One of my clients that I just started doing work for was complaining that images had stopped showing up on his site. I checked it out, and what had happened was that the images folder had a .htaccess file created in it that restricted access to everyone except a few IPs. I thought that was kind of odd, so I poked around more and saw that three PHP scripts had somehow been uploaded into the folder, and they were what wrote the .htaccess file. The scripts were pretty creative: everything was encrypted with a key and stored as hex. Fortunately, the key they used was the request's User-Agent string, so a quick grep of the server logs for calls to the script showed which User-Agent it was being called with, and with that I could decode the script.
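The decoding step above is worth seeing in code. What follows is an added example, not the scripts from the client's server or the author's own tooling. It assumes the log is in the common Apache/nginx "combined" format and that the obfuscation is repeating-key XOR followed by hex encoding (a frequent pattern in dropped PHP, but an assumption here; the post only says "hexadecimals along with a key"). The log lines, the script name img.php, the User-Agent strings and the hex blob are all constructed for the example; the "script body" is an inert stand-in that merely names the parameters the post describes.

```python
import re

# Apache/nginx "combined" log format is assumed; the post does not say
# which server the client was running.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d+) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (documentation IP ranges, made-up User-Agents), not
# taken from a real server. The last two lines request the planted script;
# only the last one carries target/port/duration style parameters.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2012:08:12:01 +0000] "GET /images/logo.png HTTP/1.1" 200 4120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"
203.0.113.7 - - [10/Mar/2012:08:12:02 +0000] "GET /index.php HTTP/1.1" 200 9811 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"
192.0.2.44 - - [10/Mar/2012:08:13:10 +0000] "GET /images/img.php HTTP/1.1" 200 0 "-" "Googlebot/2.1"
198.51.100.23 - - [10/Mar/2012:08:14:37 +0000] "GET /images/img.php?t=203.0.113.9&p=80&d=60 HTTP/1.1" 200 12 "-" "Ripper/1.1"
"""


def user_agents_for(log_text, script_name):
    """Distinct User-Agent strings that requested script_name, in order of first appearance."""
    seen = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if path.rsplit("/", 1)[-1] == script_name:
            ua = m.group("ua")
            if ua not in seen:
                seen.append(ua)
    return seen


def xor_with_key(data, key):
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def hex_xor_decode(hex_blob, key):
    return xor_with_key(bytes.fromhex(hex_blob), key.encode("latin-1"))


def hex_xor_encode(plaintext, key):
    return xor_with_key(plaintext, key.encode("latin-1")).hex()


def looks_like_php(blob):
    """Cheap plausibility check: opens with a PHP tag and is all printable ASCII."""
    return blob.startswith(b"<?php") and all(32 <= b < 127 or b in b"\r\n\t" for b in blob)


def recover_and_decode(log_text, script_name, hex_blob):
    """Try every User-Agent that called the script as the key.

    Returns (key, plaintext) for the first candidate that decodes to something
    that looks like PHP, or None if no logged User-Agent works.
    """
    for ua in user_agents_for(log_text, script_name):
        candidate = hex_xor_decode(hex_blob, ua)
        if looks_like_php(candidate):
            return ua, candidate
    return None


# Constructed stand-in for the dropped script's body. It is inert: it only
# names the kind of parameters the post says the real script accepted.
SAMPLE_PLAINTEXT = (b"<?php\n// stand-in for the flood loop: target=$_GET['t'] "
                    b"port=$_GET['p'] seconds=$_GET['d']\n")
SAMPLE_HEX = hex_xor_encode(SAMPLE_PLAINTEXT, "Ripper/1.1")

if __name__ == "__main__":
    result = recover_and_decode(SAMPLE_LOG, "img.php", SAMPLE_HEX)
    if result is None:
        print("no User-Agent in the log decodes the blob")
    else:
        key, php = result
        print(f"key (User-Agent): {key!r}")
        print(php.decode())
```

Two things the example shows that the paragraph does not: more than one User-Agent may have hit the script (a crawler had touched it here), so you try each logged value as the key and keep the one that yields plausible PHP; and because the key is repeating XOR, a wrong key just gives garbage rather than an error, so a plausibility check on the output is needed.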

It turned out the scripts were basically DDoS tools: they could be triggered remotely, with the target and the attack details passed in as parameters when the script was called.

After getting rid of those and reading the code, the next step was to figure out how the scripts got there in the first place. I didn't have to look far: the folder was chmod 777, that is, writable by every user and process on the server. Obviously, if an attacker wants in they will find a way in, but a world-writable folder inside the web root is almost inviting them in with milk and cookies. To be fair, the permissions alone don't explain the upload (something on the server still had to write the files), but they mean any compromised account or script on the box could drop files there, and since the dropped scripts ran and wrote the .htaccess file, the web server was clearly executing PHP from that folder. I haven't found out how the files were uploaded, but it's possible they came in through a hole in the outdated open-source software the site was running.
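A quick way to find this kind of thing before an attacker does is to walk the web root and list every directory that grants write access to "other", noting whether PHP files already live there. The following is an added example, not a tool from the post or the site's software. It assumes a POSIX filesystem, and the sample tree it scans (a 777 images folder with a dropped img.php beside a 755 css folder) is constructed in a temporary directory for the demonstration.

```python
import os
import stat
import tempfile

PHP_SUFFIXES = (".php", ".phtml", ".php3", ".php4", ".php5", ".phar")


def world_writable_dirs(root):
    """Walk root and report every directory whose mode grants write to 'other'
    (0777, 0757, ...). Each hit records the mode, the sticky bit and any PHP
    files in that directory: a world-writable directory the web server also
    executes PHP from is the dangerous combination.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        st = os.lstat(dirpath)
        mode = stat.S_IMODE(st.st_mode)
        if not mode & stat.S_IWOTH:
            continue
        hits.append({
            "path": os.path.relpath(dirpath, root),
            "mode": format(mode, "04o"),
            "sticky": bool(st.st_mode & stat.S_ISVTX),
            "php_files": sorted(f for f in filenames if f.lower().endswith(PHP_SUFFIXES)),
            # Minimal fix: drop the other-write bit. Usually the right answer
            # is 0755 with the directory owned by the user that needs to write.
            "suggested_mode": format(mode & ~stat.S_IWOTH, "04o"),
        })
    return hits


def build_sample_tree(base):
    """Constructed web root for the demo, not the client's real layout:
    a 777 images folder containing a dropped PHP file, beside a 755 css folder."""
    images = os.path.join(base, "images")
    css = os.path.join(base, "css")
    os.makedirs(images)
    os.makedirs(css)
    with open(os.path.join(images, "logo.png"), "wb") as f:
        f.write(b"\x89PNG stub")
    with open(os.path.join(images, "img.php"), "w") as f:
        f.write("<?php /* dropped file */\n")
    with open(os.path.join(css, "site.css"), "w") as f:
        f.write("body{}\n")
    os.chmod(images, 0o777)  # explicit chmod: mkdir's mode is subject to umask
    os.chmod(css, 0o755)


def demo():
    """Create the sample tree in a temp dir, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return world_writable_dirs(base)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Run it against the real document root instead of the temp tree (`world_writable_dirs("/var/www/html")`, path assumed) and every hit is a question to answer: does anything legitimately need to write here? An images folder served straight to browsers normally does not, and if uploads do need to land somewhere, a directory writable only by the web server's own user is enough; world-writable is never the requirement.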

Moral of the story: don't chmod 777 your folders when you don't need to.