Member Avatar for pjh1985

Hi, I have a website that keeps getting hacked allowing them to upload a phishing website and i was after some advice on how to stop it.

The site is a dynamic website and after reading a guide i have added some code to the htaccess file to stop any requests for pages with http:// etc in. I was also going to change the chmod settings to stop access to certain directories.

So, I was wondering what should I be setting the chmod settings too? and is there anything else i can do to reduce the risk of this happening again.

I have a folder for the main site pages etc, a userfiles folder where images etc can be uploaded too and then several different scripts type folders. I imagine the userfiles folder would need to be left with unrestricted access but im unsure about the rest.

Any help would be great!

  • 2 Contributors
  • 1 Reply
  • 226 Views
  • 3 Days Discussion Span
  • Latest Post Latest Post by vectro
Member Avatar for vectro

I was wondering what should I be setting the chmod settings too? and is there anything else i can do to reduce the risk of this happening again.

The problem with changing directory permissions is that they might cease to function properly on the web. For example, setting -x can prevent them from being accessed by anyone. Taking away read permissions from user, group or world could do the same. User should have write permissions, but group and world should not. The only thing needed for directories should be chmod g-w if they're not like that already. To simplify, chmod 755 is appropriate for directories.

I have a folder for the main site pages etc, a userfiles folder where images etc can be uploaded too and then several different scripts type folders. I imagine the userfiles folder would need to be left with unrestricted access but im unsure about the rest.

I'm not sure what language you're using, but I can comment if it's PHP. This is tricky and the way in which Apache uses PHP makes a difference. Handlers like suphp and fcgi will make a huge difference here. Either one will enhance security where directories and files need to be written to via PHP web applications. They each force PHP scripts to run as the user who owns them instead of allowing them to run as the 'nobody' username that Apache uses. This means files DO NOT have to be world writable for a PHP application to write to them. They only need to be writable by the user. The suphp and fcgi handlers eliminate the need for chmod 777 of directories and files which need to be written to by PHP scripts.

Edited by vectro because: n/a
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.