
Someone is trying to hack my website. I have a website built on PHP (7)/MySQL in the Laravel framework. The owner of /var/www is www-data, folder permissions are set to 700 for all folders and file permissions are set to 600. Still, the hacker is able to modify the content of index.php and he was also able to delete a few PHP files. The server is Ubuntu 17.04 and the web server is Apache.

I need immediate guidance on how he is able to write files in a folder which has a permission 700. I would really appreciate your help and guidance. Please let me know if you need more details to understand the problem.

  • 700 and 600 still allow write to the owner. Is the owner the same for the folders and files? I would check your logs to make sure no accounts have been compromised (like root). Might be wise to change passwords too. – SpiderIce Oct 16 '17 at 17:34
  • Thank you for responding @SpiderIce. So yes, only root can write to folders. I use SSH keys to log in as root, that's why I haven't changed the password, considering SSH key login secure enough. Are you referring to Apache logs? – Krishna Oct 16 '17 at 17:39
  • And yes, the owner (www-data) is the same for both folders and files. – Krishna Oct 16 '17 at 17:42
  • I would check Apache logs and OS logs (/var/log/httpd/ and /var/log/auth.log). You need to find out how they are accessing your server and plug the hole. Make sure your firewall is working correctly (port scan your server). Check if your server is patched on the OS and application to make sure they aren't using a vulnerability in some old code. – SpiderIce Oct 16 '17 at 18:02
  • Sorry, but www-data can write to these folders and files since it's the owner, not just root. What is this user doing? Running the Apache server. So I'd look at some flaw in the PHP code of Laravel, or general Apache permissions including .htaccess – A.B Oct 16 '17 at 18:18
  • I would also review these: https://serverfault.com/questions/357108/what-permissions-should-my-website and https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server-files-folders-have-on-a-linux-webserver – SpiderIce Oct 16 '17 at 18:42
  • Thank you again @SpiderIce. I checked my logs and git status and saw some suspicious files, which were created using a file upload functionality in my website. It was a PHP file with some malicious code and it does a lot of things like creating/removing/updating directories and files. I will need to fix this part of the website. Can you recommend some best practices for setting up directory users and permissions on Linux? Your pointers were more than helpful. You can add it as an answer and I will happily accept that. Thank you very much for your help. – Krishna Oct 16 '17 at 19:18
  • Thank you very much @A.B for your response, it was very helpful. – Krishna Oct 16 '17 at 19:19

2 Answers


If your Apache server is running as a user other than www-data, replace www-data with that user below.

The owner should be any user other than www-data. I use an unprivileged user that is used to update the site. Group should be www-data. Permissions should be 750 for directories and 640 for files. This will prevent Apache from writing to the directories and files. If you use permissions 755 and 644, then any user on your server can read the data. This can be used to allow a third account to audit the content, possibly comparing to a reference copy of the content.

If you have an upload directory, it should either be owned by www-data or have permissions 770. Watch this carefully as it can be used to drop malware. Configure Apache to prevent execution of anything in this directory. Use the configuration file for this, as it will be possible to overwrite files like .htaccess in this directory.

The above rules apply to all directories and files referenced by your configuration. Recursion counts, so apply the rules using recursive configuration.

The following commands will lock down the /var/www. You can replace daemon with any user other than www-data. Change the uploads directory to your uploads directory.

find /var/www -type d -exec chmod 750 {} +
find /var/www ! -type d -exec chmod 640 {} +
find /var/www -exec chown daemon:www-data {} +
chmod 770 /var/www/uploads

Add an entry like this. See the Options documentation for details if you want some options on.

<Directory "/var/www/uploads">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

Please note that there may be malware dropped into /tmp and any other location that can be written by www-data.

BillThor
  • Thank you @billthor for the detailed response. The suggestion of handling the upload directory with permission 750 and Apache configuration is really useful. Though in a directory structure like /var/www/html/my-website, who should own the /var/ directory, will it be www-data or a user from this group? Right now I have www-data as the owner of the "var" directory and it has permission 755. – Krishna Oct 17 '17 at 08:50
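As an added example that is not part of BillThor's answer: a POSIX shell script that applies the scheme above (750 for directories, 640 for files, 770 for the upload directory) using find's `{} +` terminator, and then audits the tree for anything outside the upload directory that group or others can still write. The owner daemon and group www-data are the ones the answer uses; the demo builds a constructed throwaway tree under mktemp instead of touching /var/www, and the chown step is skipped unless the script runs as root and both accounts exist.

```shell
#!/bin/sh
# Added example, not from the answer: lock down a web tree and verify it.
# Assumptions: $owner/$group are the unprivileged site owner and the Apache
# group (daemon:www-data as in the answer); chown only runs as root.

# Apply 750/640, chown to owner:group, and open the upload directory to the group.
lockdown_tree() {
    root=$1; uploads=$2; owner=$3; group=$4
    find "$root" -type d -exec chmod 750 {} +
    find "$root" ! -type d -exec chmod 640 {} +
    # chown needs root; the demo below runs unprivileged, so ownership is left as-is there.
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1 && getent group "$group" >/dev/null 2>&1; then
        find "$root" -exec chown "$owner:$group" {} +
    fi
    chmod 770 "$uploads"
}

# Count paths under $1 (skipping the upload directory $2) that have the
# group-write (020) or other-write (002) bit set; 0 means Apache cannot write.
count_writable() {
    find "$1" -path "$2" -prune -o \( -perm -020 -o -perm -002 \) -print |
        awk 'END { print NR }'
}

# Same audit, but print the offending paths so they can be fixed by hand.
list_writable() {
    find "$1" -path "$2" -prune -o \( -perm -020 -o -perm -002 \) -print
}

# Constructed sample tree standing in for /var/www, deliberately left
# world-writable first to show the audit catching it.
demo_lockdown() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/app/public" "$tmp/uploads"
    printf '<?php echo "hi";\n' > "$tmp/app/public/index.php"
    printf 'not-a-real-image\n' > "$tmp/uploads/photo.jpg"
    chmod -R 777 "$tmp"                      # the "before" state
    before=$(count_writable "$tmp" "$tmp/uploads")
    lockdown_tree "$tmp" "$tmp/uploads" daemon www-data
    after=$(count_writable "$tmp" "$tmp/uploads")
    rm -rf "$tmp"
    echo "before=$before after=$after"       # expected: before=4 after=0
}

demo_lockdown
# Real use, as root:  lockdown_tree /var/www /var/www/uploads daemon www-data
#                     list_writable /var/www /var/www/uploads
```

The audit deliberately excludes only the upload directory itself; files already inside it are still tightened to 640, so a file dropped there earlier stays readable by Apache but can no longer be rewritten by it. Re-running list_writable after every deploy is a cheap way to catch a build or upload step that silently loosens permissions again.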
  1. I would check Apache logs and OS logs (/var/log/httpd/ and /var/log/auth.log). You need to find out how they are accessing your server and plug the hole.
  2. Make sure your firewall is working correctly (port scan your server).
  3. Check if your server is patched on the OS and application to make sure they aren't using a vulnerability in some old code.

What permissions should my website files/folders have on a Linux webserver?

SpiderIce
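The log review in step 1 above, as an added example that is not part of SpiderIce's answer: a shell function that reads an Apache access log in combined format and flags every request for a .php file under the upload directory, which is the trace the asker's uploaded PHP file would leave. The /uploads/ prefix, the client addresses and the log lines are constructed for the demo; on Ubuntu the real file is /var/log/apache2/access.log.

```shell
#!/bin/sh
# Added example, not from the answer: detect PHP fetched from the upload path.
# Assumption: uploads are served under UPLOAD_PREFIX; change it to match the site.

UPLOAD_PREFIX=/uploads/

# Read combined-format log lines on stdin and print "client status path" for
# each request whose path starts with the upload prefix and names a .php file
# (with or without a query string).  Combined format fields: $1 client,
# $6 "METHOD, $7 path, $9 status.
flag_php_in_uploads() {
    awk -v prefix="$UPLOAD_PREFIX" '
        index($7, prefix) == 1 && $7 ~ /\.php([?;].*)?$/ { print $1, $9, $7 }
    '
}

# Constructed sample log standing in for /var/log/apache2/access.log.
sample_log() {
    cat <<'EOF'
203.0.113.5 - - [16/Oct/2017:17:02:11 +0000] "POST /profile/upload HTTP/1.1" 302 231 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Oct/2017:17:02:19 +0000] "GET /uploads/avatar.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Oct/2017:17:03:02 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 8412 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Oct/2017:17:04:40 +0000] "POST /uploads/avatar.php?x=1 HTTP/1.1" 200 77 "-" "curl/7.55"
198.51.100.7 - - [16/Oct/2017:17:05:00 +0000] "GET /index.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
EOF
}

# Run the detector over the sample; prints two hits for 203.0.113.5.
demo_flag() {
    sample_log | flag_php_in_uploads
}

demo_flag
# Real use:  flag_php_in_uploads < /var/log/apache2/access.log
```

A 200 status on such a request means the server executed or served the file, so each hit is worth pairing with the upload POST that preceded it from the same client to find the form that accepted the file; once the upload directory is configured not to execute scripts, the same search should only ever return 403s or nothing.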