Spam Issues

[mooresites]

I have recently been bombarded with issues of spammers rewriting files that are intended for Snippetmaster. I use your service for several clients (love it), but recently it's become quite a hassle. In all instances, the folder (usually uploads) that has been chmod 777 is infiltrated with spam pages that generate spam. Also, files that are CHMOD 646 (for writability) are being affected as well. What am I doing wrong? Thanks!

[admin]

Hello,

Hmm.. can you make sure that you are using the most recent version?  There was a security problem with one of the older version of Snippetmaster a while ago (last February 2009), so it might be that your server is insecure and the hacker was able to use snippetmaster to get in.

If you are running the latest version of Snippetmaster then you should be safe.

Here are upgrade instructions:

1. Go to http://www.snippetmaster.com/download
2. Follow the "auto installer" instructions to install.
3. The installer will detect that this is an upgrade, so all your existing configuration settings will be saved.

Let me know how that goes.

[mooresites]

Sure am . . . updated back in February with the new release. What happened is there was a file that was 646 CHMOD (what I use for all SMaster related files). All of a sudden, today, this file was altered (it was a test file to set up the system). I can't see how they modified that file when it's in the root and SMaster is two directories deep (and is set not to see the root) . . . any ideas? Also, is 646 the best setting for updateable files? Thanks!

[admin]

The file permissions that are needed are totally dependent on your web hosting provider's setup of your server.

For example, on my server where snippetmaster runs, only normal permissions are needed and no "write" permissions for any user except the owner.  (No "777" permissions are needed.)

However, for other hosting providers.. they might run their servers differently so they may require permissions of 777 or something in order to allow Snippetmaster to write to the files.

The only thing I can suggest is to upgrade to the latest version (v2.2.3.2) and see if that helps.  It should be secure now if you upgraded in February, but doesn't hurt to have the latest.  Other then that.. confirm with your hosting provider what file permissions are needed and you should be ok.

(Only the flies you want to be editable with Snippetmaster need to have "write" permissions. Everything else (Snippetmaster program files, etc) should only have "read" permissions.)

Let me know how things go.

[davert]

Just to clarify, under a typical cpanel installation, you may find that the group you need is nobody or your username -- one or the other depending on whehter they use suexec (I think).

I use suexec and for me, nobody is the group Snippetmaster needs files to be assigned to. At that point you can chmod 765 (775 if that doesn't work). Then Apache has access to the file, but "world" does not.

777 should usually be totally unnecessary BUT you must chgroup (or chown) properly.