-
- 9 Posts
Yeah, the permissions of config.inc.php were 666. So if that is the problem, how could these permissions have let them hack the site?
-
- 9 Posts
For now, the only suspicious thing I’ve found is:
dsl85-98-14636.ttnet.net.tr - - [11/Jul/2006:19:09:22 +0300] "GET /modx/assets/cache HTTP/1.1" 301 871 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
dsl85-98-14636.ttnet.net.tr - - [11/Jul/2006:19:09:23 +0300] "GET /modx/assets/cache/ HTTP/1.1" 200 491 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
dsl85-98-14636.ttnet.net.tr - - [11/Jul/2006:19:09:31 +0300] "GET /modx/assets/cache/siteCache.idx.php HTTP/1.1" 200 423 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
dsl85-98-14636.ttnet.net.tr - - [11/Jul/2006:19:09:58 +0300] "GET /modx/assets/cache/siteCache.idx.php HTTP/1.1" 200 464 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
dsl85-98-14636.ttnet.net.tr - - [11/Jul/2006:19:10:01 +0300] "GET /modx/assets/cache HTTP/1.1" 301 870 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
dsl85-98-14636.ttnet.net.tr - - [11/Jul/2006:19:10:02 +0300] "GET /modx/assets/cache/ HTTP/1.1" 304 318 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
www.zone-h.org - - [11/Jul/2006:19:10:29 +0300] "GET /modx/assets/cache/siteCache.idx.php HTTP/1.0" 200 393 "-" "Wget/1.9.1"
-
- 258 Posts
I still highly doubt that a writeable config file gave them access to your server.
What other services and applications were running on your server?
That is why I recently moved my site to a host with phpsuexec. This way my scripts run as the owner of the script (which is me) instead of the apache user, so none of my files have to be world-writable. All it takes is somebody able to get into the server, and they can write to any world-writable files they like. And if you figure that often these shared hosts have up to 400 users on one server, what are the chances one of them manages to break out of his own space?
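An added example, not written by any poster in this thread: a small audit for the situation discussed above, listing every file or directory under a web root whose mode lets any local account write to it (such as the 666 on config.inc.php). The directory layout is constructed sample data and the function names are hypothetical.

```python
import os
import stat
import tempfile

def find_world_writable(root):
    """Return sorted (relative path, octal mode) pairs for entries under root
    whose 'other' write bit is set, i.e. writable by any account on the host."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is not meaningful
            if st.st_mode & stat.S_IWOTH:
                mode = oct(stat.S_IMODE(st.st_mode))
                findings.append((os.path.relpath(path, root), mode))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample layout (not a real MODx install)."""
    for rel in ("modx", "modx/assets", "modx/assets/cache"):
        path = os.path.join(root, rel)
        os.mkdir(path)
        os.chmod(path, 0o755)  # explicit, so the result does not depend on umask
    files = {
        "modx/config.inc.php": 0o666,  # mode from the thread; location is assumed
        "modx/assets/cache/siteCache.idx.php": 0o644,
        "modx/index.php": 0o644,
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.chmod(path, mode)
    return root

def audit_sample():
    """Build the sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_world_writable(build_sample_tree(tmp))

if __name__ == "__main__":
    for rel, mode in audit_sample():
        print(f"{mode}  {rel}")
```

On a real host, call `find_world_writable()` with the site's document root; under a setup like phpsuexec, where scripts run as the file owner, the flagged entries can usually be tightened to owner-only write.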
-
- 1,495 Posts
A very interesting topic. I’ve been pondering the security issue in MODx, which it seems to me is supposed to be quite secure. Let’s see... Can you give us your hosting company and the plan that you use? Maybe we can investigate this further; either this is a security breach on the server or in MODx itself.