Quote:
Originally Posted by VGeorgie
I never told him to change it to 666. That's the standard setting CCBill does when they install their scripts. That's what the permissions WERE. Whether or not other permissions work is not the point. No hacker is going to bother changing them to 775 or 755 because as you say it wouldn't matter if they've already hacked the site. Just keep it at 666, then no one would have known the difference.
I don't think it's too much to ask to not read things into something I didn't write.
My other point is that there is no need to have more permissive settings than what's needed to get the job done. That's just common sense, for everything, not just servers.
You are assuming that you know exactly what the hacker is trying to do.
Scenario:
If the hacker chowns/chgrps the file in addition to chmod 755, then this can make the file unchangeable by the website owner when he logs into FTP (at least on some servers).
The webmaster is no longer the owner of the file and needs 666, but can't change it to 666 himself because he is not the file owner anymore.
So now we have a file full of hacked passwords that we can't change through FTP.
This can be fixed, but is just one more way to slow the fix down.
There are other things possible too.
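Added example, not part of the original posts: a small shell check a site owner could run from cron to notice the ownership and mode drift described in this scenario before it blocks a fix. The function name `audit_pwfile`, the temp file standing in for the password file, and the use of the current user as the expected owner are assumptions; the 666 baseline is the setting mentioned in the thread.

```shell
#!/bin/sh
# audit_pwfile PATH EXPECTED_UID EXPECTED_MODE   (hypothetical helper name)
# Prints one finding per line.
# Returns 0 = matches baseline, 1 = drift found, 2 = file missing/unreadable.
audit_pwfile() {
    path=$1; want_uid=$2; want_mode=$3
    [ -e "$path" ] || { echo "MISSING $path"; return 2; }

    # GNU stat first, BSD stat as a fallback; both give "<uid> <octal mode>".
    info=$(stat -c '%u %a' "$path" 2>/dev/null || stat -f '%u %Lp' "$path") \
        || return 2
    have_uid=${info% *}
    have_mode=${info#* }

    rc=0
    # Only the file's owner (or root) may chmod it, so an owner change means
    # the webmaster's FTP login can no longer reset the permissions.
    if [ "$have_uid" != "$want_uid" ]; then
        echo "OWNER_CHANGED $path uid=$have_uid expected=$want_uid"
        rc=1
    fi
    if [ "$have_mode" != "$want_mode" ]; then
        echo "MODE_DRIFT $path mode=$have_mode expected=$want_mode"
        rc=1
    fi
    return $rc
}

# Constructed demo: a temp file stands in for the real password file.
demo=$(mktemp)
chmod 666 "$demo"
audit_pwfile "$demo" "$(id -u)" 666 && echo "OK $demo"
chmod 755 "$demo"                        # simulate the change from the post
audit_pwfile "$demo" "$(id -u)" 666 || true
rm -f "$demo"
```

An `OWNER_CHANGED` finding is the case that needs the host's help (root or the new owner) to undo; `MODE_DRIFT` alone can still be reset by the owner over FTP.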