
Thread: Site Hack!!

  1. #21
    Join Date
    Jul 2009
    Posts
    244


    Yeah, very true.

    backup backup backup

    I was talking to a large backup company several months ago and it said a huge proportion of the general public never back anything up.

    Worth noting for cPanel users that even without online backup you can back up through cPanel, then FTP into the account at root level and download that backup to your own hard drive - works if you just have a few accounts.

    On the 777 note, I found out when upgrading to suPHP that anything requiring 777 will run as the more secure 755, and WordPress etc. all work fine.

  2. #22
    Join Date
    Aug 2007
    Posts
    187


    Yes, on a PHP suEXEC [mod_suPHP] enabled server, the file/folder permissions must be set to 644 / 755 respectively. These permissions are fair enough for the proper execution of web scripts.
    Regards,
    Victor,
    Support Team.

  3. #23
    Join Date
    Feb 2010
    Posts
    1


    If you could help us with the details of your account, we will investigate the issue further.

  4. #24
    Join Date
    Feb 2010
    Posts
    21


    I have seen the issue of unwanted files magically appearing when using osc before.
    The file uploader/editor included in osc is a security flaw. It is possible for someone to upload a file of any type, thus being able to run malicious code, spam, ads, anything.

    It's unlikely you really need this module, so it is suggested you remove it from your site to avoid the potential.

    I hope this goes some way to explaining how the file got on to the system, even if it doesn't explain how they gained access.

    Other precautions you should take with osc (and any other similar PHP-based code):

    Use a .htaccess file and a passwd file for the admin directory. Use a long username (that isn't admin!) and a strong password.
    Also change your admin directory to another name, preferably long and obscure. (You will also need to change references to the directory in the admin config file.)

    Make sure both config files are set to 444 (you will need to use the file manager in cPanel to do it; you can't change it to 444 through FTP on some systems).

    This extra bit shouldn't be needed but a belts and braces approach to security is always best.
    In any directories where there are PHP files that are not used directly (i.e. included by other PHP files) and directories which shouldn't have any PHP files in, add a .htaccess with the following.

    #.htaccess to prevent unauthorized directory browsing or access to .php files
    IndexIgnore */*
    <Files *.php>
    Order Deny,Allow
    Deny from all
    </Files>

    If you look on the osc forums you will find lots of info about increasing the security of your osc install.
    Last edited by colourful; 07-02-2010 at 05:42. Reason: spelling.
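
An added example, not part of any post in this thread: a small shell audit that reports anything under a web root that departs from the permissions discussed above (755 directories, 644 files, 444 config files, nothing world-writable). The function names and the default config file name `configure.php` are assumptions; pass your own config file name as the second argument.

```shell
#!/bin/sh
# Added example: report permission findings under a web root.
# Assumption: config files are named configure.php; pass another name as $2.

# Prefix each path read from stdin with a finding label.
label() { sed "s|^|$1: |"; }

audit_webroot() {
    root=$1
    cfg=${2:-configure.php}

    # 777/666-style modes: writable by every account on a shared host.
    find "$root" \( -type f -o -type d \) -perm -0002 | label "world-writable"

    # Directories should be exactly 755.
    find "$root" -type d ! -perm 0755 ! -perm -0002 | label "dir-not-755"

    # Config files should be read-only for everyone (444).
    find "$root" -type f -name "$cfg" ! -perm 0444 ! -perm -0002 | label "config-not-444"

    # Every other file should be 644.
    find "$root" -type f ! -name "$cfg" ! -perm 0644 ! -perm -0002 | label "file-not-644"
}

# Run only when a path is given, e.g.: sh audit.sh ~/public_html
if [ $# -ge 1 ]; then audit_webroot "$@"; fi
```

An empty report means every directory is 755, every file is 644 and every config file is 444. Each path is reported once, with world-writable taking precedence over the other labels.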
