XF 1.5 Some idiot keep uploading files to the SERVICE DIR how to avoid?

[fionix]

There is some script kiddi that is keep uploading movies to the SERVICE director in the XF directory.

I have renamed the DIR now to see if the forum still works if I would remove the directory entirely, it seem it still works just fine.

Can someone let me know what the SERVICE directory is used for?

root/library/zend/service

 

[Chris D]

The Zend/Service directory will be accessed by some XF functions.

Notably our ReCaptcha, Twitter and Akismet integrations.

You may not use all of them, however, regardless of this the behaviour you are describing is concerning to say the least.

You need to put some serious effort into identifying how they are making that directory accessible. This is almost certainly something you should make your host aware of as they may be able to shed some light via their logs as to how this is being accessed, by who and when, which may be part of the process of identifying how it is happening and how to stop it.

Your host will likely have more advice, but be sure to audit all of the access to your site including cPanel and FTP and reset all of your login details for everything.

 

[fionix]

The problem is the HOST gives a S... about it, they provide servers and the rest is up to you There is Plesk and a Firewall installed so it's possible to do some scuring of the server.. will have to search the logs and see if I can find something. SSH is closed so FTP may be the way they get in, don't know will have to see.. the LOG is insane big

 

[TPerry]

Is this a Windows server using Plesk?

 

[fionix]

Nope Linux

 

[TPerry]

Check your permissions. Make sure they are 644 for the files and 755 for the /library and all subdirectories and files. It sounds like you have slight misconfiguration.

 

[fionix]

They are set like this.. it is always in the ZEND DIR and DIR's within there they place these videos!

 

[adwade]

My first thought is I would be running Tripwire, to audit what is going on in every directory, not just the SERVICE directory. My second thought is you might want to consider running PHP Mussel to help protect against any really undesirable uploads.(Info Thread here)

 

[fionix]

Thanks for the software recommandation. I have tried to figure out with TripWire but it seems it's not free and for nerds

 

[teletubbi]

TripWire but it seems it's not free

It's open source.

https://sourceforge.net/projects/tripwire/

 

[adwade]

It's fairly simple to install, just put the tripwire.php & tripwire_config.php files into the root directory of your website.(i.e. same directory that your Xenforo index.php is in)

Then add your email to the tripwire_config.php file

   'email' => array(
      'to' => array(            // Email these people on changes
        'your_email@yourwebsite.com'  // 'user@server.com'

Lastly then, you just visit the URL http://www.yourwebsite.com/tripwire.php to invoke it whenever you want to check on what has changed.