php security
Old 03-10-2006, 07:38 AM php security
purk's Avatar
Extreme Talker

Posts: 164
Name: James
Location: marbella & surrey
recently someone stole a php script from my website and has used it on theirs.
the problem is this script interacts with my db so i guess the thief can screw with my db.
anyone know what rights i need to apply to my directories to prevent execution from remote machines.

the unix code is 751 which is owner: rwx group: r-e world: --e

the same goes for the script which performs the db connection.


heeeeelllllppp

thx.
__________________
thatVilla.com - private villas direct from the owners - travel links always needed.
 
     
Old 03-10-2006, 08:00 AM Re: php security
neroux's Avatar
Ultra Talker

Posts: 284
How did he/she/they manage to acquire the script? If your database permissions are properly set (only users from localhost can access it) you shouldn't need to worry about the database (you should change the username and password nevertheless).

What do you exactly mean by "prevent execution from remote machines"?
__________________
CityPics.org - The world at your fingertips
• Share your city with the world

-- Meet your Meat
 
Old 03-10-2006, 08:06 AM Re: php security
purk's Avatar
Extreme Talker

Posts: 164
Name: James
Location: marbella & surrey
by remote execution i mean; well i'll explain better.

i have a script, let's call it master.php in that script i have require_once() which includes ro.php which is the readonly connection to my db.

this scum bag has copied all files (the php source) from my host and is running it from his host.

so the page he stole is displaying data from my db.


what i don't understand is why?? i am getting about 200 hits a day from his site but as far as i can tell all my files still exist and my db has not been tampered with.

i'm confused !?!
 
Old 03-10-2006, 08:35 AM Re: php security
neroux's Avatar
Ultra Talker

Posts: 284
Quote:
Originally Posted by purk
by remote execution i mean; well i'll explain better.

i have a script, let's call it master.php in that script i have require_once() which includes ro.php which is the readonly connection to my db.

this scum bag has copied all files (the php source) from my host and is running it from his host.

so the page he stole is displaying data from my db.
How did you come to know he/she/they copied the files? How could it happen after all that he/she/they had access to your PHP sources?

Usually it shouldn't be possible to access a web database from anything other than "localhost". Hence I would suggest changing the user which you use to access your database and configuring the database accordingly.
 
Old 03-10-2006, 08:51 AM Re: php security
purk's Avatar
Extreme Talker

Posts: 164
Name: James
Location: marbella & surrey
i only found out they copied my code when i noticed the url in my webalizer referral log.
i checked the url and found it was my page on their domain.

i don't know how they acquired my source but if they had access to my ftp server then why just duplicate one of my pages? why wouldn't they do something more malicious?

more than irritating it is confusing. so far the only effect i can see is extra traffic from their domain - as all links on the copied page still point to my domain. they changed nothing in the code.

thnx for your input neroux, puzzling eh?
 
Old 03-10-2006, 09:27 AM Re: php security
techwench's Avatar
Code Monkey

Posts: 1,443
Name: Danalyn
Location: McKinney, TX
[edit]...oops wrong thread...
__________________
blog explosion | personal | portfolio
 
Old 03-10-2006, 10:23 AM Re: php security
purk's Avatar
Extreme Talker

Posts: 164
Name: James
Location: marbella & surrey
found this article: http://www.somewhatmuchly.co.uk/90

about using .htaccess for hotlink prevention.

i have implemented that and now my problem is they still have access to my db (until i change my db user credentials).

anyone got any clues as to why they did this?

j.
 
Old 03-11-2006, 11:03 PM Re: php security
Extreme Talker

Posts: 171
how did they get into your ftp server?
mohamoud is offline
 
Old 03-14-2006, 03:21 PM Re: php security
purk's Avatar
Extreme Talker

Posts: 164
Name: James
Location: marbella & surrey
no idea at all. have changed all passwords now anyway but they are still able to execute my script from their host.

i've read loads on the php.net security section and i can't explain how they can still do this.

anyone come across this before?

 
Old 03-14-2006, 04:34 PM Re: php security
vangogh's Avatar
Post Impressionist

Posts: 8,663
Name: Steven Bradley
Location: Boulder, Colorado
You might want to go through your server logs to see if you can determine how they got in. Definitely change all your passwords, but you may have a security hole somewhere in one of your applications that they could exploit again to find out the new passwords.
__________________
l Search Engine Friendly Web Design | Van SEO Design
l Tips On Marketing, SEO, Design, and Development | TheVanBlog
l Custom WordPress Themes
| Small Business Forum
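One starting point for the log review suggested above, as an added example that is not part of the original thread: a shell function that counts, per outside referrer host, which local pages it sends requests to. The log format is assumed to be Apache "combined"; `www.example.com`, the other hosts and every log line are constructed placeholders.

```shell
#!/bin/sh
# Added example: which outside sites send visitors to which local pages?
# Input: Apache "combined" access log. Hosts and log lines are constructed.

OWN_HOST="www.example.com"   # assumption: the site's own hostname

# write_sample_log FILE: six constructed requests (documentation IP ranges)
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [10/Mar/2006:07:01:00 +0000] "GET /villa.php HTTP/1.1" 200 5120 "http://copy.example.net/villa.php" "Mozilla/4.0"
192.0.2.11 - - [10/Mar/2006:07:02:00 +0000] "GET /villa.php HTTP/1.1" 200 5120 "http://copy.example.net/villa.php" "Mozilla/4.0"
192.0.2.12 - - [10/Mar/2006:07:03:00 +0000] "GET /villa.php HTTP/1.1" 200 5120 "http://COPY.example.net:80/villa.php?id=3" "Mozilla/4.0"
198.51.100.5 - - [10/Mar/2006:07:04:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "http://www.example.com/" "Mozilla/4.0"
198.51.100.6 - - [10/Mar/2006:07:05:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Mar/2006:07:06:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "http://search.example.org/?q=villas" "Mozilla/4.0"
EOF
}

# external_referrers FILE: prints "hits referrer-host local-path", busiest first
external_referrers() {
    awk -F'"' -v own="$OWN_HOST" '
        {
            ref = $4                          # 4th quote-delimited field is the Referer
            if (ref == "" || ref == "-") next # direct visits carry no referrer
            host = tolower(ref)
            sub("^[a-z]+://", "", host)       # drop the scheme
            sub("[/:?#].*$", "", host)        # drop port, path and query
            if (host == "" || host == tolower(own)) next
            split($2, req, " ")               # $2 is e.g. GET /villa.php HTTP/1.1
            hits[host " " req[2]]++
        }
        END { for (k in hits) print hits[k], k }
    ' "$1" | sort -k1,1nr -k2,2
}

log=$(mktemp)
write_sample_log "$log"
external_referrers "$log"   # the log is untouched; only a summary is printed
rm -f "$log"
```

The Referer header is supplied by the client and can be missing or forged, so the counts are a lead for further checking rather than proof of where a request came from.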
 
Old 03-17-2006, 09:55 AM Re: php security
purk's Avatar
Extreme Talker

Posts: 164
Name: James
Location: marbella & surrey
vangogh: good thinking, will do that now.

in the meantime, can someone tell me if 755 is the right unix rights number for a directory which should only be readable (and execute scripts running on any of those pages) by anyone but the owner.

Purk
 
Old 03-17-2006, 12:35 PM Re: php security
vangogh's Avatar
Post Impressionist

Posts: 8,663
Name: Steven Bradley
Location: Boulder, Colorado
purk, 755 gives all rights to the owner of a folder or file and read and execute rights to the group and all others.

When the permissions are written out with the 3 digit number, the first number is for the owner, the second for the group and the last for all others.

Permissions are set as read, write, execute (rwx) for each of the three types of users. Think of the digits as the hex (or decimal) representation of binary numbers where 1 for any of the permissions means that user has it and 0 means they don't have it.

So in the case of 755 the permissions would be
111 101 101
rwx r-x r-x

755 is a pretty common setting for permissions on many files and folders. Ideally you would only give just as much permission as is needed and then prohibit everything else. Depends on the particular applications on your site as to what permissions will be needed for a given folder or file.
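The digit-to-bits mapping described above, as an added example that is not part of the original thread: one shell function expands a three-digit mode into its rwx string, and another lists the entries in a directory that "other" can read or write. The file names `master.php` and `ro.php` come from the thread; the temporary directory, the chosen modes and the assumption that the web server account reads `ro.php` through group membership are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: expand an octal mode into rwx form and list what "other"
# can reach. File names follow the thread; the directory is constructed.

# mode_to_rwx MODE: 755 -> rwxr-xr-x (returns 1 unless MODE is three octal digits)
mode_to_rwx() {
    case "$1" in [0-7][0-7][0-7]) ;; *) return 1 ;; esac
    rest=$1
    out=""
    while [ -n "$rest" ]; do
        d=${rest%"${rest#?}"}    # leading digit: owner, then group, then other
        rest=${rest#?}
        # each digit is three bits: 4 = read, 2 = write, 1 = execute
        if [ $(( d & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( d & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ $(( d & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    done
    printf '%s\n' "$out"
}

# other_bits PATH: the "other" triplet as ls reports it, e.g. r-x
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# world_accessible DIR: entries in DIR that "other" may read or write
world_accessible() {
    for f in "$1"/*; do
        bits=$(other_bits "$f")
        case "$bits" in
            r??|?w?) printf '%s %s\n' "$bits" "${f##*/}" ;;
        esac
    done
}

demo=$(mktemp -d)
: > "$demo/master.php"; : > "$demo/ro.php"
chmod 644 "$demo/master.php"   # page script: readable by every account on the host
chmod 640 "$demo/ro.php"       # db credentials: owner and group only (assumed setup)
for m in 751 755; do printf '%s %s\n' "$m" "$(mode_to_rwx "$m")"; done
world_accessible "$demo"
rm -rf "$demo"
```

Mode bits decide what local accounts on the server can do, including the account the web server runs as; they do not distinguish between HTTP visitors.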
 