[Typo3] server hacked // report.php

Dmitry Dulepov typo3 at fm-world.ru
Thu Jul 21 22:51:16 CEST 2005


Hi!

Should be 755 for all typo3 directories except those I mentioned before.
And the file owner should be you, not Apache. You can check it with the
"ls -al" command. For those three directories it is best to set rights
recursively to 775 and owner information to user:apache, where user is
your login name. Thus only you can write to typo3 folders and only you
and Apache can write to the fileadmin|uploads|typo3temp folders.

I would actually remove write permission even for the user from most of
the typo3 directories, since no one should modify core files... Thus your
installation would be the most secure.

What else can you check? Check that enable_url_fopen is disabled in php
(easy to check with the phpinfo function). This has caused many hacked
sites because it allows an external script to be executed as if it were
internal.

Dmitry.

Christoph Koehler wrote:
> Thanks Dmitry!
> I know that 777 is a great risk! I was surprised that they were all
> chmodded like that!
> Is 775 or 755 generally safe?
> The script had apache user rights, so it overwrote all .htaccess files I
> guess, but I will use your advice, thanks!
> 
> 
> On Thu, 21 Jul 2005 14:33:01 -0500, Dmitry Dulepov <typo3 at fm-world.ru> 
> wrote:
> 
>> Hi!
>>
>> chmod 777 is a big security risk. This is, most likely, the problem.
>>
>> You can also strengthen site security by putting the following .htaccess
>> to some folders:
>> ---------
>> php_flag engine off
>> ---------
>> It will disable execution of php scripts there. At least the following
>> folders should be secured this way:
>> /fileadmin
>> /typo3temp
>> /uploads
>>
>> Dmitry.
>>
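The hardening steps discussed in this thread (755 for the core tree with the files owned by your login, 775 and user:apache ownership for fileadmin, uploads and typo3temp, `php_flag engine off` dropped into those three directories, and a check that URL fopen wrappers are switched off) as one added, runnable example. This is editor-supplied code, not code from the mails above or from the TYPO3 project. It assumes a GNU/Linux box with coreutils and POSIX find/sed, that the web root, your login name and the group Apache runs as are passed in as arguments, and that the php.ini to inspect is given as a file path. The php.ini directive it looks for is spelled allow_url_fopen (that is its real name in PHP); its compiled-in default is On, so an ini file without the line is reported as insecure. The fixture it builds is constructed sample data, starting from the all-777 state Christoph described.

```shell
#!/bin/sh
# Added example: harden a TYPO3 4.x-era document root the way the thread
# recommends. Not code from the mailing list or from TYPO3. Web root, user
# and Apache group are assumptions supplied by the caller.
set -eu

# The only directories Apache itself must be able to write to.
WRITABLE_DIRS="fileadmin uploads typo3temp"

# mode_is PATH OCTAL -> true when PATH has exactly that mode (POSIX find).
mode_is() {
  [ -n "$(find "$1" -prune -perm "$2")" ]
}

# harden_perms ROOT USER GROUP
#   ROOT  document root; USER your login (owns everything, Apache owns nothing);
#   GROUP the group Apache runs as (apache, www-data, ...).
harden_perms() {
  root=$1 user=$2 group=$3
  # Core: owned by you, 755 dirs / 644 files, so Apache can read but not write.
  chown -R "$user" "$root"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  # The three writable dirs: group apache, 775/664, so you and Apache can write.
  for d in $WRITABLE_DIRS; do
    mkdir -p "$root/$d"
    chown -R "$user:$group" "$root/$d"
    find "$root/$d" -type d -exec chmod 775 {} +
    find "$root/$d" -type f -exec chmod 664 {} +
  done
}

# disable_php_in_uploads ROOT
#   Drop the .htaccess from the thread into each Apache-writable dir so an
#   uploaded report.php is served as plain text instead of being executed.
#   Only effective with mod_php and AllowOverride Options (or All) for the path.
disable_php_in_uploads() {
  root=$1
  for d in $WRITABLE_DIRS; do
    printf 'php_flag engine off\n' > "$root/$d/.htaccess"
    chmod 644 "$root/$d/.htaccess"
  done
}

# check_url_fopen INI_FILE -> 0 when allow_url_fopen is Off, 1 when On/unset.
#   allow_url_fopen defaults to On, so a missing line counts as insecure.
#   As in php.ini, the last uncommented assignment wins; values are case-insensitive.
check_url_fopen() {
  val=$(sed -n 's/^[[:space:]]*allow_url_fopen[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p' "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z')
  case "$val" in
    off|0|false|no|none|'""') return 0 ;;
    *) return 1 ;;
  esac
}

# make_fixture -> prints a throwaway TYPO3-like tree in the all-777 state from
#   the thread, plus two constructed php.ini fragments (sample data, not real config).
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/typo3" "$root/typo3conf" "$root/fileadmin" "$root/uploads" "$root/typo3temp"
  printf '<?php // core file\n' > "$root/typo3/index.php"
  printf '<?php // front controller\n' > "$root/index.php"
  chmod -R 777 "$root"
  printf '; constructed sample\nallow_url_fopen = On\n' > "$root/php-insecure.ini"
  printf '; constructed sample\nallow_url_fopen = On\n; later line overrides\nallow_url_fopen = Off\n' > "$root/php-secure.ini"
  printf '%s\n' "$root"
}

# Demo against the fixture; your own user and primary group stand in for
# USER and the apache group here.
demo() {
  root=$(make_fixture)
  harden_perms "$root" "$(id -un)" "$(id -gn)"
  disable_php_in_uploads "$root"
  ls -ald "$root/typo3" "$root/fileadmin" "$root/index.php" "$root/uploads/.htaccess"
  if check_url_fopen "$root/php-insecure.ini"; then echo "php-insecure.ini: wrappers off"
  else echo "php-insecure.ini: allow_url_fopen is ON, turn it off in php.ini"; fi
  if check_url_fopen "$root/php-secure.ini"; then echo "php-secure.ini: wrappers off"; fi
  rm -rf "$root"
}
demo
```

Two caveats a practitioner should check before trusting the result. First, `php_flag engine off` in .htaccess is honoured only when PHP runs as an Apache module and the directory's `AllowOverride` includes `Options` (or is `All`); with CGI or FastCGI PHP it does nothing. Second, because fileadmin, uploads and typo3temp are deliberately group-writable for Apache, any script already running as the Apache user can delete or replace the .htaccess in those directories regardless of its 644 mode, which is exactly what Christoph observed. The directive is therefore a second layer; the primary control is the ownership split that keeps Apache from writing anywhere else in the tree.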



More information about the TYPO3-english mailing list