Top Line

Member
Jan 16, 2004
Hello

Some accounts were hacked yesterday on our server, and by tracking the hacking method we found the attackers were bypassing the user privileges by this function symlink (it was disabled in /usr/local/lib/php.ini before)
+ and bypassing safe_mode and disabled functions by uploading php.ini with default settings on the user account..

How can we disallow overriding php.ini?

Any help will be appreciated.

Our System
Cent 4.5
Cpanel
Cgi Module (phpsuexec enabled)


Thank you
 

psychodreams

Well-Known Member
Apr 14, 2004
:)

This shouldn't happen. Are you using suexec and Apache compiled with phpsuexec? I've had mine set up like that for years, and sites that got hacked were not able to spread across the server.
 

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
There is some truth to what psychodreams is saying. If you are running PHP as CGI, then PHP scripts aren't executed by a shared username throughout the server, so there's not a lot of damage that can be done to the server, just to that specific account.

That being said, the only way I know to disallow custom php.ini and run PHP as CGI is to use a patched suPHP system. I wrote a guide some time ago for doing a custom suPHP install on a cPanel server:

http://www.spareknet.org/howtos/suphp.php

I believe cPanel has since begun including suPHP into their new easyapache3 system, although I think it is only for Apache2. The guide I wrote only applies to Apache 1.3 and to suPHP 0.6.1. Personally, if you are just getting started with this, I might recommend waiting and seeing what the cPanel suPHP does and how it approaches this situation.
 

nitro777

Registered
Apr 6, 2008
Hello,

You just create an empty file: .htaccess

Code:
suPHP_ConfigPath /usr/local/lib/php.ini
This config means the default PHP config is located in the correct path

and make sure to set the attributes so that no change can be made to the .htaccess; only root could set the attributes to allow you to edit that file: .htaccess


and put the .htaccess in the /home/ directory, so that each account cannot create and use another php.ini file in its account directory via the Apache module

thank you :)
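The two pieces of the approach above (pinning suPHP_ConfigPath in a locked .htaccess, and checking whether any account has dropped its own php.ini) as an added shell example that is not from any poster in this thread. It assumes the cPanel /home layout and uses a constructed temporary tree for the demo; chattr +i is only attempted when run as root.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers to pin every account to the
# master /usr/local/lib/php.ini under phpsuexec and to audit account
# directories for user-supplied php.ini files that weaken safe_mode or
# disable_functions (the override the original poster saw).

# Print the .htaccess body that pins all accounts to the master php.ini.
# Argument 1 (optional): path of the master php.ini.
pinning_htaccess() {
    printf 'suPHP_ConfigPath %s\n' "${1:-/usr/local/lib/php.ini}"
}

# Write the pinning .htaccess into the home root ($1) and make it immutable
# with chattr +i so only root can change it. chattr requires root and a
# filesystem that supports the attribute; it is skipped otherwise.
lock_htaccess() {
    ht="$1/.htaccess"
    pinning_htaccess > "$ht"
    if [ "$(id -u)" -eq 0 ]; then
        chattr +i "$ht" 2>/dev/null || echo "warning: chattr +i failed on $ht" >&2
    fi
    return 0
}

# List php.ini files found below the account directories under $1 that
# turn safe_mode off or set an empty disable_functions list. Only those
# files are printed; a php.ini that keeps both restrictions is ignored.
audit_php_ini() {
    root="$1"
    find "$root" -mindepth 2 -name php.ini -type f 2>/dev/null | while read -r ini; do
        if grep -Eiq '^[[:space:]]*safe_mode[[:space:]]*=[[:space:]]*(off|0)' "$ini" \
           || grep -Eiq '^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*$' "$ini"; then
            echo "$ini"
        fi
    done
}
```

Run `audit_php_ini /home` as root to see which accounts currently carry a weakening php.ini; once the .htaccess is in place those files are ignored by suPHP, but they remain a useful indicator of which accounts were tampered with.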