System files disappearing! Installation security help, please?
#8

[eluser]Jay Turley[/eluser]
[quote author="BrianDHall" date="1256878519"]Well in the words of Gidget from Wow Wow Wubbzy, "that wasn't supposed to happen."

For CI files you should be ok to set everything to 0555 (read and execute only), and depending on your configuration you might be ok with 0444 (read only) but you'd have to play with it to make sure.

Note that you'd probably best run this recursively on CI system AFTER moving out your application folder :)

You will need to go in and manually set permissions for your logger though, or you will be unintentionally disabling logging.

Security lock down procedures basically state you need to assume total password compromise across the board and reset all usernames and passwords for anyone with access to your system, including database passwords. It's usually what causes this sort of thing, compromised accounts.

I'd also check all your code and make certain to check any unset, unlink, eval, and exec commands and make sure you don't have something that could be injected to cause such deletions.

Also if CI still runs with no System, there is something wrong there, it should error out. Check for symlinks and your index.php and make sure you know what CI system folder it is really using.[/quote]

Okay, thanks. Running through this point by point:

0555 is what I am using, except on cache and log directories. Applications reside outside of the system directory. No unset/unlink/eval/exec statements used as far as I can tell. XSS and SQL injection in place. index.php DOES point to correct system folder.

The "still running" is - I am thinking - having something to do with the "cloud" persisting the application somehow, perhaps through caching. This is unclear to me, and was never a problem in the past on previous hosts.

Now that I think about it though, the previous site was infested with malware at one point, and I am pretty sure it came from our client who uses a mini-CMS I built to edit site content. I wiped it from the site and did a complete password change across the board, and that took care of it. That was a few months ago.

Now that it's on three of our client sites in the cloud, and I haven't even accessed one of them with my new Linux system, I am thinking it's probably not malware on my end.

Thanks for the help!
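
The lock-down discussed in this post (0555 on the CI system tree, log and cache directories left writable, symlinks checked) can be applied and verified with a short script. This is an added example, not code from either poster; the directory names `logs` and `cache` directly under the system folder are assumptions about the layout.

```shell
#!/bin/sh
# Added example: lock down and audit a CodeIgniter system tree.
# Assumption: writable exceptions are <system>/logs and <system>/cache;
# adjust skip_writable_dirs if your layout differs.

# Emits the find(1) expression that prunes the directories allowed to stay writable.
skip_writable_dirs() {
    printf '%s\n' "$1/logs" "$1/cache"
}

# Set every file and directory to 0555, except the log and cache trees.
# Symlinks are never passed to chmod, so a link cannot redirect the change.
lock_ci_tree() {
    root=$1
    find "$root" \( -path "$root/logs" -o -path "$root/cache" \) -prune -o \
        \( -type f -o -type d \) -exec chmod 0555 {} +
}

# Report anything that breaks the lock-down:
#   WRITABLE <path>  a file or directory with any write bit set
#   SYMLINK  <path>  a symlink inside the tree (may point at another system folder)
audit_ci_tree() {
    root=$1
    find "$root" \( -path "$root/logs" -o -path "$root/cache" \) -prune -o \
        \( -type f -o -type d \) \
        \( -perm -200 -o -perm -020 -o -perm -002 \) -print |
        sed 's/^/WRITABLE /'
    find "$root" -type l -print | sed 's/^/SYMLINK /'
}

# Print the physical path of the system folder, with symlinks resolved,
# to confirm which directory index.php is really using.
real_system_dir() {
    ( cd "$1" && pwd -P )
}

# Usage (paths are placeholders):
#   lock_ci_tree  /path/to/system
#   audit_ci_tree /path/to/system    # no output means the tree is clean
#   real_system_dir /path/to/system
```

Running `audit_ci_tree` from cron and alerting on any output gives early warning if permissions are loosened or a symlink appears after the lock-down.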


Messages In This Thread
System files disappearing! Installation security help, please? - by El Forum - 10-29-2009, 06:03 PM


