I have no idea what the hell happened! I woke up in the morning and I saw ALL the photos are gone.. including avatar, videos, games etc etc and some other stuff too. I think they got in folders that have permission 777. Everything else like database and all other folders with 755 and 644 are fine. Luckily, I do have a backup but I need to know what's the best way to stop this. So should I change all folders to 755? What will happen if I change /modules/boonex/photos/files to 755? Can members still upload or no? I'm not sure what to do here. :/ |
I think you may switch file permissions to 644 and folders to 777 like now.
The folder is writable, but the files are not.
|
Will that prevent a hacker removing my photos again if I leave modules/boonex/photos/files to 777? :/
|
No, files must have 644 permission, folders 777.
If the hacker can launch a shell script, he can do everything; this also depends on your provider!
|
Oh okay.. so you're saying that /modules/boonex/photos/files. I should change 777 to 644?

With this, they can upload photos. right?
|
This seems to be a serious problem in the script.. Hopefully we can resolve it asap before more people get in trouble.. |
It looks more like a user-end problem to me. I recommend you (OP) read the installation document for the proper permission settings for your server. Also keep in mind that someone could have gained access to your site through several different methods, such as careless management of your hosting account and FTP passwords. BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Oh okay.. so you're saying that /modules/boonex/photos/files. I should change 777 to 644?

With this, they can upload photos. right?
No. Without world write, then photos would not be able to be uploaded. Execute can be off for world and group, so 766 is the minimum. 755 is not writable by the apache server so it will not be suitable for directories that have to allow uploads. But a writable directory also allows deletes, so it's a catch-22. Damned if you do, damned if you don't.
Best you can do is make sure your server is fully up to date with all security patches, shut down any un-needed services, change your FTP and SSH passwords regularly with very complex passwords containing a mix of upper and lower case letters and a couple of numbers.
Go through the server's logs. You may find how the files were removed. Go through apache, ssh and ftp log files or any other relevant access logs.
https://www.deanbassett.com |
I have the same problem
my members' profiles are missing all the photos, the same for events, blogs etc. Take a look
and I have backup but when I upload the backup still missing the photos so I replace the old backup still the same
any idea why is not reading the images

Post Reply - if you going to help - No for - bla bla bla bla |
Yeah.. that's what happened to me. Someone told me that it's possible that someone uploaded some kind of script via file module or photo and run the script and scan all the files that CAN be removed. I looked at every single 777 folder and all the files in them are gone. I'm talking about ALL files in ALL 777 folders. Who has time to go through them and remove them manually? So, no, I don't think a hacker got into my server with my password. If he/she did, he/she would remove A LOT more than just files in 777 permission folders. Man, this is not good.
|
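One way to do the log review suggested earlier in the thread, narrowed to the scenario described above (a script placed in a writable upload folder and then requested over HTTP). This is an added example, not code from any poster or from BoonEx; the directory pattern, function names and log lines are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): scan an Apache access log for requests
# that hit anything other than an image inside the upload directories.

# Upload paths mentioned in the thread; adjust to the folders your install
# keeps writable. This pattern is an assumption, not a Dolphin setting.
UPLOAD_DIRS_RE='^/modules/boonex/(photos|avatar)/(data/)?(files|images)/'

# Print "client method path status" for each suspicious request in log $1.
# Expects the Apache "combined" format: $1 client, $6 "METHOD, $7 path, $9 status.
find_upload_dir_hits() {
    awk -v dirs="$UPLOAD_DIRS_RE" '
    {
        method = $6; sub(/^"/, "", method)
        path = $7; sub(/\?.*$/, "", path)       # drop the query string
        lc = tolower(path)                       # match extensions case-insensitively
        if (lc ~ dirs && lc !~ /\.(jpe?g|png|gif)$/)
            print $1, method, path, $9
    }' "$1"
}

# Write a few constructed log lines (documentation IP ranges) to a temp file
# and print its path.
write_sample_log() {
    local log
    log=$(mktemp) || return 1
    cat > "$log" <<'EOF'
192.0.2.10 - - [01/Jan/2011:03:14:07 +0000] "GET /modules/boonex/photos/data/files/1024.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2011:03:15:22 +0000] "POST /modules/boonex/photos/data/files/x.php?a=1 HTTP/1.1" 200 312 "-" "curl/7.21"
198.51.100.7 - - [01/Jan/2011:03:15:40 +0000] "GET /modules/boonex/avatar/data/images/tool.PHP HTTP/1.1" 404 210 "-" "curl/7.21"
192.0.2.10 - - [01/Jan/2011:03:16:01 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
EOF
    printf '%s\n' "$log"
}

# Usage: bash scan_log.sh /var/log/apache2/access.log
if [ "$#" -gt 0 ]; then
    find_upload_dir_hits "$1"
fi
```

A hit with status 200 means the server answered for a non-image file in an upload folder; the client address and timestamp on that line are where to continue in the FTP and SSH logs.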
I think this needs to be fixed
when a member uploads something in the site, admin needs to accept these files before something stupid happens to the site
must files need to be checked by admin
Post Reply - if you going to help - No for - bla bla bla bla |
Oh another thing... I have two backups in my live sites. Example...
I'm running mysite.com right now
My two backups are in mysite.com/test1 and mysite.com/test2
test1 is just my test site. I test.. fix.. copy over to live site. And test2 is not accessible. All the files in 777 folders in test1 and test2 are gone too. I find it a bit strange. Luckily I do have a backup which is outside of the main root and all the files in 777 folders are there. To me, it sounds like something that person did and POOF all the files in www folder were gone. There's no way they could do that one by one manually.. even via FTP. We need to know how they did it.
|
yeah good idea.. I don't want that file modules anyway. I'll disable it in membership level.. I don't know if that solves the problem. :/ Pretty scary
I think this needs to be fixed
when a member uploads something in the site, admin needs to accept these files before something stupid happens to the site
must files need to be checked by admin
|
I install the files module but
no one can use the files link or upload because it is disabled by membership, only admin can upload files
only my members can upload videos, photos, and sounds
I have 3 backups and still don't know why when I put these photos back so everyone can have the photos back in profile it's still not working, members are still missing photos in profiles
Post Reply - if you going to help - No for - bla bla bla bla |
Damn I can't wait for Dolphin10 to be released, it's gonna be awesome :) |
The following article might give some ideas about what to do with 777 file permissions
http://www.dionysopoulos.me/blog/777-the-number-of-the-beast
Dedicated servers for as little as $32 (28 euro) - See http://denre.com for more information |
The perfect shared host runs on suPHP
This is the ideal case, when your host's servers run on suPHP, like Rochen does. suPHP is a very clever workaround to the permissions problem. Instead of running PHP under the web server's user and group, it runs PHP under the owning user and group of the PHP file. This means that only the first number of the permissions is important, while the second and third ones can be set to 4 (just read) or 5 (read, browse) for directories. Don't use 0, as you'll be denying access to non-PHP content, such as images, Javascript and CSS files. In this case, the perfect permissions are 0644 for files and 0755 for directories, which you can set using your favourite FTP software.
If unsure, there's an easy way to figure out if your host runs on suPHP. Go to Joomla!'s administrator back-end and click on the Help, System Info menu item. If the “Web server to PHP interface” reads CGI or FastCGI there's a good chance that your host is using suPHP. Just ask them.
Amen to this I have been running suPHP on my shared server from the get go and have never seen that problem
|
Thanks for posting this! I think this is exactly what I need! I'm running a dedicated server and I don't quite understand the last part.
"You can edit Apache's configuration file and do something magical. Configure Apache to run under the same user as the owning user of the one and only site you're hosting. That's right. It's that simple. From that point, you can simply use 0700 permissions for directories and 0600 permissions for files."
I have Webmin so what exactly do I have to do to configure Apache? Can anyone help me a bit on this. I think this will STOP it. :)
|
Patrick do you have cpanel/whm on your server?
|
Fohh sorry Patrick didn't catch the webadmin.. sorry can't help you with that, I run cpanel/whm. You might try DosDawg |
No.. I just have Webmin... it's almost like cpanel but doesn't have a whole lot of features. It does have "Apache Webserver" where I can configure Apache. Where should I look to change it?
|
Look for suPHP and enable it also look for cgi / fastcgi and enable that |
Is suPHP for shared servers only? I'm not on a shared server. I'm running a dedicated server. In the article, I think I have to do something differently for a dedicated server. I dunno.. correct me if I'm wrong
|
Probably right, I would do a search in Google for how to set up suphp in webmin.. I know you'll find the answers you're looking for.
|
You can change what user and group apache runs as in the config file.
I can only tell you what to edit for redhat based servers. That would be redhat, centos and fedora.
First get to a root shell.
Stop the apache service.
service httpd stop
The config file is found in /etc/httpd/conf/httpd.conf
Then in that file look for
User apache
Group apache
Change apache to the user you want it to run as.
start the server.
service httpd start
But yea, if you can get suphp installed, you're most likely better off with that than trying to manually secure your server.
I also believe centos and redhat enterprise do not have suphp installed by default, I don't even believe that it is available in the default RPM repositories. So you may need to get it elsewhere.
If you have redhat or centOS, ask DosDawg, he will know.
https://www.deanbassett.com |
Bummer! I'm running Linux Debian. Will this work on Debian? Okay, I'll ask DosDawg.
|
Not exactly. Debian based systems have the files in a different spot.
/etc/apache2 I think is the folder.
But I am not entirely sure, but I am sure you can find that info through a Google search.
https://www.deanbassett.com |
I found a mystery file in modules/boonex/photos/data/files
File called: ziYoZSKs
File Size: 402MB
is this normal or WTF
Post Reply - if you going to help - No for - bla bla bla bla |
No. Only images should be in there.
https://www.deanbassett.com |
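A filesystem check for two points raised so far: world-writable (777) folders, and the answer that only images belong in the photo folder. This is an added example, not code from the thread or from Dolphin; the function names and the demo tree are made up, and the image test only looks at JPEG, PNG and GIF signatures.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): audit a web root for world-writable
# directories and for non-image files sitting inside them.

# Print every directory under $1 that is writable by "other" (777, 757, ...).
list_world_writable_dirs() {
    find "$1" -type d -perm -0002 -print 2>/dev/null | sort
}

# Succeed if $1 starts with a JPEG, PNG or GIF signature. The check reads the
# first bytes, not the file name, so a script renamed to .jpg still fails it.
is_image() {
    local magic
    magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        ffd8ff*)  return 0 ;;   # JPEG
        89504e47) return 0 ;;   # PNG
        47494638) return 0 ;;   # GIF87a / GIF89a
        *)        return 1 ;;
    esac
}

# For each world-writable directory, print "SUSPECT <bytes> <path>" for every
# regular file directly inside it that does not look like an image.
audit_upload_dirs() {
    local dir f size
    list_world_writable_dirs "$1" | while IFS= read -r dir; do
        find "$dir" -maxdepth 1 -type f -print | sort | while IFS= read -r f; do
            if ! is_image "$f"; then
                size=$(wc -c < "$f" | tr -d ' ')
                printf 'SUSPECT %s %s\n' "$size" "$f"
            fi
        done
    done
}

# Build a small constructed tree for a dry run; prints its path.
# Directory and file names here are made up for the demonstration.
build_demo_tree() {
    local root
    root=$(mktemp -d) || return 1
    mkdir -p "$root/photos/files" "$root/inc"
    chmod 755 "$root/photos" "$root/inc"
    chmod 777 "$root/photos/files"
    printf '\377\330\377\340demo' > "$root/photos/files/ok.jpg"      # JPEG magic
    printf '<?php echo "demo"; ?>' > "$root/photos/files/fake.jpg"   # not an image
    printf 'opaque' > "$root/photos/files/blob"                      # no extension
    printf 'config' > "$root/inc/header.txt"                         # 755 dir: ignored
    printf '%s\n' "$root"
}

# Usage: bash audit.sh /path/to/webroot
if [ "$#" -gt 0 ]; then
    audit_upload_dirs "$1"
fi
```

Run it from cron against the web root and compare the output between runs; a new SUSPECT line with an unexpected size is the kind of file reported in the post above.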
Wow
Thanks for telling me man
I download the file to my PC
but I can't open the damn file to see what is inside
I scan the files with Avast Antivirus no virus found
Post Reply - if you going to help - No for - bla bla bla bla |
what's the file extension and when was it created
|
Post Reply - if you going to help - No for - bla bla bla bla |
If you upload a new photo now, does it appear at all or even then it's not there. |
I thought I already explained that.
get_image/file is not a path or folder or directory or whatever you want to call it. It's friendly URL parameters passed to a class in the photo module.
get_image translates to the actionGetImage function located in the module BxPhotosModule.php. That function takes 2 parameters. One param is file and the other is the 1f9046ed22a818d9d044879bf3303c43.jpg
And that file name is not a real file name. It is the hash stored in the database.
I know the explanation is not going to help you. It's not easy to explain. But the URL is valid, as I pointed out in another forum topic.
https://www.deanbassett.com |
Quick question.. how do I know if I have suPHP or not? It should say it in phpinfo, right? |
It looks more like a user-end problem to me. I recommend you (OP) read the installation document for the proper permission settings for your server. Also keep in mind that someone could have gained access to your site through several different methods, such as careless management of your hosting account and FTP passwords.
this would be my first guess. also if you are on a dedicated or vps, you can read the logs and the logs will say when x was removed, and it will show an IP address of who was logged in.
this would be my first guess, is that there was some loose security in regards to your login credentials....
i have provided an answer in a little more detail to one of the members on this thread who sent me an inquiry.
unfortunately, there is no quick and fast answer on this. if you are not familiar with the server setup, and if you are not taking all steps as recommended by boonex for setting file permissions on this application, you are pretty much setting yourself up for collapse.
server security hardening specifically on shared environments is not an easy task, reason being, is that those shared servers in most cases have the need to run several different scripts with several different variants, so securing just for dolphin could break several other scripts. now that would cost them clients, so they opt for global configs that are more in tune with generalized scripts such as wordpress and joomla, which can basically run on any environment, not saying that because it can run on any environment it's secure, because the security is then placed in the hands of the site owner, and not so much on the server.
sys admin and server security is a never ending battle, and there are those of us, who invest heavily time and money in ensuring our clients are as safe as they can be.
When a GIG is not enough --> Terabyte Dolphin Technical Support - Server Management and Support |
Thank you DosDawg! I read the email. I'm running Debian on a dedicated server and I only have webmin. I do not have cpanel or anything like that. My FTP password is something like this "DfesD3#$SdfS#dsdfmll!76^%" I never remember it. I just copy and paste every time I log in. I believe it's not the password. Denre posted this url link - http://www.dionysopoulos.me/blog/777-the-number-of-the-beast and it says it all. I believe I have set them in the correct permission level. Boonex recommends me to set 777 for some folders like boonex/photos/data/files, boonex/avatar/data/images so on but deano told me I should try 766. Hmmm what is the best way to do it? 777 seems like a "back door" for anyone to go in and destroy the files. I know it has to do with 777 but I'm not sure how they did it.
For example, I have aramis Inviter mod. I have to set "tmp" folder to 777 in modules/aramis/inviter/octazen/invitre/tmp/ and the two folders (ozstate and ozupdate) in tmp folder are gone.
It's a long path but why would anyone go that far and just remove the 2 folders.. why not just remove the entire aramis folder? It's pretty clear that this hacker has some kind of program or script that does the work automatically. Not just aramis folder.. I'm talking about ALL folders with permission 777 in the entire root folder. It's like.... "scan... find 777 folder.... remove files".
Hmmmm.... I dunno man.. I THINK suPHP may stop the 777 situation. I can be wrong but suPHP does make sense tho. Is suPHP hard to install without cpanel? I have been asking around and one guy (who is not boonex user) offered me 80 dollars to install it.. I looked at the instruction and I don't think it's that complicated. I just don't want to do it myself for the first time. You think $80 is too pricy?
|
In case of a hack attempt, the hacker will get access to ALL your files if you have suPHP.
suPHP makes sense on shared hosting only, to prevent one user from uploading files to 777 dirs of another user. But this problem can be solved with base dir restriction on regular setup.
Also suPHP makes your site slower and you will not be able to use any php accelerator!
Rules → http://www.boonex.com/terms |
I suggest to check 3rd party modules. There is no such known issue in Dolphin 7.0.3.
Ask your hosting support to check related log files to help in identifying the source of the problem.
Switching to suPHP can make things worse - since a hacker can get access to all your files, not only files in 777 folders.
Rules → http://www.boonex.com/terms |
awww... Where have you been? It's been 2 days. :/ Okay I will tell the server guy about this. It's easy when people say.. "well no one has been attacking to my site so I'm fine." Of course it's fine because they haven't done it to them....... yet.
What are the 3rd modules? please tell more.
Thanks
|
By 3rd party modules Alex means any extensions that you might have added to Dolphin apart from the default package, such as those sold here at Unity. Also, if possible, try to turn them off and see how it goes. Heart Head Hands |
For someone who's pinning security problems on third party modifications, you sure are busy making security-related fixes today. BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin |
Hmm okay it doesn't make sense. What does it have to do with 777 access? I'm speaking of all "777" folders including boonex modules. I don't know what's going on but I have one guy looking into my server and searching for weakest spots. I really hope it will not happen again. I'm telling ya.. It's SCARY. :/
|