WordPress.org

Support

Support » How-To and Troubleshooting » [Resolved] WP 2.1 Hacked via Uploads Directory

[Resolved] WP 2.1 Hacked via Uploads Directory

  • My site is hosted on HostRocket.com

    I discovered, quite by accident, that somehow, someone had gained access to my world writable Uploads directory and uploaded over 42MB of crap… scripts, directories for all sorts of websites like viagra, mortgages, executables, etc… just absolutely shocking.

    The hacker basically had free reign over the entire Uploads directory because it was set by WordPress to have 777 permissions and is owned by the server.

    I don’t understand all the complexities involved in security, php scripts, shared hosting etc. But it seems awfully negligent to design a web application like WordPress that leaves directories World Writable. To top it off those directories are owned by the server so the user can’t even change the permissions to a more secure state without calling the webhost and having them change ownership of those directories to the user.

    I don’t understand fully how someone with the knowledge can gain access to world writable directories in a shared hosting environment and upload malicious php code into basically anyones directories, but it has happened to me three times… twice with WordPress and once with PHPwebsite. Pair.com was the host for PHPwebsite and HostRocket was the host for the two hacked WordPress sites.

    To thwart this in the future, the tech at hostrocket placed a .htaccess file in the Uploads directory that effectively prevents php scripts from running in that directory. the code he used was…

    php_flag engine off

    But please tell me why WordPress has worldwriteable directories by default and why there isn’t some mechanism to change those permissions easily from within WordPress to help with security?

    The tech at my webhost says he sees this sort of thing happening ALL THE TIME.

    Any input on this folks?

Viewing 15 replies - 16 through 30 (of 41 total)
  • doodlebee, I can’t really get too deep into this conversation because I don’t have good enough knowledge of the whole permissions scheme.

    I never said my host “made” me keep the permissions at 777. My host provided me with good guidance on how to help prevent this in the future by using .htaccess as I described previously in an earlier post.

    My Host conceded that a shared server -is- open to this sort of abuse. Of the hundreds of sites hosted on the server, who knows how many are operated by folks like me that don’t really have a clue what they are doing? I’d guess the majority. This leaves the potential for HUGE gaping holes in the security of the server. Any world writable directory in that shared environment is vulnerable if any one of the hundreds of other users space is compromised. Once the hacker gets in, either by brute force, or by learning the login info for an account, they have the ability to wreak all sorts of damage.

    What is really a hassle is that the Uploads directory is owned by the server because it is the WP script that is installing, not me. Is this because I uploaded the tar file to my server and then untarred it as opposed to unzipping it locally and then ftp’ing it to my server?

    It’s clear to me from reading about this issue a lot, both here and other forums and websites, that this is a big problem on WordPress Blogs. In fact, there are probably a lot of WP blogs that are hacked/compromised without the knowledge of their owners because the hackers use rootkits to gain control and do a pretty good job hiding their activity. The only way I noticed anything suspicious was because I happened to be looking at Google Webmaster tools for my site and noticed thousands of 404 errors. That was the tipoff.

    I’ve learned enough now to know that in a shared server environment you do not want to leave any directories in a 777 state for very long or you are a hack job waiting to happen. As for me, I have paid a pretty stiff price in all this. Google has completely taken away my page ranking and my site has disappeared in the results pages where a week ago I was the #1 result using certain search terms. I hope that in time, Google will restore my ranking because I have removed all traces of the hackers work and hopefully have a more secure site now.

    OK…I just did a brand new install of WP for installation testing purposes and to see just exactly what permissions are being used and WHO is creating them.

    I downloaded a zip of WP to my local computer. I unzipped it, filled in the necessary data in the wp-config.php file and then ftp’d the entire WordPress directory to my server.

    I ran the install script and once that was comleted, I logged into admin of my newly created blog.-
    I ftp’d to the directory where WP was installed and noticed that the wp-content directory had permissions of 755. All well and good thus far.

    I created a new blog entry. I browsed for an image on my local computer and attempted to upload it. Got the following error…

    Unable to create directory /usr/www/users/xxxx/xxxx/wordpress/wp-content/uploads/2007/04. Is its parent directory writable by the server?

    A-ha! So the ONLY way to create the uploads/2007/04 directory is to make the wp-content world writable with 777 permissions. OK I changed permissions and then attempted to upload the image again. Success.

    Now I have to change the directory ‘wp-content’ back to 755. Done!

    But lo and behold, the newly created directories…

    wp-content/uploads/2007/04
    wp-content/uploads/2007
    wp-content/uploads

    …now have permmissions of 777 and are owned by nobody (the server).

    So if WordPress didn’t create these world-writable directories, owned by the server (nobody) then what am I missing?

    How is this secure? Furthermore, since they are owned by the server, I cannot rename them, change their permissions or delete them unless I call my webhost and have them change ownership to me.

    So help me out here doodlebee and explain to me what just happened cuz I’m just not getting it.

    Moderator Samuel Wood (Otto)

    @otto42

    WordPress.org Tech Dude

    So if WordPress didn’t create these world-writable directories, owned by the server (nobody) then what am I missing?

    From what you just said, WordPress did create them. Where’s the confusion?

    How is this secure?

    Who said it was secure?

    If you allow uploads to happen over the web, it is not secure. Period. End of discussion.

    There is *no* way to make a directory secure and still allow uploads over the web. None. Zero. Anybody who tells you otherwise is mistaken.

    This is not a WordPress specific problem. It’s a shared server problem, and anybody trying to allow web uploads on a shared server, on any software package, is vulnerable. There’s no way around it.

    The confusion is because doodlebee said
    “The problem here is that *WordPress* doesn’t set permissions for *anything*.”

    My question “How is this secure?” was sort of a rhetorical question. It’s not secure.

    WP doesn’t.
    Your webserver did when it created those directories. It based them on the parent directory.

    I understand now that WP technically doesn’t set the permissions, but WP enables it by requiring that the parent directory be world-writable in order for the uploads directory to be created by the server.

    You know what, I finally get it. And for me, having the ability to upload photos via the dashboard is simply not worth the risk.

    Moderator Samuel Wood (Otto)

    @otto42

    WordPress.org Tech Dude

    but WP enables it by requiring that the parent directory be world-writable in order for the uploads directory to be created by the server.

    You don’t have to let WP create the uploads directory. You could have created the directory yourself and give it any permissions you like.

    But regardless, those directories still have to be world-writable for WP to write anything to them in the first place. This is the way permissions work.

    Moderator Andrew Ozz

    @azaozz

    WordPress Dev

    Moderator Andrew Ozz

    @azaozz

    WordPress Dev

    The (more) secure way of uploading anything is http://ftp... Even you can get a hosting plan with an anonymous ftp account if you need that. Uploading through the web is way less secure than ftp and depends a lot on the shared server configuration. On my test install (Ubuntu LAMP on an old 400MHz PC configured with 5 accounts) all WP directories are set to 755 and I still can upload through WP.

    On my shared hosting account, directories are at 755 and everything works fine as well.

    Which was the point I’d tried to make about 15 posts ago: Servers are configured in many ways… some much more “friendly” to this sort of fun stuff 🙂

    But lo and behold, the newly created directories…
    wp-content/uploads/2007/04
    wp-content/uploads/2007
    wp-content/uploads
    …now have permmissions of 777 and are owned by nobody (the server).

    That means your could set the permissions to 700 and only the web server (including WP) will be able to write to them. That sounds pretty secure to me.

    Bobcat, It’s not secure if someone has hacked into the shared host somewhere because they have server rights. They have free reign. Furthermore if I set permissions to anything other than 777, WP will NOT upload anything because I don’t have world-writable permissions on the Uploads directory.

    Furthermore, setting permissions to 700 results in this error…
    “Warning: is_dir(): Stat failed for /home/xxxxxx/public_html/blog/wp-content/uploads/2007 (errno=13 – Permission denied) in /home/xxxxxx/public_html/blog/wp-includes/functions.php on line 970

    Warning: is_dir(): Stat failed for /home/xxxxxx/public_html/blog/wp-content/uploads (errno=13 – Permission denied) in /home/xxxxxx/public_html/blog/wp-includes/functions.php on line 970

    Warning: Cannot modify header information – headers already sent by (output started at /home/xxxxxx/public_html/blog/wp-includes/functions.php:970) in /home/xxxxxx/public_html/blog/wp-includes/functions.php on line 1219
    WordPress

    Unable to create directory /home/xxxxxx/public_html/blog/wp-content/uploads/2007/04. Is its parent directory writable by the server?”

    The only way to upload on my server through the dashboard is with 777 permissions.

    Time to move on.

    As well, setting my uploads folder on a test install to 700 fails to allow display of graphics previously uploaded by ftp, stored in specific folders, and called by a normal link in a post.

    Too bad too, because that would have been really nice.

    “It’s clear to me from reading about this issue a lot, both here and other forums and websites, that this is a big problem on WordPress Blogs.”

    Not quite correct. This is a big problem with all web applications which allow file uploads.

    I belong to the non-programmer camp, but I know Gallery2 (G2) wants you to put your “data” folder (where you upload files and photos via the admin/dashboard) above/behind the public_html folder so it’s not viewable with a browser. But G2 uses those photos of course so they’re viewable on your G2 site.

    Would this be an option for WP? To put the uploads folder above the public_html folder? (Where other folders live e.g. “etc,” “mail,” “.spamassassin” etc.).

    I realize this probably isn’t an option we can set up ourselves, but maybe it’s an idea for the coders who create WP. Of course, they probably learned this trick in kindergarden and there’s some reason they’re not doing it. 🙂

    But thought I’d mention it as I have this same issue. Soderlind’s forum’s has a post that has a solution, which I’ve tried with varying success.

Viewing 15 replies - 16 through 30 (of 41 total)
  • The topic ‘[Resolved] WP 2.1 Hacked via Uploads Directory’ is closed to new replies.