• Resolved cnymike

    (@cnymike)


    My site is hosted on HostRocket.com

    I discovered, quite by accident, that somehow, someone had gained access to my world writable Uploads directory and uploaded over 42MB of crap… scripts, directories for all sorts of websites like viagra, mortgages, executables, etc… just absolutely shocking.

    The hacker basically had free rein over the entire Uploads directory because it was set by WordPress to have 777 permissions and is owned by the server.

    I don’t understand all the complexities involved in security, php scripts, shared hosting etc. But it seems awfully negligent to design a web application like WordPress that leaves directories World Writable. To top it off those directories are owned by the server so the user can’t even change the permissions to a more secure state without calling the webhost and having them change ownership of those directories to the user.

    I don’t understand fully how someone with the knowledge can gain access to world writable directories in a shared hosting environment and upload malicious php code into basically anyone’s directories, but it has happened to me three times… twice with WordPress and once with PHPwebsite. Pair.com was the host for PHPwebsite and HostRocket was the host for the two hacked WordPress sites.

    To thwart this in the future, the tech at HostRocket placed a .htaccess file in the Uploads directory that effectively prevents php scripts from running in that directory. The code he used was…

    php_flag engine off

    But please tell me why WordPress has world-writable directories by default and why there isn’t some mechanism to change those permissions easily from within WordPress to help with security?

    The tech at my webhost says he sees this sort of thing happening ALL THE TIME.

    Any input on this folks?
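    The two things the original post describes, a world-writable uploads tree and PHP scripts dropped into it, can be checked for and the host tech’s `php_flag engine off` fix applied from a shell. The script below is an added example written for this thread, not code from the poster, HostRocket or WordPress. It assumes Apache with `AllowOverride` enabled for the directory; the path in the comments is hypothetical, and the `.htaccess` it writes combines the host tech’s `php_flag` line (which only has an effect under mod_php) with a `FilesMatch` block that refuses to serve script files at all, so the rule still holds when PHP runs as CGI.

```shell
#!/bin/sh
# Added example (not from the thread): audit a WordPress uploads tree for the
# two conditions described in the original post, then install a
# PHP-disabling .htaccess. Assumes Apache with AllowOverride enabled for the
# directory. Example path: /home/user/public_html/wp-content/uploads (hypothetical).

# Print every world-writable directory under $1 (the 777 case from the post).
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null
}

# Print every file under $1 with a PHP-style extension. Uploads should hold
# media only, so any hit is worth looking at.
find_script_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.php[0-9]' \
        -o -name '*.phtml' -o -name '*.phar' \) 2>/dev/null
}

# Total number of findings; 0 means the tree is clean by both measures.
audit_uploads() {
    dirs=$(find_world_writable_dirs "$1" | wc -l | tr -d ' ')
    files=$(find_script_files "$1" | wc -l | tr -d ' ')
    echo $((dirs + files))
}

# Write an .htaccess into $1 that keeps PHP from running there. The php_flag
# line is the host tech's fix and only works under mod_php (wrapped in
# IfModule so it does not cause a 500 when PHP runs as CGI); the FilesMatch
# block denies direct requests for script files under any SAPI, with both the
# Apache 2.4 and 2.2 authorisation syntaxes.
write_noexec_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
<IfModule mod_php5.c>
php_flag engine off
</IfModule>
<IfModule mod_php7.c>
php_flag engine off
</IfModule>
<IfModule mod_php.c>
php_flag engine off
</IfModule>
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}

# Usage: sh harden_uploads.sh /path/to/wp-content/uploads
if [ "$#" -gt 0 ]; then
    echo "world-writable directories:"; find_world_writable_dirs "$1"
    echo "script files:"; find_script_files "$1"
    echo "total findings: $(audit_uploads "$1")"
    write_noexec_htaccess "$1" && echo "wrote $1/.htaccess"
fi
```

    Note that, as cnymike says later in the thread, an attacker who can write to the directory can also edit or delete the `.htaccess`, so re-running the audit on a schedule (and comparing the file against a known-good copy) matters as much as writing it once.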

Viewing 11 replies - 31 through 41 (of 41 total)
  • Thread Starter cnymike

    (@cnymike)

    I spoke with my webhost about the .htaccess “solution” and it’s not really a solution but to the most casual hacker. You see, if a hacker knows how to gain access to your webspace with user “nobody” then they will be able to modify, delete or do whatever they want to that .htaccess file. So it’s really not a true solution. Nonetheless, I have placed them in the directories that I must have 777 permissions on. I figure it can’t hurt and if it provides even a bit more protection while the directory is world-writable, then it’s worth it. But the real problem is that the hackers are coming in through the backdoor with probably some sort of rootkit installed in your webspace, so if it’s to that point, a .htaccess file won’t afford you any protection. That’s how my webhost explained it to me anyway.

    Thread Starter cnymike

    (@cnymike)

    Almost forgot to put this out there…

    my webhost said the best solution is to run php-cgiwrap.

    cnymike: thanks for the explanation of why that .htaccess file isn’t really a solution, I didn’t know that. I’ll look into php-cgiwrap.

    Thread Starter cnymike

    (@cnymike)

    Here’s the blurb on php-cgiwrap that came from my webhosts support area…

    “php-cgiwrap is a “script wrapper” that lets your scripts execute under your own userid and group instead of user nobody and group www. It works in the same fashion as cgiwrap but handles paths in such a way that it can be used to run PHP pages under your own userid. Running PHP pages under your own userid allows you to use chmod 700 to lock out other users on the server from viewing the source code. Locking out other users can be especially important if you are interfacing with a MySQL database, thereby preventing people from obtaining your password.”

    Sorry I’ve been remiss in joining in on this conversation, I’ve been unbelievably busy.

    Most of the questions asked of *me*, specifically, have been answered (thanks Otto and Handy) – and I agree with their statements about FTP pretty much being the only way to fly.

    I *did* want to address likoma up there:

    above/behind the public_html folder so it’s not viewable with a browser. But G2 uses those photos of course so they’re viewable on your G2 site.

    Of course this is an option. You can put your uploads directory anywhere you like. You tell WordPress *where* you want it in your “Options>Miscellaneous” section. However, the farthest up you can move as it’s set right now is your wordpress folder – it won’t allow you to go up any further than that.

    I would imagine with some coding, you *could* get it to move up the directory tree, but I don’t know how, right offhand, to do that. But it would be possible. I would say you’d have to use something to put the images inside your database, rather than the filesystem though (which is what Gallery 2 does).

    Thanks, doodlebee. Hopefully talk of these topics can help improve the situation at some release in the future. I’ve had a few sites hacked, but not *maliciously,* mostly a Turkish rapper who puts a bit of his music up there …

    For the record, I’m fine with FTP, but most of my clients (who I set up on WP), can’t spell FTP. ??

    Hi! I too have been having problems with Turkish hackers. I’ve got about 50 websites and they have placed files everywhere, especially in the cache directory, the rss directories, and anywhere they think people will not notice. The search engines do find them and that’s how I found some of their files. I also look at the statistics and see what files people are looking at most.

    This is what I’ve put in my .htaccess file, but there are way too many hacker sites to list, these are just the sites that have left their signature on my websites.
    They recently uploaded a c99 shell (back burner root kit) on 2 of my websites. My webhost did not even know it was there. This program can change all the permissions on all the directories at once and can imitate being a different ip address. Left by Adanus // Ayyildiz Team – Bundan Otesi Ya Istiklal Ya

    I deleted the 2 programs and let my webhost know what was going on but they cannot stop them apparently.

    Anyway, now I am working on a WordPress application but cannot figure out how to get the translation module to work. This plugin is supposed to translate the page into foreign languages and it goes to a blank page instead. Anyone know what the permissions are supposed to be on the WordPress directories? I don’t know if that is the problem or not.
    I have this in my .htaccess file

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress
    <Files 403.shtml>
    order allow,deny
    allow from all
    </Files>

    deny from 91.186.21.73
    deny from 67.43.239.87
    deny from 67.43.239.90
    deny from 62.68.196.25
    deny from 217.172.55.49
    deny from 77.232.72.95
    deny from 66.11.122.198
    deny from 72.9.250.162
    deny from 88.255.164.146
    deny from 70.47.143.45
    deny from 38.99.76.15
    deny from 84.16.234.244
    deny from 84.16.224.38
    deny from 209.126.151.24

    Thanks, Deb

    To add to the last post it is the
    global-translator plugin from nothing2hide.net, I don’t know why it is not working.

    Let me know if anyone is having the same problem.

    Thanks,

    Deb

    Actually in wordpress 2.2 you can put a ../ inside your content upload directory I believe.

    I guess it’s time somebody said RTFM. As said by someone else before: It’s not a security hole. It has nothing to do with wordpress. It’s just the way file systems work. Go invent something else.
    And please don’t tell us you don’t have the time to learn about all this web mumbo jumbo and then turn around and blame someone else for your ignorance. That’s just not the way it works. You can’t drive a car, run somebody over and blame the manufacturer for that security hole. You have to learn how to drive (and hit the brakes when someone gets in your way, of course). Kind of a drastic example, but I think it gives you an idea of how I perceive your complaint.

    But hey, of course I also want to help. Here’s my 5 cents for you: This discussion produced quite a few very useful hints. Hence, I think you put in a useful question. None of the hints are 100% secure. Can’t be. Combining them makes hacker’s life a little harder. And if you pick up a few more .htaccess tricks, you may never have that problem again.

    Can I use external links in here? Check this site:
    https://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/
    and check out security hint #sec14, 15 and 17 (just add the #sec14 part to the url).
    Also, there is a short thread in this board here regarding .htaccess 777, which explains how to make script-files only display as plain text instead of execute.

    Don’t give up! Learn!

    Having just discovered that this non-security-hole has been exploited on my site, I believe the original poster was right in his concerns.

    When I started getting hits on my WP-managed site for viagra, program cracks, hacks and keycodes for html files in the wp-uploads folder, I started checking around the internet to figure out what was wrong.

    I would like to remind the poster above me that WP is supposed to be a blogging program that the non-computer savvy can use. It’s not a matter of learning how to drive. I know how to drive. I just don’t know how to fix a car. I’m a mom with 2 kids experiencing car trouble. I don’t have time or energy to learn auto mechanics.

    Click here for a portion of the screenshot of a google search of my page. The html pages listed were most definitely not put there by me. I do know how to change permissions, and THINK I understand what the various settings mean.

    Because I don’t really understand how this happened, even after reading all of the above, nor do I understand the “fixes” presented, I have completely wiped my site and started over. I use WP on another site, though, which was not affected. I will make sure my folders are all 755. When I have a permissions problem, I’ll change the permissions for my specific folder to something more lenient, then right back when I’m done.

    If anyone needs to take a look at those pages from the image referenced above, google still has them cached. I imagine a google search of “wp-upload” and one of the unsavory products will get you a live version of that kind of thing.

    Hopefully, one of you more knowledgeable folk will be able to figure out what’s going on and help folks like me.

  • The topic ‘WP 2.1 Hacked via Uploads Directory’ is closed to new replies.