  1. #1

    Question prevent of execution trojan shell scripts, like r57shell and other?

    Hello,

    Which configuration for php and server that prevent execute shell scripts ?

    Which functions you recommend to disable ?
    Like shell_exec, passthru, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, exec, system, suexec, popen, pclose, dl, ini_set, virtual, set_time_limit
    --Nick--
    Ban Giay nam gia re
    Ban Giay luoi nam gia re

  2. #2
    Join Date
    Jan 2005
    Posts
    231
    You can disable system, exec, shell_exec, passthru, error_log, ini_alter, dl, pfsockopen, openlog, syslog, readlink, symlink, link, leak, popen, escapeshellcmd, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, escapeshellarg, pcntl_exec

    set display_errors off in php.ini

    Also, install mod_security with good rules if you run apache.
    I recommend you as well rkhunter with a daily cron job and daily reports sent to your email.

  3. #3
    thank you mtrc !

    How can we prevent show user list in this script ?
    Functions which you said , has been disabled but client can find users of server . I don't want to they can !
    --Nick--

  4. #4
    Join Date
    Jan 2005
    Posts
    231
    What script are you talking about?
    Set safe_mode On and also open_basedir to something you want to allow: eg /tmp/:/home/user/blabla/.

  5. #5
    Join Date
    Sep 2005
    Location
    With My Laptop
    Posts
    5
    make sure that safe mode is on , and check disable functions and add those functions

    "exec,system,passthru,readfile,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,popen,parse_ini_file,show_source,curl_exec"

    don't forget to check your php version because the php 4.4.3 and php4.4.4 vuln , and also 5..

    and as mtrc said , mod_sec can stop some php attacks if you are using good rulez with it .

  6. #6
    Hello ,

    Thank you for your help .

    I set safe_mode to ON in htaccess but I can't see the result in phpinfo ?

    My technical support say that if you following phpinfo it will show you the result of global php. it will not show the .htaccess result.

    Does he say correct ?

    I check my server by r57shell script .
    [url removed]

    By this script we can get users list in my server but there isn't work that location :
    [url removed]

    How can I prevent to get user list by these scripts ?
    Last edited by bear; 11-07-2006 at 07:26 AM.
    --Nick--

  7. #7
    Join Date
    Jul 2002
    Location
    Florida
    Posts
    285
    I wouldn't post links to open phpshell's on your server, here.
    Mark

  8. #8
    What do you mean?
    --Nick--

  9. #9
    Join Date
    Feb 2005
    Location
    Australia
    Posts
    5,842
    So, if I understand this right:

    1. You've placed a php shell on your own account.
    2. You haven't protected it in any way.
    3. You've posted a link to it on a public forum.

    Don't you see that this might possibly cause you a problem?
    Chris

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter

  10. #10
    Join Date
    May 2006
    Posts
    1,398
    disabling the functions and using the mod security and rules from gotroot.com is a big help, you will have to keep an eye on the audit log for a few days to prevent false positives but its what you need. It blocks c99, r57, php term and a few others.
    Disabling functions helps but mod security is almost a must to stop these. c99 will work with shell exec disabled, safe mode on, and other functions disabled, so blocking the string is what you need. Plus you will be able to see how and where they were executed.

  11. #11
    Join Date
    Oct 2002
    Location
    State of Disbelief
    Posts
    22,951
    Quote Originally Posted by constantine
    I check my server by r57shell script .
    Links removed. Really not a good idea to do this, there are some folks that read forums that aren't very nice and may do you harm.
    I would highly suggest you change the file name or remove these from your server before something bad happens...

  12. #12
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,686
    Which configuration for php and server that prevent execute shell scripts ?
    None
    Someone will always find a way around your "configuration". The best response? Enforce proper scripting, and proper administration. Don't disable functions that are USEFUL just because you don't know how to look for problems.

    Disabling php functions will cost upset and unhappy clients, meaning money, and poor feedback.
    On the other side, running php with proper patches (protection, mailheaders) will not disable most (most) scripts. While this won't "secure" your server, it WILL assist you in getting things to that end, and prevent a LOT of global exploits.
    WHMCS Guru - WHMCS addons, management, support and more.
    WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
    Always looking for Linux, WHMCS, Support Desk work. PM for details

  13. #13
    Quote Originally Posted by bear
    Links removed. Really not a good idea to do this, there are some folks that read forums that aren't very nice and may do you harm.
    I would highly suggest you change the file name or remove these from your server before something bad happens...
    Thank you bear ! but those link aren't mine !
    those are a sample in the web that show how does they work !

    Dear SecureServerTech ! thank you for your help and your good link ( gotroot.com ) .

    I don't want to change safe_mode to on ! because of some portals wouldn't work .
    I try to disable it in my website by htaccess .
    how can I check safe_mode is enable in my host ?
    --Nick--

  14. #14
    Join Date
    May 2002
    Location
    Kingston, Ontario
    Posts
    1,573
    Upload a phpinfo page and check for safe_mode - it will tell you whether it's on or not. I also agree with linux-tech on this, disabling php functions isn't a solution and will break production servers more than help them because of lack of poor admin skills to tackle the problem at hand.

    Why not just disable PHP altogether if you're going to disable half the functions for it
    Upload Guardian 2 - Malicious Upload Scanner - Windows and Linux!
    Instantly scan uploaded files
    Get notified when released

  15. #15
    OK ,

    Thanks for your help .

    I enabled safe_mode by htaccess but it show off in phpinfo page yet !
    My technical support say that if you following phpinfo it will show you the result of global php. it will not show the .htaccess result.
    --Nick--

  16. #16
    Join Date
    Jan 2005
    Posts
    231
    > My technical support say that if you following phpinfo it will show you the result of global php. it will not show the .htaccess result.

    That's definitely not true! Put a php file that calls phpinfo under account you need the info. It will show you if safe_mode is enabled or not for that account.

    Also, try
    php_admin_value safe_mode 0
    then
    php_admin_value safe_mode 1
    under your virtualhost or htaccess.
    and run phpinfo for both options.

  17. #17
    I added php_admin_value safe_mode 0 into .htaccess .
    and I get Internal Server Error in browser .

    Your syntax is wrong !
    --Nick--

  18. #18
    php_admin_flag name on|off

    Used to set a boolean configuration directive. This can not be used in .htaccess files. Any directive type set with php_admin_flag can not be overridden by .htaccess or virtualhost directives.

    refer : http://us2.php.net/configuration.changes
    --Nick--

  19. #19
    Join Date
    Oct 2006
    Location
    uk
    Posts
    448
    safe mode isn't that safe btw

  20. #20
    Join Date
    Jan 2005
    Posts
    231
    Add this rule under virtualhost then, it will work for sure.

  21. #21
    Quote Originally Posted by mtrc
    Add this rule under virtualhost then, it will work for sure.
    php_admin_flag name on|off

    Used to set a boolean configuration directive. This can not be used in .htaccess files. Any directive type set with php_admin_flag can not be overridden by .htaccess or virtualhost directives.

    Could you explain more ?
    --Nick--

  22. #22
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    are you using phpsuexec?
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  23. #23
    are you using phpsuexec? NO
    --Nick--

  24. #24
    Join Date
    Nov 2004
    Location
    Australia
    Posts
    1,683
    I'd recommend using phpsuexec, it will make your server a lot more secure. If you're not sure how to switch over, hire someone to do it for you. The main problem is making sure you correct script and directory ownerships after changing over.
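
Added example, not written by any poster in this thread: a small Python audit of the two settings discussed above. It reports which of the command-execution functions named in posts #2 and #5 are missing from `disable_functions` (plus `display_errors` and `open_basedir`), and it finds `php_admin_*` lines in an .htaccess file, which post #18 notes are not allowed there. The function names in the script and both sample inputs are constructed for illustration.

```python
import re

# Command-execution functions that appear in the thread's disable_functions lists.
EXEC_FUNCS = {"system", "exec", "shell_exec", "passthru", "popen",
              "proc_open", "pcntl_exec", "dl"}

def parse_ini(text):
    """Return {directive: value} from php.ini text; the last assignment wins."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "[")) or "=" not in line:
            continue  # skip blanks, full-line comments, section headers
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings

def audit_php_ini(text):
    """List the hardening gaps found in php.ini text."""
    s = parse_ini(text)
    disabled = {f.strip().lower()
                for f in s.get("disable_functions", "").split(",") if f.strip()}
    findings = [f"{f} not in disable_functions"
                for f in sorted(EXEC_FUNCS - disabled)]
    if s.get("display_errors", "").lower() in ("1", "on", "true", "yes"):
        findings.append("display_errors is on")
    if not s.get("open_basedir"):
        findings.append("open_basedir is not set")
    return findings

def htaccess_admin_directives(text):
    """Return (line number, line) for php_admin_value/php_admin_flag lines."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if re.match(r"\s*php_admin_(value|flag)\b", line, re.I)]

# Constructed sample inputs (not taken from any real server).
SAMPLE_INI = """[PHP]
; constructed sample
disable_functions = exec, system, passthru, shell_exec, proc_open
display_errors = On
"""
SAMPLE_HTACCESS = """# constructed sample
php_admin_value safe_mode 0
php_flag display_errors off
"""

if __name__ == "__main__":
    for finding in audit_php_ini(SAMPLE_INI):
        print("php.ini:", finding)
    for lineno, line in htaccess_admin_directives(SAMPLE_HTACCESS):
        print(f".htaccess line {lineno}: move to the vhost config: {line}")
```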
