Web Hosting Talk

Prevent "shell.php"?


bear
07-13-2004, 07:09 AM
Had someone sign up recently and they uploaded a file called "shell.php". It gave them full interactive shell access (touch, pico, ls, rm, *) with no logging of their actions.

After killing the account, and so on, I got to wondering how to prevent this. I took a box that isn't yet populated, and used every suggested tweak to secure it (phpsuexec, open_basedir, and so on), and it still doesn't even twitch before running just as before.
Is there any way to prevent scripts like this from working? If not, what to do? I can't have people installing this on systems where I don't allow shell, and I'd rather have them go through channels to ask for this, and have them be accountable for their actions. They apparently would rather not.

Can this be fixed? Suggestions?

Bashar
07-13-2004, 07:28 AM
If you use open_basedir there is no harm, since they can only run it in their local shell.

Logging/history can be deleted/faked even from real shell access, so there is no use in logging.

naguib2000
07-13-2004, 07:28 AM
I think you can disable some functions in PHP to not allow any
shell_exec, system, exec.

This can be done from the php.ini file.

I think it can help, but make sure that you yourself are not using any shell commands from PHP.

:)

bear
07-13-2004, 08:10 AM
Originally posted by Bashar
If you use open_basedir there is no harm, since they can only run it in their local shell.
Ah, the test account was excluded from the openbasedir. That would explain why it still had access to root files. Issue solved, and thanks for pointing me to the error...

hiryuu
07-13-2004, 03:27 PM
Enable the exec functions on a by-request basis. Almost no legitimate PHP script needs them. Of course, you can do the same thing with a CGI, and there's nothing you can do there except kill CGI entirely.

PhilG
07-14-2004, 12:18 AM
mod_security will help... make a filter to block /shell.php

Steven
07-14-2004, 01:00 AM
SecFilterSelective THE_REQUEST "/shell\.php"

darksoul
07-14-2004, 02:18 AM
That's if your users aren't smart enough to rename that file to something else.

youandme
07-14-2004, 07:16 AM
:)) Disabling the shell_exec, system, exec functions in php.ini will help you :) Or you can set permissions for commands (ps, ls, ...).

driver51
07-14-2004, 10:20 AM
Originally posted by naguib2000
I think you can disable some functions in PHP to not allow any
shell_exec, system, exec.

This can be done from the php.ini file.

I think it can help, but make sure that you yourself are not using any shell commands from PHP.

:)

That's the one.
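
An added example, not part of any post in this thread: a Python check of a php.ini body against the disable_functions advice given above. It goes beyond the three functions the posters name by also listing passthru, popen, proc_open and pcntl_exec; the sample php.ini text and the /home/testuser path are constructed for illustration.

```python
import re

# Functions that start a process from PHP. The thread names shell_exec,
# system and exec; the other four are added here (assumption of this example).
# Disabling shell_exec also disables the backtick operator.
EXEC_FUNCS = ("exec", "system", "shell_exec", "passthru",
              "popen", "proc_open", "pcntl_exec")

# name = "quoted value"   or   name = bare value ; trailing comment
DIRECTIVE = re.compile(r'^\s*([\w.]+)\s*=\s*(?:"([^"]*)"|([^;]*))')


def read_directives(ini_text):
    """Return {name: value} for a php.ini body; the last assignment wins."""
    found = {}
    for line in ini_text.splitlines():
        m = DIRECTIVE.match(line)      # ';' comment lines and [sections] do not match
        if m:
            quoted, bare = m.group(2), m.group(3)
            found[m.group(1).lower()] = quoted if quoted is not None else bare.strip()
    return found


def audit(ini_text):
    """Report exec-type functions left enabled and whether open_basedir is set."""
    d = read_directives(ini_text)
    names = d.get("disable_functions", "").split(",")
    disabled = {n.strip().lower() for n in names if n.strip()}
    return {
        "still_enabled": [f for f in EXEC_FUNCS if f not in disabled],
        "open_basedir_set": bool(d.get("open_basedir")),
    }


# Constructed sample: the commented-out line must not count as a setting.
SAMPLE_INI = """\
[PHP]
; disable_functions = exec,system,shell_exec,passthru
disable_functions = exec, system ,shell_exec   ; the three named in the thread
open_basedir = "/home/testuser:/tmp"
"""

if __name__ == "__main__":
    print(audit(SAMPLE_INI))
```

open_basedir is often set per virtual host in the web server configuration rather than in php.ini, so a False result for it here only means the main file does not set it.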