4644
SUID + 644
4644 combines:
- **SUID (4)**: execute as file owner
- Owner: rw-
- Group: r--
- Others: r--
But note: 644 has no execute bit, so SUID on a non-executable file is normally pointless. The S flag appears, but **no privilege elevation occurs** because there is no execution path.
This mode is often seen in misconfigurations, malware persistence attempts, or forensic anomalies.
Objective
Understand 4644, why it exists, and how to treat it in a professional WordPress VPS security posture.
Concept Breakdown
Octal Structure
| Digit | Meaning |
|---|---|
| 4 | SUID bit |
| 6 | Owner rw- |
| 4 | Group r-- |
| 4 | Others r-- |
Behavior
| Condition | Result |
|---|---|
| Not executable | SUID does nothing, but flags suspicion |
| Executable later set | Would run as file owner |
Syntax Formula
Apply SUID + 644
chmod 4644 <file>
Remove SUID
chmod u-s <file>
Check all SUID files
find / -perm -4000 2>/dev/null
Permission Indicator
ls -l displays:
-rwSr--r--
Notice the **S** (capital), indicating SUID but no exec bit.
If file later becomes executable:
chmod u+x file
it becomes:
-rwsr--r--
This is a **red flag** if accidental.
Example & Output
Demo
echo "test" > /usr/local/bin/testfile
chmod 4644 /usr/local/bin/testfile
ls -l /usr/local/bin/testfile
Expected:
-rwSr--r-- ... testfile
Try to run:
/usr/local/bin/testfile
Expected:
permission denied / not executable
WordPress-Relevant Usage
| Scenario | Valid | Notes |
|---|---|---|
| WP core/theme/plugin files | ❌ Critical misconfiguration | |
| User uploads | ❌ Security issue | |
| System config file | ✅ Could appear but should not have SUID | |
| Script intended to elevate later | ⚠️ Very bad practice | |
| Malware staging technique | ✅ Likely case | |
**WP rule:** treat unexpected 4644 as a security incident.
WP Server Context
| Case | Interpretation |
|---|---|
| WP file flagged 4644 | Likely tampering |
| .php or .sh with 4644 | Attack attempt |
| Logs or keys with SUID | High-risk misconfig or breach |
| Binary copied by attacker | Persistence path |
Security Considerations
Risks
| Vector | Threat |
|---|---|
| Latent privilege escalation | If execute bit is later granted |
| Recon/malware flag | Attack staging indicator |
| Accidental SUID on config | Privileged file exposure |
Audit Command
find / -perm -4000 2>/dev/null
Remediation
chmod u-s <file>
If file shouldn't be sensitive, reset perms:
chmod 644 <file>
Best Practices
| Practice | Reason |
|---|---|
| Do not use 4644 intentionally | No valid WP use |
| Investigate if detected | Possible intrusion |
| Restrict admin script perms | Prevent escalation |
| Use write-only upload dirs, not exec | Security layer |
WordPress Audit Steps
Scan site tree:
find /home -perm -4000
If any file under /public_html or wp-content shows 4644:
- Remove SUID: chmod u-s <file>
- Reset proper WP perms (644 files, 755 dirs)
- Scan malware
- Check logs for intrusion
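The scan step above, as an added example that is not part of the original page: a POSIX shell function that separates SUID files lacking the owner execute bit (the 4644 case, shown as S) from SUID files that are executable (shown as s). The names audit_suid and make_sample_tree and the temporary sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). audit_suid and
# make_sample_tree are illustrative names; the sample tree is constructed.

# audit_suid ROOT: list regular files under ROOT that carry the SUID bit.
#   LATENT <path>  SUID set, owner execute bit clear (ls shows "S", e.g. 4644)
#   ACTIVE <path>  SUID set, owner execute bit set   (ls shows "s", e.g. 4755)
# Exit status: 0 = none found, 1 = at least one found, 2 = bad argument.
audit_suid() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "audit_suid: not a directory: $root" >&2
        return 2
    fi
    # -perm -4000 matches any mode with SUID; "! -perm -0100" keeps only
    # files whose owner cannot execute them, which is the 4644 pattern.
    latent=$(find "$root" -xdev -type f -perm -4000 ! -perm -0100 \
        -exec printf 'LATENT %s\n' {} +)
    # -perm -4100 requires both SUID and owner execute.
    active=$(find "$root" -xdev -type f -perm -4100 \
        -exec printf 'ACTIVE %s\n' {} +)
    if [ -n "$latent" ]; then printf '%s\n' "$latent"; fi
    if [ -n "$active" ]; then printf '%s\n' "$active"; fi
    [ -z "$latent$active" ]
}

# make_sample_tree: build a constructed WordPress-like tree in a temp dir
# and print its path. Only files owned by the caller are touched.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/wp-content/uploads" "$t/wp-content/plugins"
    echo '<?php // normal file' > "$t/wp-content/plugins/ok.php"
    echo 'staged'               > "$t/wp-content/uploads/stage.php"
    echo '#!/bin/sh'            > "$t/wp-content/uploads/helper"
    chmod 644  "$t/wp-content/plugins/ok.php"
    chmod 4644 "$t/wp-content/uploads/stage.php"   # SUID, no exec
    chmod 4755 "$t/wp-content/uploads/helper"      # SUID + exec
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
audit_suid "$tree" || echo "SUID files found under $tree"
rm -rf "$tree"
```

A LATENT line is the case this page describes; an ACTIVE line under a web root means the execute bit is already present and the file would run as its owner.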
Go-Live Checklist
| Requirement | ✅ |
|---|---|
| Zero SUID in WP directories | ✅ |
| Monitor file perms weekly | ✅ |
| Lock write access in WP dirs | ✅ |
| Fail2Ban & AV enabled | ✅ |
Troubleshooting Matrix
| Symptom | Cause | Fix |
|---|---|---|
| SUID stuck on file | Misconfig or tampering | chmod u-s |
| Security scanner alerts | Suspicious 4644 file | Reset perms + AV scan |
| Unexpected file owner exec | Exec bit later added | Investigate + isolate |
Quick Lab
Simulate suspicious SUID file:
echo "secret" > /tmp/stage
chmod 4644 /tmp/stage
ls -l /tmp/stage
Investigate and correct:
chmod u-s /tmp/stage
Cheat Sheet
| Command | Purpose |
|---|---|
| chmod 4644 | SUID + 644 |
| chmod u-s | Remove SUID |
| find / -perm -4000 | Scan SUID |
| ls -l | Spot capital S |
Mini-Quiz
| Question | Answer |
|---|---|
| Is 4644 useful? | No — usually a mistake or threat |
| Capital S means? | SUID but not executable |
| What to do if seen in WP dirs? | Remove + investigate |
| SUID valid for PHP files? | Never |