8

Working at a local SEO sweat-shop as "whatever the lead dev doesn't feel like doing" guy.

Inherit their Linux "server".
- Over 500 security updates
- Everything in /var/www is chmod to 777
- Everything in /var/www is owned by a random user that isn't apache
- Every single database is owned by root sql user
- Password for sudo user and mysql root user same as wifi password given to everyone at company.
- Custom spaghetti code dashboard with over 400 files in one directory, db/ api logins spread throughout these files, passwords in plain text.
- Dashboard doesn't have passwords, just usernames to login
- Dashboard database has all customer information including credit card stored in plain text
- Company wifi is shared by other businesses in the area

I suggest that I should try to fix some of these things.

Lead Developer / Tech Director : We're an SEO company, not a security company . . .

Comments
  • 3
    That user thingy is good though. www-data should never own files on a webserver :)
    The others though...
  • 0
    @Charon92 That's what I thought as well.
  • 2
    @limitunknown @Charon92
    So every website basically can write to each other? No, they should be different users.
  • 1
    @Charon92
    Because the guides are really stupid and people are still wondering why all their sites get pwned.
    You can also define the user on PHP-FPM too.
  • 2
    @Charon92
    + It is easier for you to see which website is hogging resources in htop, for example :)
  • 1
    @Linux Thanks for the heads up. That's good advice I had not thought of. BTW, the server I was talking about here: it wasn't that each website had a different user. It was that almost every single file had a different user and they were constantly chowning things instead of setting up permissions and ownership even remotely correctly.
  • 1
    @limitunknown
    That is fucked up..
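
An added example, not part of the original post or its comments: a small audit a defender could run over a web root to surface three of the findings listed above (world-writable files, scattered ownership, and credential-like literals in source files). The function name, the credential regex and the sample tree are assumptions made for illustration; the regex is a heuristic and will miss or over-report some lines.

```python
import os
import pwd
import re
import stat
import tempfile
from collections import Counter

# Heuristic (assumption): a quoted literal assigned to a credential-like name.
CRED_RE = re.compile(r"""(?i)(pass(word|wd)?|secret|api_?key)\w*['"\]]*\s*(=>|=|:)\s*['"][^'"]+['"]""")

def owner_name(uid):
    """Resolve a uid to a login name; fall back to the number for orphaned uids."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def audit_webroot(root):
    """Walk root and collect world-writable paths, owner counts and credential-like lines."""
    report = {"world_writable": [], "owners": Counter(), "cred_lines": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing about its target
            report["owners"][owner_name(st.st_uid)] += 1
            if st.st_mode & stat.S_IWOTH:
                report["world_writable"].append(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            try:
                with open(path, errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if CRED_RE.search(line):
                            report["cred_lines"].append((path, lineno))
            except OSError:
                pass  # unreadable file: ownership and mode were still recorded
    return report

if __name__ == "__main__":
    # Constructed sample tree standing in for a web root.
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "config.php")
        with open(cfg, "w") as fh:
            fh.write('<?php\n$db_pass = "constructed-example";\n')
        os.chmod(cfg, 0o777)
        print(audit_webroot(root))
```

A long `owners` tally for a single site's directory is the "every file has a different user" symptom described in the comments; only file paths and line numbers are reported, never the matched values.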