my host has a problem with prestashop he says it sends junk mail!!!!

[Soha 8084]

hello

my host today stopped my website

they said that the script am using is sending junk mail and this was reported by some compeny who received those emails

I didn't got online yet and don't have costumers yet in my database

am using php to send email and is working great

what should I do
????

should I disable php and use smtp instead???
I don't want to really>>>

can the junk mail sent from the server be caused by prestashop?? or not

I really need to know the answer ASAP because I really like presta and don't wanna replace it

[Soha 8084]

hello

where are everybody

I think I know what the prob was

some one took advantage of the weak security of php mail function to send spam through my host server

I have to use smtp now but couldn't get to configure it until now !!!

maybe you guys can make it more secure to use php mail next version and solve this issue

thanks

[spott]

Ask from your hosting provider more information.
From server logs they can check, what file and function is used by attacker. Then - giving this information to developers they can fix it.
Right now is very hard to say, where is problem - maybe isnt problem with PrestaShop but some other script.

[remoteONE]

Hello,
This is a serious security issue, it will be very important to know if its a prestShop bug, Permissions settings, or Web Hoster problem.
Anyone?
remoteONE

[Soha 8084]

I don't know

they said they have closed some ports and php definitions to secure the server from the attacker , so when they did that 3 sites stopped one of them is mine!!!

when I asked for it to be back online they said since it stopped it so it is weak security and might had been the reason of the whole issue

but when re-installed prestashop again it worked perfectly so they said it is ok to use if it is working with the new condition of the server

but all permissions I had to re-set to 777 is that dangerous???

now they said be careful with e-mailing because it is spam and spam is permitted on servers

I really want to use php mail function but afraid

is it dangerous to use it???? for my site and server???

and permission 777 is it dangerous?????

[remoteONE]

777 permissions is very dangerous.
Hackers may be able to upload to your folders that are set to 777 (all permissions) and use up all your bandwidth up/down loading via wartz sites etc.
755 should be the max permissions level for any folder.
I'm no expert but it sounds like your web hoster has not got the sercurity you need.
If the hoster wont alow you to set the permissions that YOU need, you had best find a hoster that can.
I'm re-iterating advice that I was given re Host Security. However, I am still developing on my /localhost/ and havent yet got to host my site live to test the security yet.

Expert advice on this matter is needed.
Bye for now

[Soha 8084]

yes thats true

am looking for new host because it looks like my host is not doing good job protecting the server

I have got a messege from costumer support here that it is very ok to use php mail()

so I will and if my host will have a problem with it I will transfer my site to another

still waiting for any further suggestions

[remoteONE]

I will be also testing my site for PCI compliance .

[Paul C]

It is always good practice to configure your site using the most aggressive file permissions you can get it to work with. A little background for those who are mystified by all these numbers!

Unix/Linux servers permissions are made up of three numbers, although each number is calculated at in the same way. The three numbers refer to Owner, Group and Everyone (also known as Others or World) respectively. Changing the first of the three values will only affect the file owner, the second the file group, and the third everybody else.

It is important to note that the "everyone" permission only partly applies to users who are not logged on to your server, despite how it may sound. The general public are granted access to files on your server via the external services you provide e.g. http and as such users external to your site are only granted access to resources via these services (actually the users who "own" these services).

"Group" is a way of allowing a set of users to access a shared resource on multi-user servers. You need to be assigned to a group by the server root user to use these shared resources.

Looking at one of the three "numbers" we can work out what each set of permissions means for your server. There are three main "permissions" that can be assigned to a file: Read, Write and Execute. These are each assigned a numeric value: Read = 4, Write = 2 and Execute = 1 which are added together in each column to arrive at the final permission for the file or directory (the observant will note that the correspond to binary digits!).

"Execute" is a rather confusing one as it is different for files and for directories. For files it marks a file as executable, and should only be used for real binary executable programs; note that a php script isn't an executable, so you shouldn't use execute for php files (they are are actually run by another program, which is the executable). I can't think of any case where on a web hosting account you would ever need to set the execute permission on a file, so files on your server should always be either 0, 4 or 6. For directories you need to set execute to be able to change to that directory and to list the contents of the directory (directories aren't "run" as programs obviously).

Owner Permissions

As the owner of the files you will normally (but don't always have to) assign the maximum permissions safely. So for the majority of files you will set the first number to 6 (read and write). For a stable files (such as configuration files) that won;t be changed except by you, you can safely change these to 4.

For directories you would normally set the owner permission to 7 (Read + Write + Execute).

Group/Everyone Permissions

This is where it gets a little complex, as in certain server configurations (depending on how the users and groups are configured on your server) group permissions may have to be set to the same (higher) permissions as the owner of the file. Ideally these should be set the same as the "Everyone" permissions, and restrict access - this is to protect you against other users who host on the same server as you, and who may be members of the same groups as you (there are other measures in place to prevent users accessing each others accounts, but you should never rely on someone else to protect you).

Unless you are required to grant the group higher permissions you should set files to 4 (Read) and directories to 5 (Read + Execute). These settings should work for most servers.

Taking the above into account, you will arrive (almost) at the answer remoteONE gave earlier in that for directories you should set the permissions to 755, and for files you should set them to 644.

Additional protection

There are certain files that are only ever "read" directly by your code (for example the template .tpl files). These can have even more restrictions placed on them should you wish, without causing problems. In the case of a template file (which is only read by your php scripts) you can set the file permissions to 600 (660 on servers that require owner permissions on group) and you site will still work, but anyone trying to access the raw template file externally will be presented with a 403 (forbidden) error.

There are very, very few cases where you would ever want (or need) to set the permissions on a directory to 777, or a file to 666. If your server requires this, then get another hosting provider.

Whew, I really hope this makes sense!

Paul

[Matthieu Biart]

Hi everybody!

Ask from your hosting provider more information.
From server logs they can check, what file and function is used by attacker. Then - giving this information to developers they can fix it.
Right now is very hard to say, where is problem - maybe isnt problem with PrestaShop but some other script.

Exactly, without the logs we cannot check our side and so won't be able to tell you if it is our fault (and solve it) or not.

Paul C: nice explanation :-)