Author |
Message |
mrix
Client

Joined: Dec 04, 2004
Posts: 757
|
Posted:
Sun Oct 08, 2006 3:25 pm |
|
Hello all, I have had a problem with my file permissions getting changed so my website can't be accessed, and I get an error like this:
Forbidden
You don't have permission to access / on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
--------------------------------------------------------------------------------
Apache/1.3.37 Server at battlefield-2.sea-fishing.org Port 80
This has been going on for months and is a big pain!
I have to email my host each time so he can put the permissions back, as that's not possible my end. He explains to me it's someone hacking my site, but I have no idea how they could do this? Basically the site is a subdomain, well, one of many, and all the other sites and the main one are OK??????
Has anyone else had this happen to them, this is becoming a regular thing.
thanks for any help all
Cheers
mrix
P.S. I have the latest 7.6 patch with the latest Sentinel |
|
|
|
 |
gregexp
The Mouse Is Extension Of Arm

Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol
|
Posted:
Sun Oct 08, 2006 4:02 pm |
|
First thing: are you able to FTP and change the permissions? If not, then you have a hosting problem.
Now if a hacker can get into your cpanel or whatever is provided, then you have an issue with hosting.
I've decided not to continue with any further examples. Basic hosting security is a VERY important thing to use. I'd ask the host if he has dir_protection enabled, which will prevent the script or hacker direct input from accessing above your root. It also keeps your site secure from altering other sites (to a point). There are so many different things someone should look at BEFORE they get a host, and changing permissions is something that no one should have the ability to do from a browser point or script, even though some coders believe different. This is all my opinion; I'd suggest another host. Raven's is excellent and some others here are as well.
I can only speak for myself and I know my hosting will NOT allow a script to change permissions but the client can from ftp or cpanel.
Look out for other changes as well, this seems to be a conflict with the server itself and not your error or something you can stop. |
_________________ For those who stand shall NEVER fall and those who fall shall RISE once more!! |
|
 |
 |
mrix

|
Posted:
Sun Oct 08, 2006 4:04 pm |
|
I can not change the file permissions my end and my host is Raven!
Cheers
mrix |
|
|
|
 |
fkelly
Former Moderator in Good Standing

Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
|
Posted:
Sun Oct 08, 2006 8:27 pm |
|
If you are Ravenswebhosting then you should be able to go in thru Cpanel and use their file manager and change any permissions. If you have a problem doing that you should email Raven. You should also be able to use FTP to change permissions. When Raven set you up I'm sure he would have emailed you the accounts and passwords to get in to do those things.
I've seen some problems with, for instance, Gallery software where the ownership and permissions for certain directories get fouled up. Usually once they get straightened out things will work okay but you really need to work with your Host to diagnose the situation and get it permanently fixed. Your host has the ability to "recursively chmod or chown" a whole set of directories which you don't have and he knows a lot more about the technical aspects of this than you (or I) do, so contact him and be a little patient and things will get worked out. |
|
|
|
 |
mrix

|
Posted:
Sun Oct 08, 2006 11:58 pm |
|
Well I am very disappointed to get this message from Raven today
Quote: | You have a hole somewhere in your different modules that is allowing them to hack you. I will correct it once again, but if this keeps happening I will have to start charging you |
How long does it take to add my file permissions back??? And why can't I do it myself? Then I wouldn't have to email him. I have FTP access, yes, but I don't have permission to change the files back! And it's the same when I go in cpanel!!!
Thanks for your comments, maybe time to change host |
|
|
|
 |
fkelly

|
Posted:
Mon Oct 09, 2006 6:57 am |
|
I doubt that you will find a better host. On one host that I use, when you call their help line you basically get someone "helping" who has had an introduction to computers course and then maybe you can get it "bumped up" to someone who might have a college level course or two and a year's experience.
My recommendation would be that you let Raven help you out of this situation and follow his advice to find whatever "hole" is in your modules and get it plugged ... which probably means eliminating it. I can't tell from looking at your site, but do you even have Sentinel installed -- not that it's going to plug a vulnerability in an addon module. |
|
|
|
 |
mrix

|
Posted:
Mon Oct 09, 2006 7:19 am |
|
Quote: | My recommendation would be that you let Raven help you out of this situation and follow his advice to find whatever "hole" is in your modules and get it plugged |
I am not getting any advice at all
Basically there is a hole in a module, which means not a lot to me
All I am being told is that I will have to pay if I want file permissions put back
How can support be much worse anywhere else???
Cheers
mrix |
|
|
|
 |
fkelly

|
Posted:
Mon Oct 09, 2006 7:33 am |
|
No one here is going to get involved in your relationship with your Host.
We could try to help with what's ailing you with Nuke but you would have to provide more information first.
What version of Nuke are you using? Are you using Sentinel? If so, what version? Forums and version? In addition to the modules that come with your Nuke distribution what other modules are you using? I see from your site that you have some kind of "interface" to IRC? How is that done? You seem to have a bunch of games on your site ... what software is used for that and where does it come from? It could very well have vulnerabilities.
The fact that you are getting hacked as persistently as you first reported indicates that someone is "breaking into" your site. Unless you've given out FTP accounts and passwords to others, the most likely avenue for the attacks is insecure software such as modules. Your host can't protect you from that and neither can anyone on here. We can help you identify it but you'd need to provide more information first. |
|
|
|
 |
mrix

|
Posted:
Mon Oct 09, 2006 7:45 am |
|
My version of Nuke is 7.6 patched
I have the latest Sentinel, NukeSentinel(tm) 2.5.00
I have the latest forums, phpBB 2.0.21
I was told by Raven that the problem I had was at first to do with the forums, so I paid him to add GDAuth to it, but that still didn't work.
There is no "interface" to IRC, just a link to where to find our IRC
I have never once given my FTP user and pass to anyone and I would not be that stupid to do so.
I basically only use a BF2 Leaderboard module to show stats
Cheers
mrix |
|
|
|
 |
fkelly

|
Posted:
Mon Oct 09, 2006 9:09 am |
|
The Forum fix was because that's one of the most prevalent means hackers are trying to use to break into sites.
If the BF2 Leaderboard is the only non-standard module then that's where I would look first for a security exposure. Maybe if you can identify a time span in which your system was compromised you could look at your access logs and figure out how they got in. I know that on Raven's hosts you can download your logs and look at them with an editor.
You might check out the forums in the nuke4gamers site. I just paid a quick visit and there are complaints of trojans as well as postings about the site itself being hacked. Doesn't give me a warm fuzzy feeling but I don't have time to pursue it further. |
|
|
|
 |
Raven
Site Admin/Owner

Joined: Aug 27, 2002
Posts: 17088
|
Posted:
Mon Oct 09, 2006 10:55 pm |
|
mrix wrote: | Well I am very disappointed to get this message from Raven today
Quote: | You have a hole somewhere in your different modules that is allowing them to hack you. I will correct it once again, but if this keeps happening I will have to start charging you |
How long does it take to add my file permissions back??? And why can't I do it myself? Then I wouldn't have to email him. I have FTP access, yes, but I don't have permission to change the files back! And it's the same when I go in cpanel!!!
Thanks for your comments, maybe time to change host |
Change hosts and you will just be transferring the problem - your setup. It's not a hosting issue. I haven't read the posts after this one, but I will. As Paul Harvey would say, "And now the rest of the story". You have left out some very important details. When you first started having this problem, I told you that you were being hacked and told you that you needed to update all of your third party applications, especially your forums. The forum admin module is how this has been being done on other sites and I have told you that. The script (of which I have a copy) is able to change the perms to 000 which make it only accessible to a sysadmin. I've told you that before. It's not so much a matter of how much time it takes me, it's that you haven't done what I told you you needed to do weeks, if not months, ago.
I don't like having to address this in public but you forced the issue. Not all problems/cures are Host related. The webmaster/site-owner has certain responsibilities also. |
|
|
|
 |
Raven

|
Posted:
Mon Oct 09, 2006 10:57 pm |
|
mrix wrote: | Quote: | My recommendation would be that you let Raven help you out of this situation and follow his advice to find whatever "hole" is in your modules and get it plugged |
I am not getting any advice at all
Basically there is a hole in a module, which means not a lot to me
All I am being told is that I will have to pay if I want file permissions put back
How can support be much worse anywhere else???
Cheers
mrix |
I have given you tons of advice and specific answers. I have told you what module is probably at fault and told you to update it, which you have yet to do. This is not a support issue - it's a webmaster's issue. |
|
|
|
 |
Raven

|
Posted:
Mon Oct 09, 2006 11:02 pm |
|
mrix wrote: | My version of Nuke is 7.6 patched
I have the latest Sentinel, NukeSentinel(tm) 2.5.00
I have the latest forums, phpBB 2.0.21
I was told by Raven that the problem I had was at first to do with the forums, so I paid him to add GDAuth to it, but that still didn't work.
There is no "interface" to IRC, just a link to where to find our IRC
I have never once given my FTP user and pass to anyone and I would not be that stupid to do so.
I basically only use a BF2 Leaderboard module to show stats
Cheers
mrix |
You paid me to address a certain problem that many users on your server got hit with. So, I installed the CGIAuth code as that was what it appeared from your symptoms. I have repeated afterwards, if you have done what I have told you, your next step is to review your server logs to see where the script is being executed. It could be your forum or a photo or a chat script. Anything that allows, whether by design or by flaw, upload capability. If it were a server issue, trust me, there would be much more damage than just one folder. |
|
|
|
 |
Raven

|
Posted:
Mon Oct 09, 2006 11:08 pm |
|
fkelly wrote: | The Forum fix was because that's one of the most prevalent means hackers are trying to use to break into sites.
If the BF2 Leaderboard is the only non-standard module then that's where I would look first for a security exposure. Maybe if you can identify a time span in which your system was compromised you could look at your access logs and figure out how they got in. I know that on Raven's hosts you can download your logs and look at them with an editor.
You might check out the forums in the nuke4gamers site. I just paid a quick visit and there are complaints of trojans as well as postings about the site itself being hacked. Doesn't give me a warm fuzzy feeling but I don't have time to pursue it further. |
Bingo! Exactly what I've been saying from the beginning - get and examine your logs.
I will leave this thread open for a while but I suggest you get your logs and examine them. Also I told you that you needed to check places like Secunia (maybe not that one specifically) that announce exploits to see if you have any of those applications. Also, check the home pages and forums of all of your third party applications. And keep in mind that it doesn't have to be in the addon domain that gets hacked. It could be in your root folder and allowing him/her access to everything. |
|
|
|
 |
kittycooper
New Member


Joined: May 12, 2005
Posts: 2
Location: Albuquerque NM
|
Posted:
Mon Oct 09, 2006 11:53 pm |
|
Just a quick comment to praise the level of support that Raven provides. Very knowledgeable and responsive.
I am sorry mrix is having so many problems. The advice everyone gave (analyze those logs during the break in) is good.
I use ws_ftp pro which makes it easy to change the permissions on entire folders and their contents.
Kitty
http://OpenSkyWebDesign.com |
|
|
|
 |
mrix

|
Posted:
Thu Oct 12, 2006 1:28 pm |
|
Quote: | third party applications, especially your forums. The forum admin module is how this has been being done on other sites and I have told you that |
This is totally untrue, my forum has always been up to date!
You explained I was being hacked, yes, and you explained that I needed the GDAuth adding to the forums, of which I paid you to do that, and I still have the problem. Now you say it's something else.
Quote: | The forum admin module is how this has been being done on other sites and I have told you that. The script (of which I have a copy) is able to change the perms to 000 which make it only accessible to a sysadmin |
If you know a script that causes this and you say it's now the forums that's doing it, why are you not helping me? I am not a tech head when it comes to phpnuke. That's why I got your hosting for support!
I have installed the latest forums, latest Sentinel. |
|
|
|
 |
Raven

|
Posted:
Thu Oct 12, 2006 5:19 pm |
|
I have told you these things all along. The script is not stored on the server or I could remove it. The hackers can run the script against a vulnerable script on your site. I have no tool nor any way of knowing what script of yours they are exploiting. Have you downloaded your server logs as I have suggested many times and is suggested in this post? That's what you need to examine. |
|
|
|
 |
mrix

|
Posted:
Thu Oct 12, 2006 5:23 pm |
|
Basically I run phpnuke 7.6, it has the latest Sentinel and the latest phpBB forums. When it comes to logs I don't really know what to look for, as it's all double Dutch to me unfortunately. The best I can do is shut down certain modules and hope that helps, but anything too technical is really beyond me.
Cheers
mrix |
|
|
|
 |
Raven

|
Posted:
Thu Oct 12, 2006 6:04 pm |
|
You will see entries like this
Code:
85.99.81.93 - - [12/Oct/2006:19:58:03 -0400] "GET /topsite/images/button.jpg HTTP/1.1" 304 - "http://www.sohbetbar.com/toplistler.htm" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
68.52.96.55 - - [12/Oct/2006:19:58:06 -0400] "GET /topsite/button.php?id=93 HTTP/1.1" 302 5 "http://www.tackletour.com/menuwatercraft.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
|
Look for any links that shouldn't be there or anything that just looks out of the ordinary. Especially look around the time that you noticed the permissions changed. |
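The log review described in the post above, as an added example (not code from the thread or from the host): it parses Apache combined-format lines like the two quoted, keeps the requests made in the hours before the permission change was noticed, and flags non-GET requests and paths never requested earlier. The sample log, its addresses and paths, the six-hour window and both heuristics are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache combined log format, the layout of the two entries quoted in the post.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def parse_line(line):
    """Return one log entry as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    entry["path"] = entry["target"].split("?", 1)[0]  # script without query string
    entry["status"] = int(entry["status"])
    return entry

def triage(lines, noticed_at, hours_before=6):
    """List requests in the window before `noticed_at` that deserve a closer look."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    start = noticed_at - timedelta(hours=hours_before)
    # Paths requested before the window form the "ordinary traffic" baseline.
    baseline = {e["path"] for e in entries if e["time"] < start}
    findings = []
    for e in entries:
        if not (start <= e["time"] <= noticed_at):
            continue
        reasons = []
        if e["method"] not in ("GET", "HEAD"):  # assumption: uploads arrive as POST/PUT
            reasons.append("non-GET request")
        if e["path"] not in baseline:  # assumption: an unfamiliar path is worth reading
            reasons.append("path not requested before the window")
        if reasons:
            findings.append(
                (e["time"].isoformat(), e["ip"], e["method"], e["target"], reasons)
            )
    return findings

# Constructed sample log (documentation addresses, hypothetical paths).
SAMPLE_LOG = '''\
192.0.2.10 - - [11/Oct/2006:09:00:00 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.10 - - [11/Oct/2006:09:00:05 -0400] "GET /modules.php?name=Forums HTTP/1.1" 200 8300 "-" "Mozilla/4.0"
192.0.2.11 - - [12/Oct/2006:15:10:00 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Oct/2006:16:40:12 -0400] "POST /example/upload.php HTTP/1.1" 200 312 "-" "-"
198.51.100.7 - - [12/Oct/2006:16:41:02 -0400] "GET /example/files/new.php HTTP/1.1" 200 87 "-" "-"
192.0.2.10 - - [12/Oct/2006:19:30:00 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
this line is not a log entry
'''.splitlines()

# Assumed time at which the 403 errors were first noticed.
NOTICED_AT = datetime(2006, 10, 12, 18, 0, tzinfo=timezone(timedelta(hours=-4)))

if __name__ == "__main__":
    for when, ip, method, target, reasons in triage(SAMPLE_LOG, NOTICED_AT):
        print(when, ip, method, target, "; ".join(reasons))
```

A flagged line is only a starting point for reading the surrounding requests from the same address, not proof of how the change was made.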
|
|
|
 |
gregexp

|
Posted:
Thu Oct 12, 2006 9:05 pm |
|
Boy, This makes me feel a bit out of place, Sorry Raven if my comments offended at all, not that it seems you have implied that they have.
mrix, I must say that my comment was based on the post you provided and with that knowledge, I jumped to conclusions, My apologies all around.
On this note, Raven is without a doubt the one host I'd recommend over myself and others I know. Now that your host has been forced to publicly handle this, I hope you obtain the desired results.
IMO as simply a member who does not speak for Raven's site, hosting or affiliations at all, to see a client take this out of the host's hands and post in a forum is a very disconcerting thing. IMO you should always handle site hacks and such of this nature with as much discreetness as possible.
If anyone takes offense, I felt it necessary to make sure that my statements were retracted, without editing. Sometimes we learn best by others' mistakes and tally one up for me, DARN I was looking to be perfect. There goes my ego
One more for the record: it is the host's choice as to what they allow. Some of my clients lose functionality because I do not allow certain things in my environment, so that is a choice the host is forced to make, functionality or put it in the web owner's hands. I hope you understand that my choices do not reflect another host's and should not be addressed as such. |
|
|
|
 |
Raven

|
Posted:
Thu Oct 12, 2006 11:44 pm |
|
darklord,
I did not take your remarks in an offensive way. And I am sorry that this all went public because I have done all that I can. I understand the frustration of the client, but bringing it public when I have done all that I can didn't/hasn't/won't help to remedy the problem. If I had some way (any way at all) of detecting this, I would. I have thought of a few things I could set up for monitoring and I may try them when I can. I still feel, at this point, that the logs need to be gone over and try to spot anomalies. I have a couple other things that I am exploring. |
|
|
|
 |
mrix

|
Posted:
Fri Oct 13, 2006 12:16 am |
|
The last thing I want to do is slag off anyone, but this problem has been going on for a few months now, and when I had the last reply from you Raven saying "if the permissions thing went on you would start charging me etc", with my frustrations it made me see red etc.
When an updated Sentinel is released I will update almost on the day, and if a phpBB forum update is released I will do the same. I do my best to do what's in my capabilities and that's not much, I understand, but I am learning all the time.
Cheers
mrix |
|
|
|
 |
gregexp

|
Posted:
Fri Oct 13, 2006 3:57 pm |
|
Raven, I like that idea and as a host, I'd like to see what you might come up with.
Honestly, I can't see a way of scanning all files on a server for exploits that come out every day with so many different CMSs available, so I definitely would like to see it if you manage to come up with something.
mrix, we are all learning every day and my words I hope were taken as advice about not taking it public.
Raven is someone who has helped this community more than most will even know. Remember that even the author is not fully supporting php-nuke, so don't expect EVERY little script or code to be secured. You've seen the layout of nuke, it's definitely complex, but hackers see it too, even the patches that MEMBERS release (not the author). So we are left with figuring every piece of nuke out for ourselves, and if you read these forums, you will see php language pretty much laid out for someone to learn. These forums can TEACH, promote and support something that Raven and the others have NO responsibility to. So remember that when it comes to sites, your host provides you with this: space, functionality, SERVER security and nothing more. A host has NO responsibility to help a client on their site unless specified or agreed to. So remember that your host is doing the helping out of the kindness of their heart. IF they offer it with your package, they really don't have to offer it at all. So don't think that you are being mishandled at all. Hosts' responsibility is as far as THEY say it is because in the end, the server bill, the bandwidth and so many other things are THEIR only responsibility and even that is something they don't HAVE to do.
I hope you see this as pointing out some things that you may think your host is responsible for and not something that leaves you saying what now.
If you ask yourself what now, talk to your host and ask your host what they could offer you. Be prepared to pay, time is money, and if it's offered free, thank your lucky stars because they don't have to offer anything.
D |
|
|
|
 |
mrix

|
Posted:
Fri Oct 13, 2006 5:04 pm |
|
I guess I am mainly disappointed that after all this time with the Sentinels and all the updates phpnuke can still be so insecure. If I had known what I know now I would never have bothered with it at all. All this messing around all the time, you really need to be a pro to secure phpnuke.
Hackers are forever finding holes in it and have been since it was released.
regards
mrix |
|
|
|
 |
gregexp

|
Posted:
Fri Oct 13, 2006 9:55 pm |
|
Ahh, now that makes me feel bad.
mrix, I'm gonna tell you something, I only started messing with websites in January 2006.
Hope that shocks you lol.
I just want you to know that even though it seems very difficult, php-nuke patches, upgrades and such can be easily done once you grasp the concept, It takes time and effort but I promise you that if you apply both, you will succeed. You did something that most wish they did when they started, you found an excellent host.
One more thing, if you really think php-nuke is not the way to go, might I suggest Ravennuke?
Your host would probably agree with me that it is a much better CMS than php-nuke with Sentinel and upgrades, well, your host is the main developer of it lol.
And on a personal note, most here will also offer a little assistance when needed, but first thing is for you to attempt to learn things on your own. What's that old saying? Give a man a fish, feed him for a day. Teach a man to fish, feed him for a lifetime. Remember that your host is there, these forums are here and you are not alone in this. Finally, remember to follow the instructions and report back if you have any problems. Time is what you need to dedicate to a site. Security is a high priority (or should be), so dedicate plenty of time to that alone. Let me ask you something: let's say I hand you an OLD CMS that has been tested numerous times for exploits and none found, but one day, about a month after you get the CMS, someone finds an exploit and uses it on your site. Which would you prefer, a forum and support like this OR the unknown support of another CMS?
I personally would prefer to stick with what I know works  |
|
|
|
 |
|