-7

Someone has modified a PHP file, which had permissions set to 777, on my VPS server.

How can someone do that without administrative access to the server?

What information can I give you?

I know nothing was modified through FTP or through the Kloxo control panel. So PHP would be the only way?

How can the 777 permission allow someone to modify a PHP file on a web server?

Gilles 'SO- stop being evil'
  • What's the question here? – Polynomial Feb 11 '13 at 18:57
  • Someone can not, in fact, access your server without access to your server. – Cory J Feb 11 '13 at 19:28
  • Cory, possibly not helpful but you get the ups for the cut of your jib :-P – grauwulf Feb 11 '13 at 19:33
  • "PHP injection" is not a real vulnerability. Someone modifying files on your system is the result of a vulnerability. – rook Feb 11 '13 at 20:19
  • @Rook, I'm sorry... Maybe I misread that. "Runtime code injection isn't a 'real' vulnerability?" You may want to take that one over to academic.so, I think you have a new thesis statement there. – grauwulf Feb 11 '13 at 21:04
  • @grauwulf The OP didn't say anything about run-time injection... also, if you were to hijack an eval() I still wouldn't call it PHP Code Injection... it doesn't sound right in my mind. – rook Feb 12 '13 at 19:32
  • @Rook, fair enough. On the whole I would agree with you in relation to most scripting languages but PHP's capacity to demolish an application or even a system elevates it to full-fledged evil in my mind. Different strokes for different folks I guess. – grauwulf Feb 12 '13 at 20:50
  • Do not completely change your question like this! If you want to ask a different question, use the “Ask Question” button to create a new post. Not that what you wrote in your completely changed question was on-topic or answerable (far too little information, and not security-related). – Gilles 'SO- stop being evil' Feb 13 '13 at 13:59

2 Answers

9

The "777" is octal for local permissions in the Unix sense; this means that the file can be written to by any process on this machine (all users have read and write access to the file). This is local: this is about access rights for processes which run on the machine. Someone from the outer world does not have, by default, the possibility to make arbitrary processes run on your system under any user ID.

However, you say "PHP", which means that you operate a Web site with PHP enabled. Thus, you may have a security hole in your site which allows an attacker, with the help of maliciously crafted requests, to trigger a file write operation where the attacker can choose the target file. The operation will be performed by the Web server process, with the user ID under which that process runs (e.g. www-data -- that's what it does on my server). Since the target file is "world-writable", the write succeeds. The "777" access rights are not the security hole here, but they help the attacker by giving him ways to exploit the hole into further mischief.

(This is all guesswork. You are not exactly giving me a lot of information here.)

Tom Leek
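The local permission check described in the answer above, as an added example that is not part of the original answer: it applies the classic owner/group/other rule to decide which entries under a document root a given non-root account (such as the web server's) could modify. The file names and uid/gid values are constructed for illustration, and ACLs and root privileges are ignored.

```python
import os
import stat
import tempfile

def can_write(mode, file_uid, file_gid, proc_uid, proc_gids):
    """Classic Unix write check for a non-root process (ACLs ignored)."""
    if proc_uid == file_uid:
        return bool(mode & stat.S_IWUSR)  # owner class applies, even if it is stricter
    if file_gid in proc_gids:
        return bool(mode & stat.S_IWGRP)  # group class
    return bool(mode & stat.S_IWOTH)      # "other": the last octal digit (the final 7 in 777)

def audit_docroot(root, proc_uid, proc_gids):
    """List (relative path, octal mode, world_writable) for entries the process could modify."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Directories matter too: write access there allows replacing files inside.
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            if can_write(st.st_mode, st.st_uid, st.st_gid, proc_uid, proc_gids):
                findings.append((os.path.relpath(path, root),
                                 oct(stat.S_IMODE(st.st_mode)),
                                 bool(st.st_mode & stat.S_IWOTH)))
    return sorted(findings)

def demo():
    """Constructed docroot: one 777 file and one 644 file, audited for a foreign uid."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("index.php", 0o777), ("config.php", 0o644)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("<?php // placeholder\n")
            os.chmod(path, mode)
        # Stand-in for the web server account: a uid that does not own the files
        # and shares no group with them (assumption for this demo).
        web_uid = os.getuid() + 1
        return audit_docroot(root, web_uid, set())

if __name__ == "__main__":
    for rel, mode, world in demo():
        print(f"{rel}\t{mode}\tworld-writable={world}")
```

Running `audit_docroot` against a real document root with the web server's actual uid and group ids shows exactly which files a write triggered through the site could reach.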
2

The reason someone was able to modify your file is that the 777 permission set gives full read, write, and execute to all users who interact with that file. In your case it is most likely that someone used your PHP script, or a different one, to edit your files on the server. Sadly, PHP has many functions that allow this type of manipulation (i.e. everything in the exec family). To avoid this type of problem in the future you will need to carefully review your file permissions as well as your PHP scripts.

Without those scripts, however, I'm afraid that SO will not be able to provide much in the way of directed guidance.

Gilles 'SO- stop being evil'
grauwulf