A couple of basic tips, if anyone cares:
- Contact your host and ask them to "change the suEXEC user on my domain to a separate user account". Most of these cPanel hosts have suEXEC enabled, which means Apache is running under the same user as all your files / directories are owned by. If you log in via FTP with "mysite", then Apache is most likely running as user "mysite". This is a huge security hole, because it means any PHP page that gets loaded via the web browser has full permission to modify all files / directories on your domain.
For example, if you log in via FTP with "mysite", then Apache should be configured to run as, say, "mysite_httpd", or whatever. They should never be the same, though.
- Ensure any directories you have CHMODed to 0777 (e.g. /tmp/, /cache/, etc.) are NOT viewable via web browser. Modify the Apache / Nginx configuration as needed, so a 403 Forbidden error is thrown when trying to view those directories.
Follow these two simple things, and I bet a lot of the hacks you guys experience stop. Right now, all people have to do is get a shared account on the same server as you, find one file on your domain that's CHMODed to 0777 (can even be a .txt file in some /tmp/ directory), and that's it. Within seconds, they have full control over your domain. They just modify the file and add some PHP code that's a remote file & database manager, rename to .php if needed, then open it up in their web browser. Since Apache is running as the same user as all your files / directories are owned by, they have full access to all files on the domain.
EDIT: Oh, and ionCube your database info. Most of these systems have a config.php file or similar. Sign up at ioncube.com, and use their online encoder to encode that file.
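As an added example (not part of the original post, and not a cPanel or ionCube tool), here is a small POSIX sh audit that checks a document root for the two conditions the post describes: files owned by the account PHP runs as, and world-writable (0777) paths. It also prints Apache 2.4 and nginx fragments that return 403 for each world-writable directory. The paths, user names and URL prefix are whatever you pass in; nothing on disk is changed.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a docroot for the two
# conditions described above:
#   (1) files owned by the user the web server's PHP executes as, which any
#       served PHP page can therefore overwrite ("same user" hole), and
#   (2) world-writable (0777 / o+w) paths that other tenants on a shared box
#       could modify, then rename to .php and open in a browser.
# Assumptions: POSIX sh, find(1), id(1). User names, docroot and URL prefix are
# the caller's; none of the names below are real hosting defaults.

# Print every path under $1 that is world-writable (other-write bit set).
# Symlinks are skipped: their own mode is meaningless, the target's counts.
find_world_writable() {
    find "$1" ! -type l -perm -0002 2>/dev/null | sort
}

# Print every path under $1 owned by user $2 (the account PHP executes as).
# If $2 is also the FTP account that owns the site, every hit is writable by
# any PHP page served from the domain.
find_owned_by_web_user() {
    find "$1" -user "$2" 2>/dev/null | sort
}

# One-line summary: counts of world-writable paths and paths owned by $2.
audit_summary() {
    ww=$(find_world_writable "$1" | wc -l | tr -d ' ')
    owned=$(find_owned_by_web_user "$1" "$2" | wc -l | tr -d ' ')
    printf 'world_writable=%s owned_by_%s=%s\n' "$ww" "$2" "$owned"
}

# Emit Apache 2.4 and nginx fragments that return 403 for each world-writable
# directory under docroot $1, so /tmp/- and /cache/-style directories are not
# reachable through a browser. $2 is the URL prefix the docroot is served at
# ("/" for the site root). The docroot itself is skipped: if that is 0777 the
# fix is chmod, not a deny rule.
deny_config_for_writable_dirs() {
    docroot=$1
    urlbase=${2%/}
    find "$docroot" -type d -perm -0002 2>/dev/null | sort | while IFS= read -r dir; do
        [ "$dir" = "$docroot" ] && continue
        rel=${dir#"$docroot"}
        rel=${rel#/}
        printf '# Apache 2.4 (httpd.conf or vhost) for %s\n' "$dir"
        printf '<Directory "%s">\n    Require all denied\n</Directory>\n' "$dir"
        printf '# nginx (server block)\n'
        printf 'location ^~ %s/%s/ {\n    deny all;\n    return 403;\n}\n\n' "$urlbase" "$rel"
    done
}

# Usage: sh audit.sh /home/mysite/public_html mysite_httpd /
# (hypothetical paths and user; substitute your own)
if [ "$#" -ge 2 ]; then
    audit_summary "$1" "$2"
    find_world_writable "$1"
    deny_config_for_writable_dirs "$1" "${3:-/}"
fi
```

Run it once with the FTP account name as the second argument: a non-zero `owned_by_` count with that name means PHP can rewrite those files as their owner, regardless of mode. Run it again after the host has moved PHP to a separate account. The `find_world_writable` list is what another tenant on the same server can reach; anything in it that is not a directory PHP genuinely needs to write should lose the 0777, and every directory that stays writable should get one of the emitted deny blocks.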