To all Linux Shared and Reseller Customers,
We have noticed a dramatic increase in defaced (hacked) websites on all our Linux servers since the 23rd of June 2008 due to customers setting insecure (CHMOD 777) permissions to scripts and folders. In particular many Joomla sites have been targeted. Please refer to the section “Joomla Websites” below on how to ensure that your site is compliant with our policy change.
We have taken immediate steps to prevent further sites from being defaced by disallowing all applications requiring CHMOD 777 permissions (global write access) on our servers. We have set up a security application to monitor files and folders on a regular basis. If any folder or file is found with CHMOD 777 permissions, it will be automatically changed to CHMOD 755.
Any application that requires these permissions will need to be re-written, as setting CHMOD 777 permissions on a file or folder makes the application extremely insecure and is ultimately a high security risk which we will no longer tolerate.
We cannot take responsibility for customers who do not take website security seriously and set insecure permissions on their files. Allowing customers to run insecure, high-risk websites makes our hosting servers vulnerable to further attacks and security breaches by hacking groups gaining access to MySQL database usernames and passwords. We can no longer continue to offer support for applications requiring insecure permissions.
No application, if written properly, should require CHMOD 777 permissions, and we therefore ask that you re-write your application immediately to comply with our policy change.
Joomla Websites
Joomla allows web-based installation of extensions. On most Joomla setups we've looked at, PHP is allowed to install the Joomla extensions by giving global write access (CHMOD 777) to the Joomla installation directories. This is not a secure way of managing a Joomla site.
A secure website should not have any folders or files with global write access, especially on shared servers, yet on 90% of Joomla websites we've looked at, this is the case.
How to install Joomla extensions on a shared server without giving global write access
1. Install Extensions Manually via FTP and MySQL Queries
2. CHMOD 777 only for the installation period, then CHMOD back to 755
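An added example, not part of the original notice and not DigiServ's monitoring application: shell functions a customer could use to find world-writable files and folders in a site directory, reset them to 755, and apply option 2 so the directory always returns to 755 after the install step. The function names and the directory argument are assumptions.

```sh
#!/bin/sh
# Added example: audit a site directory for world-writable entries and
# reset them to 755, the mode the notice says the host enforces.
# All function names here are hypothetical.

# list_world_writable DIR
# Print every file and folder under DIR whose "other write" bit is set
# (CHMOD 777 included). Symlinks are skipped; their own mode is not used.
list_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# count_world_writable DIR
# Number of world-writable entries under DIR.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# reset_world_writable DIR
# Change each world-writable entry to 755 and print what was changed.
reset_world_writable() {
    find "$1" ! -type l -perm -0002 -exec chmod 755 {} \; -print
}

# with_temporary_write DIR COMMAND...
# Option 2 from the list: CHMOD 777 on DIR for the installation period
# only, run COMMAND, then go back to 755 even if COMMAND failed.
with_temporary_write() {
    dir=$1
    shift
    chmod 777 "$dir" || return 1
    status=0
    "$@" || status=$?
    chmod 755 "$dir"
    return "$status"
}
```

Run `list_world_writable` against the site's document root after every extension install to confirm nothing was left at 777.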
We hope that everyone understands this forced policy change: on a shared server we have to protect not only the security of your account but also that of other customers. We cannot allow one or a handful of customers to open a door for hackers to gain access to accounts with confidential and secure information.
DigiServ Technologies cc
Tuesday, July 1, 2008