Thread

I’ve had a problem on two different servers and EE installs, one 1.6.9 and one 2.1.1 and in both cases I’ve just been working in the EE control panel when the 500 internal server errors has occurred and all PHP files on the server have become inaccessible. The response from server hosts on both occasions was that permissions on the public_html folder had been changed to 770. I obviously didn’t do it so I’m wondering if there might be something within EE that is doing it?

Tyssen, I’ve not heard of that happening with EE before. This sounds like it might be a hack attempt.

  Thanks for reporting this. We take security very seriously and will do our best to work with you on figuring out what’s going on. To that, we need some additional information from you…

  1. EE version and build (found at the bottom of your control panel)
  2. Other scripts on your account, whether in use or not (phpBB, etc…)*

  * If this is a shared hosting environment, the host can make a determination if the attack came through scripts on another account on the server, which is commonly the case with these types of hacks.

  While we work through this, please check through these files:

  * path.php (if using EE1.x)
  * config.php
  * index.php

  to ensure that there is no unusual code such as iFrames or Javascript includes; if you do find that code, then please back-up the file and remove said code.  If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.

  You may also wish to refresh your files by following the build update instructions.

  Also please ensure that you report this to your host immediately as they can help identify where the attack originated from so that steps can be taken to prevent this in the future.

Also please ensure that you report this to your host immediately as they can help identify where the attack originated from so that steps can be taken to prevent this in the future.

The hosts were contacted immediately to get the sites back working properly (both were/are under development when it happened so no harm done) and neither indicated anything about any attacks. The only response was what I wrote in the first post: that the permissions had been changed on public_html from 750 to 770.

I’ve also checked all the files you’ve mentioned and they’re all clean.

Builds are:

1.6.9 / 20100430
2.1.1 / 20101020 (system above web root)

John,

As with Sue I have never heard of this happening before. We have ping devs internally of it but there will eb limited coverage the next 2 days dues to Thanksgiving.

Can you recall or replicate what you were doing in the CP when it happened as that will be the most helpful piece of info we can have.

Who is the owner of that folder if you look via FTP?

The one on the 1.6 site happened a while ago so can’t remember. It did happen on that site more than once though. At the time I thought it was just that server in particular. But now that it’s happened again on a different server and I’ve had the same response from the hosts tech support, I’m wondering if it’s something to do with EE.

On the more recent occasion I think I’d just changed a channel or fieldgroup setting and then saved (or possibly tried to click on another after having already saved one).

The owner / group of the public_html folders in both cases is username / 99.

No worries on the timing. It’s not particularly urgent.

Hi John,

Do you have any extensions that are in both installations?

Cheers

Greg

Custom System Messages
MX Cloner / Clone Entries
Last Segment
Matrx
P&T Field Pack

John,

The owner / group of the public_html folders in both cases is username / 99.

Anything different for the folders inside or files?

What is owner/group for one of your cache folders?

What is your PHP environment?
you running it as a Module or PHP-CGI?

Anything different for the folders inside or files?

Everything inside public_html (folders and files) seems to be username / username.

What is owner/group for one of your cache folders?

Same as above.

What is your PHP environment?
you running it as a Module or PHP-CGI?

Um, how do you tell that?  :red:

By the way, it happened again on the 2.1.1 site again today while I was saving a template file which was opened from a directory mounted as a disk using Transmit. I went to the public_html folder and found that the permissions were 770 so I changed them to 750 and it brought the site back again.

John,

In your phpinfo have a look for Server API

Good description of the benefits of both here

Something must be dictating that permission change. It sounds like a setting the host would have set.
Would they be helpful if you pushed them to dig a little deeper?

By the sounds of it if you had any application running on the server, not just EE you might run into same issue

Server API is CGI/FastCGI.

I’ll go back to the hosts and see what we can find.

Ok John. Let us know how you get on.