I am frustrated, this problem is over my head – need help!
A client had directory permissions set to 777 on a particular directory because they are using a PHP upload script. Although the PHP script sat in seperate protected directory, we discovered that an unknown someone had placed a .php file in that unprotected directory. That script was written to send specific server variables through the url to a server in Russia.
My questions are as follows:
How can I protect the directory against outside access when the permissions must be set at 777 so the desired PHP upload script has access? (.htaccess ?)
How did this person locate the directory in the first place?
How did he/she upload the file being as the upload script was coded to allow only specific extensions through?
How did he/she upload the file being as the upload script was placed in a protected directory?
Thanks in advance.