Hi, am moving out of my server 'cause one malicious user using a script called php shell located at gimpster.com did some damage to our files and i wanted to know what can i do to secure the new one before changing all the users to this one?
Enabling safe_mode isn't all that great a solution, since it prevents many common applications from running, it will generally cause more grief than good.
Also, if you allow .htaccess override, it's a simple thing to turn safe_mode off by any user who has access to create a .htaccess file.
As you run a business, its more of a common sense decision with security being in mind, you don't want people not to be able to run common applications and developers , designers make a large number of resellers and you don't really want to upset those folks by limiting them ala safe_mode.
Make the system safe, make sure the system permissions are as optimal as they can be, by default OS's can be nailed down a bit more using simple directory permission modifications. Using some IDS system and something like libsafe, chkrootkit, rkhunter and BFD for detecting brute force. Install a good IPtables rule set to prevent many exploit applications from having the intended effect.
All good things to do, but don't lose sight of securing the base system when you add on applications that help you in detecting and preventing hacks/exploits.
Install mod_security with a good rule set, that is undoubtabley a good way to prevent common issues and will also cover for future exploits a lot of the time, although you do need to keep up with anything that you do.
open_basedir is something that you could do for php, if you have a new box, enable it on that first before you get clients - Changing things after clients get all settled in just makes them unhappy as a rule, I value the clients and the income that they provide, as I mentioned, it's finding a happy balance without being too paranoid.
Originally posted by HostCheap.us.com Thanks linux guy - it is installed as cgi and is not using the isapi - but I need to know how would you set this on an IIS 6 (2k3 server) box that doesnt use a httpd.conf file?