  1. #1
    Join Date
    Mar 2005
    Posts
    33

    securing php on our server

    Hi, I am moving out of my server because one malicious user using a script called php shell located at gimpster.com did some damage to our files, and I wanted to know what I can do to secure the new one before changing all the users to this one.

    Thanks a lot.

  2. #2
    Join Date
    Dec 2001
    Location
    NYC, NY
    Posts
    798
    Enable safe mode for PHP. That will disable commands like system() and such so they can't run phpshell.
    Blog your life away
    http://photoblog.com

  3. #3
    Join Date
    Apr 2005
    Location
    Singapore
    Posts
    302
    You need to CHMOD your server to prevent them from viewing your files on your server, and you can use Zend optimization to encode your config or important files.

  4. #4
    Join Date
    May 2004
    Posts
    394
    Use phpsuexec; this will lead you to trace the users running scripts.

  5. #5
    Join Date
    Nov 2004
    Location
    England
    Posts
    513
    Originally posted by almahdi
    Use phpsuexec; this will lead you to trace the users running scripts.
    But it also means that, should a rogue script like Santy run, it'll be able to deface all scripts in the directory. Most of the time, anyway.

    Apache runs as nobody for a reason. phpsuexec just makes things easier to track, not prevent, at least as far as I understand it!

    Why don't you just ask someone like rack911.com to secure your server, and then read up about everything they list on their site so you understand what they did.

    Much safer than attempting to learn + do it yourself and hope you don't miss anything, like you appear to have done already.

  6. #6
    Enabling safe_mode isn't all that great a solution: since it prevents many common applications from running, it will generally cause more grief than good.

    Also, if you allow .htaccess override, it's a simple thing to turn safe_mode off by any user who has access to create a .htaccess file.

    As you run a business, it's more of a common sense decision with security being in mind. You don't want people not to be able to run common applications; developers and designers make up a large number of resellers, and you don't really want to upset those folks by limiting them a la safe_mode.

    Make the system safe: make sure the system permissions are as optimal as they can be; by default, OSes can be nailed down a bit more using simple directory permission modifications. Use some IDS system and something like libsafe, chkrootkit, rkhunter and BFD for detecting brute force. Install a good iptables rule set to prevent many exploit applications from having the intended effect.
    All good things to do, but don't lose sight of securing the base system when you add on applications that help you in detecting and preventing hacks/exploits.

    Install mod_security with a good rule set; that is undoubtedly a good way to prevent common issues and will also cover for future exploits a lot of the time, although you do need to keep up with anything that you do.

    open_basedir is something that you could do for PHP. If you have a new box, enable it on that first before you get clients. Changing things after clients get all settled in just makes them unhappy as a rule. I value the clients and the income that they provide; as I mentioned, it's finding a happy balance without being too paranoid.

    My 2 cents anyway.

  7. #7
    Join Date
    Mar 2005
    Location
    Cardiff, Wales, UK
    Posts
    45
    Originally posted by DigitalN
    Also, if you allow .htaccess override, it's a simple thing to turn safe_mode off by any user who has access to create a .htaccess file.
    If you set a value in httpd.conf using php_admin_value (or php_admin_flag), that option cannot be changed using a .htaccess file, so you can use:

    Code:
    # safe_mode is an on/off setting, so it is set with php_admin_flag
    php_admin_flag safe_mode on
    and it cannot be switched off in a .htaccess file then.
    Jonathan Wright (Technical Director, JAB Web Solutions Limited).

    UK Hosting and Reseller Hosting from JAB Web Solutions
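
An added example (not code from any poster in this thread): a small Python check that reads Apache configuration text and reports where safe_mode or open_basedir is set with php_value/php_flag instead of the php_admin_* forms described in post #7, where an on/off setting is given with the _value form, and which virtual hosts end without a locked open_basedir. The sample configuration, hostnames and paths are constructed for illustration.

```python
import re

BOOLEAN = {"safe_mode"}                # on/off settings named in this thread
WATCHED = BOOLEAN | {"open_basedir"}   # settings the thread wants enforced
# Constructed sample httpd.conf fragment; hostnames and paths are placeholders.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName client1.example
    php_admin_value open_basedir /home/client1/:/tmp/
    php_flag safe_mode on
</VirtualHost>
<VirtualHost *:80>
    ServerName client2.example
    php_admin_value safe_mode on
    # php_admin_value open_basedir /home/client2/
</VirtualHost>
"""

PHP_LINE = re.compile(r"^\s*php_(admin_)?(value|flag)\s+(\S+)\s+\S", re.I)
SERVER = re.compile(r"^\s*ServerName\s+(\S+)", re.I)

def audit(conf_text):
    """Return (vhost, line_no, message) for each weak or missing PHP setting."""
    findings, vhost, scope_global = [], "(global)", set()
    locked = scope_global                 # settings fixed with php_admin_*
    for no, raw in enumerate(conf_text.splitlines(), 1):
        low = raw.strip().lower()         # commented lines match nothing below
        if low.startswith("<virtualhost"):
            locked = set(scope_global)    # a vhost inherits server-wide settings
        elif low.startswith("</virtualhost"):
            if "open_basedir" not in locked:
                findings.append((vhost, no, "no php_admin_value open_basedir"))
            vhost, locked = "(global)", scope_global
        elif (s := SERVER.match(raw)):
            vhost = s.group(1)
        m = PHP_LINE.match(raw)
        if not m or m.group(3).lower() not in WATCHED:
            continue
        admin, kind, name = m.group(1), m.group(2).lower(), m.group(3).lower()
        if not admin:
            findings.append((vhost, no, f"{name} set with php_{kind}, not php_admin_*"))
        elif name in BOOLEAN and kind == "value":
            findings.append((vhost, no, f"{name} is boolean: use php_admin_flag"))
        else:
            locked.add(name)
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONF), sep="\n")
```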

  8. #8
    Join Date
    Jun 2004
    Location
    Woodinville Washington US
    Posts
    601
    Is that also true for the CGI version, where users can use php.ini files in their home directory?

    How would you set this on an IIS 6 (2k3 server) box that doesn't use a httpd.conf file?

  9. #9
    Join Date
    Jun 2004
    Location
    Woodinville Washington US
    Posts
    601
    Anyone? ...

  10. #10
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Generally the PHP on IIS is run as a CGI.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  11. #11
    Join Date
    Jun 2004
    Location
    Woodinville Washington US
    Posts
    601
    Thanks linux guy - it is installed as CGI and is not using the ISAPI - but I need to know how you would set this on an IIS 6 (2k3 server) box that doesn't use a httpd.conf file?

    Any clue?

  12. #12
    Join Date
    Apr 2004
    Location
    Phx, AZ, USA
    Posts
    12
    Ditto, PHP 4.3.11 on IIS6 2003 Server CGI Mode.

    Originally posted by HostCheap.us.com
    Thanks linux guy - it is installed as CGI and is not using the ISAPI - but I need to know how you would set this on an IIS 6 (2k3 server) box that doesn't use a httpd.conf file?

    Any clue?
    Regards,
    Jon T.
