The Community Forums


hack with a php script

Discussion in 'General Discussion' started by hmos11, Aug 13, 2005.

  1. hmos11

    hmos11 Member

    Joined:
    Apr 30, 2005
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    Hi,

    One of my customers notified me that he can browse the server hard disk; he also sent me some DB passwords for my website that were stored in a PHP file, which showed me he is right.

    Also, before this, in Server Setup =>> Tweak Security
    I enabled: php open_basedir Protection and mod_userdir Protection.

    For now I block ls, dir, echo, cat and some other commands.

    What's the problem?
    Why can he view all files with any group permission?
    Is it a security hole?
     
  2. IberHosting

    IberHosting Well-Known Member

    Joined:
    Jun 1, 2005
    Messages:
    124
    Likes Received:
    0
    Trophy Points:
    16
    Turn PHP safe mode on, and disable some PHP functions in the php.ini file.

    I have:

    disable_functions = system, exec, shell_exec, passthru, pcntl_exec, putenv, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, popen, pclose, set_time_limit, ini_alter, virtual, openlog, escapeshellcmd
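    As an added illustration (not part of this thread or of cPanel), here is a small POSIX shell audit that reads a php.ini and reports which of the process-spawning functions listed in the post above are still allowed, and whether open_basedir is set at all. The baseline list is taken from that post; the php.ini path and the sample file are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): audit a php.ini for the
# process-spawning functions the post above disables, and report
# any that are still allowed. Paths and the sample ini are assumptions.

# Baseline drawn from the disable_functions line in the post above.
BASELINE="system exec shell_exec passthru pcntl_exec putenv proc_close \
proc_get_status proc_nice proc_open proc_terminate popen pclose \
set_time_limit ini_alter virtual openlog escapeshellcmd"

# Print the effective value of an ini directive from a php.ini file:
# the last uncommented "key = value" line wins, as it does in PHP.
# Lines starting with ';' are comments and are skipped by the pattern.
ini_value() {
    # $1 = php.ini path, $2 = directive name
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Print, one per line, the baseline functions missing from disable_functions.
missing_disabled() {
    # $1 = php.ini path
    disabled=$(ini_value "$1" disable_functions | tr ',' ' ')
    for fn in $BASELINE; do
        found=0
        for d in $disabled; do
            [ "$d" = "$fn" ] && found=1
        done
        [ "$found" -eq 0 ] && echo "$fn"
    done
    return 0
}

# Exit 0 if open_basedir has a value, 1 if it is empty or absent
# (empty means a script may read any path the web server user can).
open_basedir_set() {
    # $1 = php.ini path
    [ -n "$(ini_value "$1" open_basedir)" ]
}

# Constructed sample php.ini for a stand-alone run.
SAMPLE_INI=$(mktemp)
cat > "$SAMPLE_INI" <<'EOF'
; constructed sample, not a real server config
safe_mode = On
;disable_functions = exec
disable_functions = system, exec, shell_exec, passthru, popen, pclose
open_basedir =
EOF

echo "Functions still enabled:"
missing_disabled "$SAMPLE_INI"
if open_basedir_set "$SAMPLE_INI"; then
    echo "open_basedir: set"
else
    echo "open_basedir: NOT set"
fi
rm -f "$SAMPLE_INI"
```

    Run it against the real php.ini on the server (for example `missing_disabled /usr/local/lib/php.ini`, path assumed) after editing; a commented-out `;disable_functions` line is ignored, which is a common reason a "disabled" function still works.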
     
  3. fred123123

    fred123123 Well-Known Member

    Joined:
    Jul 23, 2005
    Messages:
    74
    Likes Received:
    0
    Trophy Points:
    6
    Why don't you check the PHP file used to "hack" you?

    Your user seems to be a good guy since he told you. Ask him to give you as much info as he can...

    Also, install mod_sec ... and disable PHP commands like IberHosting said.
     
  4. IberHosting

    IberHosting Well-Known Member

    Joined:
    Jun 1, 2005
    Messages:
    124
    Likes Received:
    0
    Trophy Points:
    16
  5. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    And bear in mind that after doing this, they still may well be able to browse the sites anyway using perl scripts. One of the better ways to prevent this type of thing is to:

    1. Use phpsuexec

    2. Use /scripts/enablefileprotect

    But, basically, this is one of the many issues you live with in a shared web hosting environment and why you should be very careful in what passwords you store in files, especially php scripts and those connecting to MySQL databases. Another reason why you should never store sensitive information anywhere in a web hosting account.
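    The permission problem behind this thread (another account's PHP or Perl script reading a config file because it is world-readable) can be checked directly. The following POSIX shell script is an added example, not something from the thread or from cPanel's /scripts/enablefileprotect; it lists files under a home directory that carry the "other read" bit and shows what removing that bit looks like. The directory layout and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): audit a home directory for files
# that any other local account can read, which is how a script running as
# another user reads a DB password out of a .php file. Paths are assumptions.

# Print files under $1 whose mode includes the o+r bit (octal 004).
world_readable_files() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# Number of such files, for a quick pass/fail check.
world_readable_count() {
    find "$1" -type f -perm -004 2>/dev/null | wc -l | tr -d ' '
}

# Drop the "other" read bit from every world-readable file under $1.
# Caveat: with PHP running as the web server user ("nobody"), files it
# must read cannot be 0600; under phpsuexec/suexec PHP runs as the account
# owner, which is what makes 0600 config files workable.
protect_files() {
    find "$1" -type f -perm -004 -exec chmod o-r {} + 2>/dev/null
}

# Constructed demo tree for a stand-alone run.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/public_html"
printf '<?php $db_pass = "example-only";\n' > "$DEMO/public_html/config.php"
printf 'hello\n' > "$DEMO/public_html/index.html"
printf 'private\n' > "$DEMO/.my.cnf"
chmod 644 "$DEMO/public_html/config.php" "$DEMO/public_html/index.html"
chmod 600 "$DEMO/.my.cnf"

echo "World-readable before:"
world_readable_files "$DEMO"
protect_files "$DEMO"
echo "World-readable after: $(world_readable_count "$DEMO")"
rm -rf "$DEMO"
```

    On a real server run `world_readable_files /home/username` (path assumed) as an audit first; whether you can safely run the protect step depends on whether PHP executes as the account owner, as the caveat in the script notes.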
     
  6. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    Addressing security issues is one of those cases where "an ounce of prevention is worth a pound of cure." A hacker could do untold damage if they get into your system or network. And because hackers learn their trade in underground electronic communities, if one finds a way into your system you can bet that they'll let everyone else know about it.

    Hackers won't hesitate a second to use whatever means to find their way into your server to steal confidential data (personal information, credit card numbers, etc.) that you maintain for your clients or customers. Their tools, including worms or Trojans, could be planted on your server to send out passwords or other sensitive information to a waiting sniffer. The risks are many and the consequences could threaten the very existence of your company.
     
  7. rpmws

    rpmws Well-Known Member

    Joined:
    Aug 14, 2001
    Messages:
    1,824
    Likes Received:
    5
    Trophy Points:
    38
    Location:
    back woods of NC, USA
    It's hard enough to keep people from outside getting in. The real users you give access to really have to be trusted somewhat, but you have to watch them also. Try to screen prior to signup and do your best to watch the new ones if you can. Once they are in, it's really somewhat of an honor system.
     
  8. PWSowner

    PWSowner Well-Known Member

    Joined:
    Nov 10, 2001
    Messages:
    2,948
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    ON, Canada
    That's what I put my "Monitor Changes script" together for. ;)
     