
We got hacked because of bad security on our server. The hacker got access to the database, probably from a PHP file holding database credentials in the html folder. The /var/www/html folder had root privileges and 777 permissions. Could the hacker have injected anything outside the /var/www/html folder? Do we have to reset our server, or would proper security do?

Note that we already changed permissions and ownership of the html folder and the files inside it. We also changed the database credentials and implemented some MySQL security. We also blocked all ports except for the HTTP, HTTPS and SSH ports (and changed the SSH port as well).

Cayenne

  • There's never a way to be sure. Nuke the server from orbit and reinstall if you have a backup, or start over again. – Sergiy Kolodyazhnyy Jan 29 '19 at 14:56
  • It depends how they got access to the server. Maybe they managed to discover some user's password that has sudo access. In that case, I would assume the worst. – Dan Jan 29 '19 at 14:56
  • It is not exactly on topic, but here are a few ideas about improving Apache's security: I need rules to drop some malicious Apache connection – pa4080 Jan 29 '19 at 16:05
  • It seems the only way they got there is from the permissions; there were no other sudo users than root, and we didn't have a backup. Since there was no backup, it's going to be a pain to reconfigure everything; that's why I need to know if they were able to get past the html folder. What do you think? – Cayenne Jan 29 '19 at 19:38

1 Answer

Assuming you're using a basic Apache2 setup, all apache2 processes and executed PHP code ran as the user:group www-data:www-data, which limits where they can write data. An attacker would likely have had access to:

  • Your SQL databases, since the credentials very likely had to be stored somewhere www-data could read; otherwise your web app (e.g. WordPress) wouldn't be capable of connecting to your database.

  • Any files in your /home/* directories, except files where permissions were 600 or similar, such as SSH keys. This means an attacker wouldn't have access to your SSH keys under most circumstances.

  • Any API tokens or other files stored in /var/www/html.

  • Any configuration files in /etc that didn't have restricted permissions. It's worth noting that /etc/letsencrypt/live has restricted permissions and cannot be read by www-data, so your SSL keys should be safe.

In any case, I would suggest distrusting any credentials on the system, such as SSH keys and API tokens, and issuing new SSL certificates to be safe. You can also run find / -group www-data to see any files created by www-data, since there could be some random writable areas such as /tmp, the place PHP sessions are stored, /var/run, etc.
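As an added example (not code from the answer or the asker), a POSIX shell audit that does what the answer suggests after an incident like this one: list files owned by the www-data group outside the document root, and list world-writable paths anywhere on the filesystem that any local account could have dropped files into. The group name www-data and the /var/www/html document root follow the Debian/Ubuntu Apache defaults discussed above and are assumptions; run it as root so find can traverse everything.

```shell
#!/bin/sh
# Post-incident filesystem audit for a web server whose PHP code ran as www-data.
# Added example; group name and docroot are assumptions (Debian/Ubuntu defaults).

# list_group_files ROOT GROUP [EXCLUDE]
# Files under ROOT owned by GROUP, skipping the document root (EXCLUDE), which is
# expected to be full of www-data files anyway. Anything else it prints is a
# location the web-server account was able to write to: /tmp, PHP session dirs,
# /var/run, stray uploads, cron drop-ins, and so on.
list_group_files() {
    root="$1"; group="$2"; exclude="${3:-/var/www/html}"
    find "$root" -xdev -path "$exclude" -prune -o -group "$group" -print 2>/dev/null
}

# list_world_writable ROOT
# Regular files and directories with the "other" write bit set (mode ?????2/3/6/7).
# A 777 docroot like the one in the question shows up here, as does anything an
# attacker chmod'ed to keep a foothold. /proc is skipped; symlinks are ignored.
list_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 ! -path '/proc/*' 2>/dev/null
}

# count_world_writable ROOT: number of entries from list_world_writable, usable
# as a pass/fail value in a hardening check (0 is the target on a clean host).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Run the full audit against / when executed directly; sourcing the file only
# defines the functions so they can be reused or tested.
if [ "${0##*/}" = "audit-www-data.sh" ]; then
    echo "== files owned by group www-data outside the document root =="
    list_group_files / www-data /var/www/html
    echo "== world-writable files and directories =="
    list_world_writable /
    echo "total world-writable: $(count_world_writable /)"
fi
```

Review every path in the output by hand: files owned by www-data outside the document root, and anything world-writable under /etc or a cron directory, are the places to look for dropped scripts before deciding whether the host can be trusted.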