Debian – I’ve been hacked, and now I’m a bit confused about some things


I noticed yesterday that my site has been hacked, and I'm really confused about some things at this point. All of the files – as far as I can tell – that were edited or added were done so with a specific user account; one that was associated with some software that isn't being used anymore so should have been removed, but wasn't.

I removed all of those files – except one* – and removed the user account, repaired the edited files, etc. Almost all of the edits were on the wordpress side of the site. Most of the site isn't wordpress, but they are on the same physical server. All of the edits and additions were in directories owned by the removed user or owned by www-data.

*The file I didn't remove – but I renamed it and moved it – was one of the tools the hacker used. It has "Web Shell by oRb" at the top, but that's about all I can tell you about it.

This brings me to my first concern (I know I'm being overly verbose, sorry) – using this tool, I can edit or create files in any of the directories owned by www-data, and I can read virtually every file in every directory on the machine. So my question is, is this tool only able to do this because it is already on the server? Or am I just wide open?

My second question is, what are the best permissions for the web server? I know this has been asked a million times. My side of the server all has my account as the owner and my group – of just me – as the group. The wordpress (which I am becoming very wary of) side is all owned by www-data. Is this appropriate? What should the rwx permissions be?

I'm not really expecting anyone to diagnose the big concern – how they got in in the first place – but any clarity on the second and primarily the first questions would be really appreciated!


Best Answer

The wordpress side is all owned by www-data. Is this appropriate?

Generally it is not appropriate. It is true that wordpress does need a data directory that www-data can write to, but for the most part www-data should not own any files or folders. Anything that www-data owns could be updated by the web server. If you have buggy PHP code (or any other server side tech) then an attacker might be able to somehow trick that buggy PHP code into updating one of the PHP scripts to do something the attacker wants, like download a file from a remote server and install it somewhere onto your system.

Some web apps need to write data on the filesystem. With very rare exceptions you should almost never allow any kind of scripts to be executed from those data directories.