WordPress.org

[Resolved] WP 2.1 Hacked via Uploads Directory

  • My site is hosted on HostRocket.com

    I discovered, quite by accident, that somehow, someone had gained access to my world writable Uploads directory and uploaded over 42MB of crap… scripts, directories for all sorts of websites like viagra, mortgages, executables, etc… just absolutely shocking.

    The hacker basically had free rein over the entire Uploads directory because it was set by WordPress to have 777 permissions and is owned by the server.

    I don’t understand all the complexities involved in security, php scripts, shared hosting etc. But it seems awfully negligent to design a web application like WordPress that leaves directories World Writable. To top it off those directories are owned by the server so the user can’t even change the permissions to a more secure state without calling the webhost and having them change ownership of those directories to the user.

    I don’t understand fully how someone with the knowledge can gain access to world writable directories in a shared hosting environment and upload malicious php code into basically anyone’s directories, but it has happened to me three times… twice with WordPress and once with PHPwebsite. Pair.com was the host for PHPwebsite and HostRocket was the host for the two hacked WordPress sites.

    To thwart this in the future, the tech at HostRocket placed a .htaccess file in the Uploads directory that effectively prevents php scripts from running in that directory. The code he used was…

    php_flag engine off

    But please tell me why WordPress has world-writable directories by default and why there isn’t some mechanism to change those permissions easily from within WordPress to help with security?

    The tech at my webhost says he sees this sort of thing happening ALL THE TIME.

    Any input on this folks?

Viewing 15 replies - 1 through 15 (of 41 total)
  • For now, I would do a few things. Lock down that directory so that it’s no longer open for just anyone to get into. I personally wouldn’t use it. If you have things in that folder that are posted on your site, then just make it so that the folder is readable. Also, use an FTP client to upload your files rather than the upload interface.

    Finally, and probably the most important thing, contact your host. I’m sure they can figure out the IP address(es) of those who were doing that. Being that it was scripts that were uploaded, I’m sure that they would be very eager to help.

    I have taken steps to lock down world writable directories… but it seems that WP requires some directories to be world-writable, like the Uploads directory and the Cache directory. For now, I’ve changed permissions on the uploads directory to 755, and I’ve also added .htaccess as I explained in my initial post.

    I think the issue here is that most WP installations are on shared hosting servers. That means that nefarious people with the technical know-how are able to hack into someone else’s site, either through capturing login information or brute force and once in, can install php scripts that can basically roam around the entire server looking for weaknesses in anyone else’s space. That being the case, I really do not understand how WP can place world writable directories, owned by the server, into an installation. This is basically an open door to hackers and I’ve been hacked twice, and I read about so many others who are hacked this way as well.

    In my case, files, php scripts, perl scripts and other executables were uploaded into my Uploads directory and as far as I can tell, that directory was basically acting as a server of its own, serving up over two hundred websites for gambling, viagra, vicodin and all that crap. A particular file 99.php was uploaded which basically gave the hacker unfettered access to my entire webspace via any browser. This script is also known as “c99adult” and if you Google that word, you will find it installed on quite a few other sites, some of which you can actually click on the Google link to and end up in that person’s webspace where presumably you could screw up the person’s website if you were so inclined.

    This is unbelievable to me!

    WP needs to have stronger defenses against this prevalent form of attack. If your website hasn’t been hacked yet and you are on a shared server (which most people are) you are just as vulnerable as I was and there will come a day where your site could be hacked. In fact, I’ll go as far as to say that a lot of sites probably already are hacked and the owners are not even aware of it. In my case, it was pure accident that I noticed something and it was only because I was in Google looking at the Webmaster Tools where I noticed hundreds of 404 errors on my site. Why was this, I wondered? Certainly I did not build my site with hundreds of missing pages… well, further investigation led me to discover the break-in.

    I have my WP uploads directory set to 755 permission and it works fine, while maintaining pretty solid security. I can upload images through the dashboard. Did you try this?

    I cannot upload via the Dashboard to the Uploads directory using 755 permissions, I get an error, “Unable to create directory /home/xxxxx/public_html/blog/wp-content/uploads/2007/04. Is its parent directory writable by the server?”

    How is it possible that you are able to?

    Probably because different hosts configure their servers in different ways.

    I too, never need to use 777.

    If you do have to use 777, make the tweak, let the directory be created and then switch it back to 755.

    I suppose that’s a workaround that would get the job done, but it is certainly not convenient to have to do that every month. But under the circumstance, I guess it’s about the only thing that will work for me at this point in time.

    Well, it’s not a workaround because it doesn’t work.

    I’ve got permissions set to 755 and created a directory /wp-content/uploads/2007/04

    When I then go to dashboard and try to upload an image, I get the error…

    The uploaded file could not be moved to /home/mxxxxxx/public_html/blog/wp-content/uploads/2007/04.
    Warning: Cannot modify header information - headers already sent by (output started at /home/xxxxxx/public_html/blog/wp-admin/admin-functions.php:1879) in /home/xxxxxx/public_html/blog/wp-includes/functions.php on line 1219

    So what now?

    Here’s a good thread to look over: http://wordpress.org/support/topic/74078?replies=9

    Does your host offer you the option of running suexec?

    If you’re using pair.com, you can use php-cgiwrap and set your upload and cache folders, and all your .php files to 600. Details here.

    Bobcat,

    Are there any downsides to using php-cgiwrap? This is something totally new to me and I know nothing about it.

    Michael

    The advantage of php-cgiwrap is that you can completely protect your PHP files, your MySQL password, the WordPress upload directory, etc., from other users on your server and from the rest of the world.

    The disadvantage is that if there’s a security hole in WordPress or if your WordPress admin password is hacked, the bad guys will have complete access to all your files.

    >>I suppose that’s a workaround that would get the job done, but it is certainly not convenient to have to do that every month.<<

    >>Well, it’s not a workaround because it doesn’t work.<<

    >>The hacker basically had free rein over the entire Uploads directory because it was set by WordPress to have 777 permissions<<

    The problem here is that *WordPress* doesn’t set permissions for *anything*.

    It’s not a “workaround” because you *don’t* have to do it every month.

    You do it *once*. It allows the server to recognize that WordPress has ownership, and is allowed to do it.

    You go in, create the “uploads” folder, set it to 777, go in and use the Uploads feature to upload an image (therefore telling the server that WP is allowed to do this) then change the uploads folder *back* to 755. The server should recognize that WP is the owner and is allowed to access the folder permanently.

    You do it once. Period.

    Now, if it’s not working for you, then you need to contact your host, because your *host* is who sets these configurations. *Any* host who *requires* you to leave folder permissions set at 777 doesn’t have a clue as to what they are doing, and you should change hosts immediately.

    But *WordPress* doesn’t set folder permissions for anything. It doesn’t have the capability to do so. If *you* set the permissions at 777 and didn’t change them back, *you* are the one responsible for allowing the hacker access. (If your host requires it to stay open like that, then, as I said, you need to get a new host who knows WTF they’re talking about.)

    Thanks for clearing up how the permissions work on my server and not on his/hers, doodlebee.

    Very good post.

    Moderator Samuel Wood (Otto)

    @otto42

    WordPress.org Tech Dude

    You go in, create the “uploads” folder, set it to 777, go in and use the Uploads feature to upload an image (therefore telling the server that WP is allowed to do this) then change the uploads folder *back* to 755. The server should recognize that WP is the owner and is allowed to access the folder permanently.

    While this is more secure than having 777 permissions (which, on a shared server, gives anybody else on the server access), it’s still not without its flaws.

    Basically, you’re letting the webserver user create the directory, thus making the webserver user the owner of it. So 755 permissions allows anybody to read, but only the webserver to write.

    However, this is not particularly secure either. The webserver can still write to the directory, and a hack by somebody on any other website on that shared server will still give them access to your uploads directory. Why? Because they’ll have the credentials of the webserver user, and so will have write permission in your directory.

    There is no 100% secure way to allow you to upload files over the web. This is just a simple fact. You have to give write permission to the webserver to do it. So the best you can really hope for is to limit your exposure.
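Added example, not part of the original thread and not WordPress code: a read-only audit of an uploads tree for the conditions discussed above (the world-writable bit that 777 sets, script files sitting among the uploads, and whether the host's `php_flag engine off` line is present in `.htaccess`). The function names and the extension list are assumptions made for this example.

```python
import os
import stat
import sys

# Extensions treated as server-side scripts (an assumed list for this example).
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".pl", ".cgi"}


def php_engine_disabled(root):
    """True if root/.htaccess contains the 'php_flag engine off' directive."""
    try:
        with open(os.path.join(root, ".htaccess"), errors="replace") as fh:
            return any(line.strip().lower().split() == ["php_flag", "engine", "off"]
                       for line in fh)
    except OSError:
        return False  # no .htaccess, or it cannot be read


def audit_uploads(root):
    """Report world-writable paths and script files under an uploads tree."""
    report = {"world_writable": [], "scripts": [],
              "php_disabled": php_engine_disabled(root)}
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are not meaningful
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:  # the "other" write bit, the last 7 in 777
                report["world_writable"].append((rel, oct(stat.S_IMODE(mode))))
            if stat.S_ISREG(mode) and os.path.splitext(path)[1].lower() in SCRIPT_EXTS:
                report["scripts"].append(rel)
    return report


if __name__ == "__main__":
    # Usage: python audit_uploads.py /path/to/wp-content/uploads
    result = audit_uploads(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("PHP engine disabled by .htaccess:", result["php_disabled"])
    for rel, mode in result["world_writable"]:
        print("world-writable:", mode, rel)
    for rel in result["scripts"]:
        print("script in uploads:", rel)
```

`php_flag` is only honoured when PHP runs as an Apache module, so a true result shows the directive is present in the file, not that the server enforces it.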

    What Otto said is true. Plus, you should take into account what’s been mentioned earlier – it all depends on how your host has set up your server. Use “755” because that’s what my host has set up as the default for folders. Some hosts have it set differently.

  • The topic ‘[Resolved] WP 2.1 Hacked via Uploads Directory’ is closed to new replies.