 970

    Warning: Cannot modify header information - headers already sent by (output started at /home/xxxxxx/public_html/blog/wp-includes/functions.php:970) in /home/xxxxxx/public_html/blog/wp-includes/functions.php on line 1219
    WordPress

    Unable to create directory /home/xxxxxx/public_html/blog/wp-content/uploads/2007/04. Is its parent directory writable by the server?"

    The only way to upload on my server through the dashboard is with 777 permissions.

    Time to move on.

  29. vkaryl
    Member
    Posted 7 years ago #

    As well, setting my uploads folder on a test install to 700 fails to allow display of graphics previously uploaded by ftp, stored in specific folders, and called by a normal link in a post.

    Too bad too, because that would have been really nice.

  30. pizdin_dim
    Member
    Posted 7 years ago #

    "It's clear to me from reading about this issue a lot, both here and other forums and websites, that this is a big problem on WordPress Blogs."

    Not quite correct. This is a big problem with all web applications which allow file uploads.

Topic Closed

This topic has been closed to new replies.
