
We got hacked because of bad security on our server. The hacker probably got access to the database through a PHP file holding database credentials in the html folder. The /var/www/html folder had root privileges and 777 permissions. Could the hacker have injected anything outside the /var/www/html folder? Do we have to reset our server, or would proper security do?

Note that we already changed the permissions and ownership of the html folder and the files inside it. We also changed the database credentials and implemented some MySQL security. We also blocked all ports except the HTTP, HTTPS and SSH ports (and changed the SSH port as well).

Cayenne

1 Answer

Assuming you're using a basic Apache2 setup, all Apache2 processes and any PHP code they executed ran as the user:group www-data:www-data, which limits where they can write data. An attacker would likely have had access to:

  • Your SQL databases, since the credentials very likely had to be stored somewhere www-data could read; otherwise your web app (e.g. WordPress) wouldn't be capable of connecting to your database.

  • Any files in your /home/* directories, except files whose permissions were 600 or similar, such as SSH keys. This means an attacker wouldn't have had access to your SSH keys under most circumstances.

  • Any API tokens or other files stored in /var/www/html.

  • Any configuration files in /etc that didn't have restricted permissions. It's worth noting that /etc/letsencrypt/live has restricted permissions and cannot be read by www-data, so your SSL keys should be safe.

In any case I would suggest distrusting any credentials on the system, such as SSH keys and API tokens, and issuing new SSL certificates to be safe. You can also run find / -group www-data to see any files created by www-data, since there could be some random areas writable by it such as /tmp, the place PHP sessions are stored, /var/run, etc.
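The audit and the permission fix the answer describes, as an added example (not code from the question or the answer above). It assumes Debian/Ubuntu Apache conventions: the worker runs as www-data, the web root is /var/www/html, and the intended hardened layout is root-owned files that www-data can read but not write. The function names, the default paths and the sample config.php are the example's own choices.

```shell
#!/bin/sh
# Post-compromise audit for a box whose web root was 777. Added example;
# assumes Debian/Ubuntu Apache conventions (worker user/group www-data).

# Print every regular file or directory under $1 whose mode has the
# world-writable bit (o+w), pruning the subtree given in $2 (default /proc).
# Returns 0 when nothing is world-writable, 1 when something was listed.
# /tmp and other sticky directories show up too; those are expected, the
# interesting entries are anything else.
find_world_writable() {
    root="$1"
    prune="${2:-/proc}"
    out=$(find "$root" -path "$prune" -prune -o \
        -perm -002 \( -type f -o -type d \) -print 2>/dev/null)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Print everything under $1 owned by group $2. With "/" and "www-data" this
# is the `find / -group www-data` sweep from the answer: anything the worker
# created (sessions, uploads, dropped web shells) tends to carry that group.
find_group_owned() {
    find "$1" -group "$2" -print 2>/dev/null
}

# Reset a web root to the usual safe layout: owner $2 (default root), group
# $3 (default www-data), directories 750 and files 640, so the worker can
# read the PHP and its config but cannot modify or add anything. Directories
# that legitimately need uploads must be re-opened afterwards with 770/660,
# never 777.
harden_webroot() {
    dir="$1"
    owner="${2:-root}"
    group="${3:-www-data}"
    chown -R "$owner:$group" "$dir" || return 1
    find "$dir" -type d -exec chmod 750 {} + || return 1
    find "$dir" -type f -exec chmod 640 {} + || return 1
}

# Stand-alone run against the real system (requires root for chown to
# root:www-data). Results go to stdout; nothing below is needed by callers.
if [ "${AUDIT_RUN_MAIN:-0}" = "1" ]; then
    echo "== world-writable outside /proc =="
    find_world_writable / /proc
    echo "== owned by www-data =="
    find_group_owned / www-data
    echo "== hardening /var/www/html =="
    harden_webroot /var/www/html root www-data
fi
```

Run the audit before hardening and keep its output: the world-writable list tells you where www-data could have dropped files, and the group-owned list is the starting point for deciding whether anything outside the web root was actually touched. Set AUDIT_RUN_MAIN=1 to execute the live sweep; the functions themselves take a root directory so they can be tried on a scratch tree first.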