Hacked, and how to prevent it
David Gillaspey
Sat., Jul. 19, 2008, 1:55 pm
Hi folks,
Overnight, my websites —
www.greatchurchwebsites.org
www.school-for-church-webmasters.org
www.discovergraphicdesign.com
www.networkedchurch.com
and several others — were minor-ly hacked, by someone who made his or her Turkish (I'm guessing) language home page appear if a visitor just typed in the domain name (for example, www.greatchurchwebsites.org) and not the complete file name of the home page (www.greatchurchwebsites.org/index.php).
No other pages were affected, and all links within the site worked OK.
I called my web hoster's tech support line and they quickly fixed the problem by deleting the added alternate home pages. The source of the problem was that on my hacked websites, I had one or more folders or directories with permissions set to something other than 755 or 701. This allowed the hacker to do something to make the home page he or she uploaded appear instead of the real one.
So, I would encourage everyone to take a few minutes and ensure that directories on your website have Unix permissions set to 755. To further explain this, "755" means that a certain combination of Read, Write, or Execute permission has been granted to Owner, Group, and Everyone. If, when setting permissions on a directory, you check or uncheck an array of checkboxes, then you will want to aim for an upside down "U" look.
Two exceptions to the above are the modlogon and webalizer folders (of course, this only applies to Unix servers; Windows servers likely use different folders), which, the tech support person told me, can be set to 701.
One way to change the permissions is to use your FTP client. Changing permissions probably can be done through your hosting account control panel, but at this point, I'm not sure how to do that.
flutem3
Sat., Jul. 19, 2008, 2:58 pm
> So, I would encourage everyone to take a few minutes and ensure that directories on your website have Unix permissions set to 755. To further explain this, "755" means that a certain combination of Read, Write, or Execute permission has been granted to Owner, Group, and Everyone. If, when setting permissions on a directory, you check or uncheck an array of checkboxes, then you will want to aim for an upside down "U" look.
Hi, David,
Thank you for being so considerate. I have a problem, however, and I would guess that you already know what it is. How on earth do I do the above, and do I actually need to do anything? I have no idea where to find directories of that nature. In fact, I didn't know that they existed. :confused:
I still have so much to learn it is amazing...and stuff changes so fast, I cannot keep up with it. I certainly do wish I had just 1/6 of the computer knowledge which you have. It certainly would be helpful.
However, of course, the other side of the coin is that I have much more knowledge than I did which was zero. :D I guess everyone starts at zero at one time or another in his/her life, but some people don't remember what that was like.
Carol
JackWolfgang
Sat., Jul. 19, 2008, 3:20 pm
> and several others — were minor-ly hacked, by someone who made his or her Turkish (I'm guessing) language home page appear if a visitor just typed in the domain name (for example, www.greatchurchwebsites.org) and not the complete file name of the home page (www.greatchurchwebsites.org/index.php).
I am sorry to hear that.
> One way to change the permissions is to use your FTP client. Changing permissions probably can be done through your hosting account control panel, but at this point, I'm not sure how to do that.
In the open source Filezilla client running on a Windows machine, this can be done by right-clicking the folder and selecting "File Attributes...". The 701/755 permissions number appears in a small text box that has the label "Numeric Value".
According to what I see, the way to achieve 755 is the following permissions:
Owner: Read, Write, Execute
Group: Read, Execute
Public: Read, Execute
I will also note that the numbers are based on the UNIX command line command chmod, which is used to change the owner and permissions on files from the UNIX shell.
On Windows hosting, the permissions issue is stickier, because the customer has to be granted full control on the folder they are using for hosting, and I assume that this rarely happens.
David Gillaspey
Mon., Jul. 21, 2008, 2:45 am
> How on earth do I do the above ....
Hi Carol,
If you use a dedicated FTP client (program) to upload files to your church's website — and I realize that may very well not be the case — then the following screenshots will provide the basic idea.
The screenshots below show how setting permissions is done using an older version of Fetch for the Macintosh. (I do my web work on my Macintosh. My PC is used for other purposes.) Most of the people reading this thread work on a PC using a Windows-based FTP program, however. Those people will need to do something similar to what is shown below, whatever is appropriate for their software.
The FTP client, when logged in, shows all the files and folders on your website. (I've deliberately obscured these in the screenshot below for security's sake.) Click on a folder for which you want to change or confirm permissions, in order to highlight it. Then, choose a command similar to Fetch's Remote => Set Permissions ...
http://www.greatchurchwebsites.org/art/FORUM/permissions_howto1.jpg
and click the checkboxes in the pattern shown below. Note the equivalent Unix command: "chmod 755". Also note the upside down "U" pattern I mentioned above.
http://www.greatchurchwebsites.org/art/FORUM/permissions_howto2.jpg
I looked again at my web hosting Control Panel (not shown here). I can begin to see how this same thing can be done through the Control Panel. I'll provide screenshots for that tomorrow night, if I figure it out.
JackWolfgang
Tue., Jul. 22, 2008, 9:14 pm
I'll try to post some relevant Filezilla screenshots in the near future.
dnuttall
Sun., Aug. 3, 2008, 7:13 pm
Filezilla is a great tool that I've used when dealing with hosting services who do not allow "secure shell" access.
If your hosting service does allow secure shell access (it will be a UNIX/Linux service almost without doubt), you may want to experiment with a free Windows program called "WinSCP" for Windows Secure Copy. ("cp" is the *NIX command line name for "copy", so SCP = secure copy).
In any case, the place to get WinSCP is: http://winscp.net/eng/index.php
It has a terminal equivalent called "PuTTY" but PuTTY is NOT for the faint-hearted because you end up looking at a UNIX/Linux command line prompt, usually either a blinking "#" or "$" character. But WinSCP gives you your choice of two presentation options, of which I usually use the Windows File Manager emulation so you have your "home" hard-drive listing in the left frame and the "home" directory/folder for the account where you've logged in.
ALL interaction between your Windows PC and the hosting service is completely encrypted, so nothing transfers between your computers that is even modestly useful in the event (unlikely but possible) that your session is captured but not interrupted.
You'll see that in WinSCP, if you highlight a directory/folder or file in either frame and then press your F9 function key, a pop-up will show the current permissions and allow you to change to whatever you choose, assuming of course that you are the owner or a member of the group to which the directory/folder or file belongs.
PM me or post questions regarding *NIX security or whatever. I've spent most of the time since August of 1985 dealing with UNIX and Linux, since the earliest releases in the early 1990s, including a couple years teaching secure UNIX for AT&T/Bell Labs in the NSA/military intelligence communities.
Some things about *NIX security have changed over the years, but this permissions thing has been nearly the same for as long as I can remember!
The place where I know some problems arise with contemporary hosting services and *NIX permissions is that when you upload files using FTP/Filezilla/WinSCP, etc. they automatically are owned by the user who logged in and did the transfer.
However, if files are created as a result of some process owned by the web-server (usually Apache), in the default configuration those files and directories may or may not be modifiable because they are owned by the USER under which the Apache webserver is operating. Recently, the "better" (progressive) hosting services have adopted usage of an Apache add-on that creates files/directories that are exactly the same as if the account owner had created them via transfer or on-line text editing.
So the "point" is that if you find files/directories/folders that have incorrect permissions and Filezilla does NOT allow you to change, it is likely due to the way your hosting service has configured Apache. Only a "super user" will be able to change the ownership or permissions.
The place where I've seen MANY problems arise in the "olden times" was when the CMS or other scripts created "cache" files/directories which filled disk space and to flush a system required filing a support ticket. Some of the early templating "engines" also create files/directories. The "worst" of the bunch in my opinion is a good system called "Smarty".
Hope this helps more than it confuses!
Best to all.
Dave Nuttall
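An added example, not part of any post in this thread: for accounts with shell access, a POSIX shell audit that lists directories group or everyone can write to, directories not set to the 755 or 701 recommended above, and entries owned by another user (which the account holder cannot chmod, as the post above explains). The function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Usage: sh audit_perms.sh /path/to/public_html  (script name is a placeholder)

# Directories that group or everyone can write to (775, 777, 757, ...).
# 755 and 701 never match: only the owner has a write bit in those modes.
list_writable_dirs() {
    find "$1" -type d \( -perm -020 -o -perm -002 \) -print | sort
}

# Stricter review: every directory whose mode is neither 755 nor 701.
list_nonstandard_dirs() {
    find "$1" -type d ! -perm 755 ! -perm 701 -print | sort
}

# Entries not owned by the given user (name or numeric uid), for example
# files created by the web server's own account. The account holder cannot
# chmod these; the hosting provider has to fix them.
list_not_owned_by() {
    find "$1" ! -user "$2" -print | sort
}

# Remove only the group/other write bits from the flagged directories and
# leave every other permission bit as it was (777 -> 755, 775 -> 755).
fix_writable_dirs() {
    find "$1" -type d \( -perm -020 -o -perm -002 \) -exec chmod go-w {} +
}

# Report only when a directory is given; nothing is changed unless
# fix_writable_dirs is called explicitly.
if [ "$#" -ge 1 ]; then
    echo "Group/world-writable directories:"
    list_writable_dirs "$1"
    echo "Directories not set to 755 or 701:"
    list_nonstandard_dirs "$1"
    echo "Entries not owned by $(id -un):"
    list_not_owned_by "$1" "$(id -u)"
fi
```

Run the report first and review the list before calling fix_writable_dirs, since some applications expect a specific writable directory.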
JackWolfgang
Tue., Sep. 23, 2008, 11:54 pm
Long overdue Filezilla screenshots....
Step 1: Right click the appropriate folder and select "File Attributes".
http://images.jackwolfgang.com/GreatChurchWebsites/200809Sep23/FilezillaPermissionsStep1.jpg
Directory names other than public_html and public_ftp are intentionally blurred.
Step 2: Set permissions until the numeric value equals the 701 or 755 that was recommended.
http://images.jackwolfgang.com/GreatChurchWebsites/200809Sep23/FilezillaPermissionsStep2.jpg
David Gillaspey
Wed., Sep. 24, 2008, 12:02 am
Thanks, Jack, for the above information.