Can hackers inject anything to the server outside /var/www/html
We got hacked because of bad security on our server. The hacker got access to the database, probably from a PHP file holding database credentials in the html folder. The /var/www/html folder had root privileges and 777 permissions.
Could the hacker have injected anything outside the /var/www/html folder? Do we have to reset our server, or would proper security do?

Note that we already changed permissions and ownership of the html folder and the files inside. We also changed the database credentials and implemented some MySQL security. We also blocked all ports except for the http, https and ssh ports (and changed the ssh port as well).
Tags: apache2, security, hacking
asked Jan 29 at 14:29 by Cayenne, edited Jan 29 at 14:38

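The question's root cause is a web root that was 777 and root-owned, so anything running as the web-server account could write into it. The following is an added example, not code from the Ask Ubuntu thread: a small POSIX shell helper that counts world-writable entries and then applies a least-privilege layout (admin account owns the files, the web-server group can only read, and only explicitly listed directories such as an uploads folder are group-writable). The account names (a "deploy" admin user, www-data as the web-server group) and the uploads path are assumptions; the functions take them as arguments so they can be tried on a scratch directory first.

```shell
#!/bin/sh
# Added example (not from the Ask Ubuntu thread): replace a 777 web root with
# a least-privilege layout for an Apache + PHP site. Assumptions: Apache/PHP
# run as the www-data group, an admin account (e.g. "deploy") owns the files,
# and PHP only needs to read them except in a few named directories.

# Count entries (files or directories) that are writable by "other", i.e. by
# every local account including the web server. The target after hardening
# is 0; anything left is a place an attacker with code execution could write.
count_world_writable() {
    find "$1" -perm -0002 2>/dev/null | wc -l | tr -d ' '
}

# harden_webroot WEBROOT OWNER WEBGROUP [WRITABLE_DIR ...]
# Directories 750: traversable by the web-server group, no listing or writing
# for others. Files 640: readable by the group (so PHP can include config.php
# with the database credentials) but not by any other local account.
harden_webroot() {
    webroot="$1"; owner="$2"; webgroup="$3"; shift 3
    chown -R "$owner:$webgroup" "$webroot" || return 1
    find "$webroot" -type d -exec chmod 750 {} + || return 1
    find "$webroot" -type f -exec chmod 640 {} + || return 1
    # Directories the application genuinely writes to (uploads, cache) are
    # the explicit exception: group-writable, still nothing for "other".
    for dir in "$@"; do
        chmod 770 "$dir" || return 1
    done
}

# Usage on a real host (run as root, after taking a backup), assumed names:
#   harden_webroot /var/www/html deploy www-data /var/www/html/uploads
#   count_world_writable /var/www/html     # expect 0
```

Running count_world_writable before and after gives a measurable check that the 777 problem is gone; the remaining step is to review which files under the web root still need to be writable at all, since every group-writable directory is somewhere PHP code can drop a file.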
  • There's never a way to be sure. Nuke the server from orbit and reinstall if you had a backup, or start over again.
    – Sergiy Kolodyazhnyy, Jan 29 at 14:56

  • It depends how they got access to the server. Maybe they managed to discover some user's password that has sudo access. In that case, I would assume the worst.
    – Dan, Jan 29 at 14:56

  • It is not right on topic, but here are a few ideas about improving Apache's security: I need rules to drop some malicious Apache connection
    – pa4080, Jan 29 at 16:05

  • It seems the only way they got there is from the permissions; there were no other sudo users than root, and we didn't have a backup. Since there was no backup, it's going to be a pain to reconfigure everything, which is why I need to know if they were able to get past the html folder. What do you think?
    – Cayenne, Jan 29 at 19:38
1 Answer
Assuming you're using a basic Apache2 setup, all apache2 processes and the PHP code they executed ran as the user:group www-data:www-data, which limits where it can write data. An attacker would likely have access to:

  • Your SQL databases, since the credentials very likely had to be stored somewhere www-data could read; otherwise your web app (e.g. WordPress) wouldn't be capable of connecting to your database.
  • Any files in your /home/* directories, except files where permissions were 600 or similar, such as SSH keys. This means an attacker wouldn't have access to your SSH keys under most circumstances.
  • Any API tokens or other files stored in /var/www/html.
  • Any configuration files in /etc that didn't have restricted permissions. It's worth noting that /etc/letsencrypt/live has restricted permissions and cannot be read by www-data, so your SSL keys should be safe.

In any case I would suggest distrusting any credentials on the system, such as SSH keys and API tokens, and issuing new SSL certificates to be safe. You can also do a find / -group www-data to see any files created by www-data, since there could be some random areas writable such as /tmp, the places PHP sessions are stored, /var/run, etc.
answered Jan 29 at 14:41 by Kristopher Ives
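The answer's triage advice (find / -group www-data, plus the observation that www-data can write to /tmp, the PHP session directory, /var/run and similar places) is easy to turn into a repeatable check. The following is an added example and not the answerer's own code: three POSIX shell functions that list everything owned by the web-server account outside the web root, every world-writable directory without the sticky bit, and every regular file modified after a reference file. The account name www-data, the /var/www/html web root and the choice of reference file are assumptions passed in as arguments, so the functions can be exercised on a scratch tree as well as on the real filesystem.

```shell
#!/bin/sh
# Added example (not from the Ask Ubuntu thread): post-incident audit of the
# places a process running as the web-server account could have written,
# following the answer's "find / -group www-data" suggestion. All paths and
# account names are arguments; the defaults (/, www-data, /var/www/html) are
# assumptions about a stock Apache + PHP install.

# Files and directories owned by the web-server user or group, excluding the
# web root itself. New files created by PHP code in a 777 directory, in /tmp
# or in the session directory are owned by www-data and show up here.
audit_owned_by_web() {
    root="${1:-/}"; user="${2:-www-data}"; webroot="${3:-/var/www/html}"
    find "$root" -xdev \( -user "$user" -o -group "$user" \) \
        -not -path "$webroot" -not -path "$webroot/*" 2>/dev/null | sort
}

# World-writable directories (o+w) without the sticky bit: any local account,
# the web server included, can create or replace files there. /tmp is 1777
# (sticky) and is excluded; a 777 directory without the sticky bit is not.
audit_world_writable() {
    root="${1:-/}"
    find "$root" -xdev -type d -perm -0002 -not -perm -1000 2>/dev/null | sort
}

# Regular files modified more recently than a reference file, e.g. a file
# from the last known-good deploy or the earliest suspicious log line.
audit_modified_since() {
    root="${1:-/}"; ref="$2"
    find "$root" -xdev -type f -newer "$ref" 2>/dev/null | sort
}

# Run all three against a real host only when arguments are given, e.g.
#   sh webroot_audit.sh / www-data /var/www/html /var/log/apache2/access.log
if [ "$#" -ge 4 ]; then
    echo "== owned by $2 outside $3";  audit_owned_by_web "$1" "$2" "$3"
    echo "== world-writable, non-sticky directories"; audit_world_writable "$1"
    echo "== regular files newer than $4"; audit_modified_since "$1" "$4"
fi
```

Run it as root so that find can traverse /etc, /var/lib and home directories; -xdev keeps it on one filesystem, so repeat per mounted volume. An empty result from the first two checks is necessary but not sufficient: an attacker who obtained root (which the comments treat as the case to assume) could have changed ownership and timestamps, which is why the accepted advice remains to rebuild rather than to trust a clean scan.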