Different Apache user than FTP user - not safer after all?


  1. #1
    MTD
    MTD is offline
    Senior Member
    Real Name
    Mike
    Join Date
    Apr 2008
    Posts
    141
    Liked
    0 times

    Different Apache user than FTP user - not safer after all?

    Regarding the most recent exploit, it has been mentioned that if the Apache username was different than the FTP username, it wouldn't have been possible. However after dozens of posts on here and messages back and forth with staff, some of the answers I'm getting seem to be contradictory.

    For example, in order to switch the Apache username to something different, that means 644 permissions won't be possible and instead, 755 would need to be used. Oleg confirmed doing that would indeed be less safe than 644. It seems like a no-win situation. So what are we to do?

    Note for staff: Can you please re-open my other thread too? I have since heard from others that were struck by that exploit at the exact same time and the logs show the path of entry was the same as this weekend's exploit - it would be helpful having a place to talk about it instead of just automatically dismissing it as something completely unrelated. Yes, they are two different exploits, but those of us hit by both at once can't help but ask, after looking at the evidence, if exploit A made B possible.

  2. #2
    Senior Member
    Join Date
    Oct 2005
    Location
    Phuket, Thailand
    Posts
    194
    Liked
    0 times
    I saw on vb.com someone had got iframe code inserted into his files, an iframe size 0 that calls URL from another website.

    Worrying with all those hacks lately.

  3. #3
    vBSEO Staff Oleg Ignatiuk's Avatar
    Real Name
    Oleg Ignatiuk
    Join Date
    Jun 2005
    Location
    Belarus
    Posts
    25,741
    Liked
    168 times
    Hello,
    Quote Originally Posted by MTD
    For example, in order to switch the Apache username to something different, that means 644 permissions won't be possible and instead, 755 would need to be used

    0644 would be normal permissions in this case, and vBSEO will not be able to write to config.xml - that is expected behaviour.
    Whenever you need to change vBSEO configuration, you should change config.xml permissions to 0666, modify settings in vBSEO CP, and then switch it back to 0644.

  4. #4
    MTD
    MTD is offline
    Senior Member
    Real Name
    Mike
    Join Date
    Apr 2008
    Posts
    141
    Liked
    0 times
    Quote Originally Posted by Nicke
    I saw on vb.com someone had got iframe code inserted into his files, an iframe size 0 that calls URL from another website.

    Was that thread from a couple weeks ago? If so I know what one you're talking about. Is there any way we can search to find if an iframe is in the code? After all, there should be no legit reason for an iframe to exist, so if one is found it must be a hack.

  5. #5
    MTD
    MTD is offline
    Senior Member
    Real Name
    Mike
    Join Date
    Apr 2008
    Posts
    141
    Liked
    0 times
    Quote Originally Posted by Oleg Ignatiuk View Post
    Hello,

    0644 would be normal permissions in this case, and vBSEO will not be able to write to config.xml - that is expected behaviour.
    Whenever you need to change vBSEO configuration, you should change config.xml permissions to 0666, modify settings in vBSEO CP, and then switch it back to 0644.
    But my host said 644 would not be possible and that 755 would need to be used (if apache user was different). Are you saying it would be 0644 instead of 755? I'm confused.

  6. #6
    Senior Member
    Real Name
    Ceri May
    Join Date
    Jul 2009
    Location
    United Kingdom
    Posts
    1,726
    Liked
    15 times
    Blog Entries
    1
    0644 would mean that the file is readable by all and writeable by owner.

    755 means that it would be readable and executable by all and only writeable by owner.

    Both are secure, but why would you want the XML file to be executable? It is a simple text file; at the end of the day there is nothing to execute, so 755 is pointless, though it would be just as protected from Apache writing to it as 644 would be, as long as it is chown'd by your FTP user.

    Having Apache run as the same user as your file system user is just very bad practice; it means that no file can be protected from Apache.
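
The ownership point made in posts #3 and #6, as an added example that is not part of any post in this thread: a small audit that lists the files the web server account can modify. The file names, the sample tree and the "uid + 1" stand-in for a separate Apache account are assumptions made for the demonstration; group-write access is not evaluated.

```shell
#!/bin/sh
# Added example: list files under a docroot that the web server account can modify.
# Usage: apache_writable DOCROOT WEB_USER   (WEB_USER: account name or numeric uid)
apache_writable() {
    docroot=$1
    web_user=$2
    # A file is writable by Apache if it is world-writable (o+w),
    # or if Apache's own account owns it and the owner-write bit is set.
    # Group-write access is not checked here (it depends on group membership).
    find "$docroot" -type f \
        \( -perm -0002 -o \( -user "$web_user" -perm -0200 \) \) -print | sort
}

# Constructed sample tree (hypothetical file names), owned by whoever runs this.
make_sample_tree() {
    d=$(mktemp -d)
    echo '<config/>' > "$d/config.xml";      chmod 0644 "$d/config.xml"
    echo '<config/>' > "$d/config_open.xml"; chmod 0666 "$d/config_open.xml"
    echo '<?php ?>'  > "$d/index.php";       chmod 0755 "$d/index.php"
    echo "$d"
}

tree=$(make_sample_tree)
me=$(id -u)
other=$((me + 1))   # stand-in for a separate Apache uid (assumption for the demo)

echo "Apache runs as a different user (uid $other): only 0666 files are exposed"
apache_writable "$tree" "$other"

echo "Apache runs as the file owner (uid $me): 0644 and 0755 files are exposed too"
apache_writable "$tree" "$me"

rm -rf "$tree"
```

On a real site, pass the docroot and the account Apache actually runs as; any file left at 0666 after a configuration change shows up in the first case.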

  7. #7
    Senior Member
    Join Date
    Oct 2005
    Location
    Phuket, Thailand
    Posts
    194
    Liked
    0 times
    It was posted today, and he was running vb 4.0.5.

    I just tried cat *.php | grep iframe and I got one hit, a part of Arcade.

    Will try to search templates from admincp too.

    Quote Originally Posted by MTD View Post
    Was that thread from a couple weeks ago? If so I know what one you're talking about. Is there any way we can search to find if an iframe is in the code? After all, there should be no legit reason for an iframe to exist, so if one is found it must be a hack.

  8. #8
    MTD
    MTD is offline
    Senior Member
    Real Name
    Mike
    Join Date
    Apr 2008
    Posts
    141
    Liked
    0 times
    Quote Originally Posted by Nicke View Post
    I just tried cat *.php | grep iframe and I got one hit, a part of Arcade.

    Will try to search templates from admincp too.
    These vB exploits are getting out of hand. That's why I waited 8 months to upgrade to 4, hoping they would be taken care of... wishful thinking.

    How are you searching your php files to see if they have an iframe?

  9. #9
    Senior Member
    Real Name
    Ceri May
    Join Date
    Jul 2009
    Location
    United Kingdom
    Posts
    1,726
    Liked
    15 times
    Blog Entries
    1
    Using the code he mentioned above in an SSH client will search all .php files for the presence of an iframe.

    cat *.php | grep iframe
    Again, though, that issue isn't anything to do with vBSEO.
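
A variant of the search discussed in posts #7 to #9, as an added example that is not part of any post: it descends into subdirectories, keeps the file name and line number of each hit, and separately reports iframes that are sized to zero or hidden by style, which is the pattern described in post #2. The sample site, its file names and the `.invalid` URL are constructed for the demonstration, and the hidden-iframe regular expression is a heuristic.

```shell
#!/bin/sh
# Added example: recursive iframe search that reports file:line:text per hit.

# Heuristic for an iframe made invisible: zero width/height or a hiding style.
HIDDEN_RE="<iframe[^>]*(width=[\"']?0|height=[\"']?0|display: *none|visibility: *hidden)"

# scan DIR REGEX -> one "file:line:text" row per matching line in web files.
# /dev/null is passed so grep always prints the file name, even for one file.
scan() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.js' \) \
        -exec grep -niE "$2" /dev/null {} + | sort
}

find_iframes()        { scan "$1" '<iframe'; }      # every iframe, for review
find_hidden_iframes() { scan "$1" "$HIDDEN_RE"; }   # the ones worth alarm

# Constructed sample site: one clean file, one legitimate visible iframe,
# one injected zero-size iframe in a subdirectory.
make_sample_site() {
    d=$(mktemp -d)
    mkdir "$d/includes"
    printf '%s\n' '<?php echo "hello"; ?>' > "$d/index.php"
    printf '%s\n' '<iframe src="game.swf" width="640" height="480"></iframe>' \
        > "$d/arcade.php"
    printf '%s\n' '<?php include "nav.php"; ?>' \
        '<iframe src="http://other-site.invalid/" width="0" height="0"></iframe>' \
        > "$d/includes/footer.php"
    echo "$d"
}

site=$(make_sample_site)
echo "All iframes:"
find_iframes "$site"
echo "Hidden iframes:"
find_hidden_iframes "$site"
rm -rf "$site"
```

Templates stored in the database are not covered by a file search and need to be checked from the admin control panel, as post #7 notes.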
