php.ini security problem

Discussion in 'Security' started by mnmhm2004, Oct 25, 2008.

  1. mnmhm2004

    mnmhm2004 Member

    Hi

    I have a big big problem!

    I have a server with many domains.

    One of the domains was hacked: the hacker uploaded a "php shell" file, made a php.ini in my client's account and disabled safe_mode (safe_mode=off).

    So he got access to the tmp dir and uploaded a backdoor file.

    csf alerted me:

    File: /tmp/bds
    Reason: Binary executable
    Action: No action taken

    I deleted the file,
    but I want to prevent this kind of disabling of safe_mode.

    My config:

    php 5.2.6 & apache 2.2.9

    PHP 5 Handler: suphp
    Apache suEXEC: on

    Some of my PHP config:

    safe_mode = On

    open_basedir = "/home:/home2:/usr/lib/php:/usr/local/lib/php:/tmp"

    disable_functions = "dl, exec, shell_exec, system, passthru, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, escapeshellcmd, escapeshellarg, show_source, posix_access, posix ext, ftok, proc_open, allow_url_fopen, phpinfo"

    include_path = ".:/usr/lib/php:/usr/local/lib/php:/home:/home2:/tmp"

    Any help?
    All comments appreciated.

    Thanks in advance
     
  2. DaveUsedToWorkHere

    DaveUsedToWorkHere Well-Known Member

    You should run /scripts/easyapache or Apache update through WHM and choose 'Safe PHP CGI' under the 'Exhaustive Options' list. This will prevent users from overriding php.ini.

    Also, I'd recommend running /scripts/securetmp to make sure your /tmp partition is mounted nosetuid,noexec.

    Do you see any evidence that the attack has gained access above account level?
     
  3. mnmhm2004

    mnmhm2004 Member

    Thanks cpaneldave for your post, I really appreciate it
    :)

    As for "Safe PHP CGI": if I enable this option, how can my users turn off some PHP variables like register_globals, etc.?

    As for the attacker, I think he just uploaded a backdoor to the tmp folder.
    I secured the tmp folder with /scripts/securetmp.

    Thanks again
     
  4. DaveUsedToWorkHere

    DaveUsedToWorkHere Well-Known Member

    All these options will have to be configured in the system php.ini.

    I'm unaware of a way to prevent php.ini overrides per user but also give them specific options.
     
  5. mnmhm2004

    mnmhm2004 Member

    Thanks a lot for your reply.

    Is there any way to change the php.ini setting for one account only (one user)?

    Thanks
     
  6. mnmhm2004

    mnmhm2004 Member

    Hi,
    I rebuilt Apache with "Safe PHP CGI" enabled,
    but this did not solve my problem.

    Still, if a hacker makes a php.ini file that disables safe_mode,
    it disables all the PHP config?

    Any ideas?

    Thanks in advance
     
  7. DaveUsedToWorkHere

    DaveUsedToWorkHere Well-Known Member

    You need access to the filesystem to add a php.ini file. One that is added inside the user's home directory will only affect their account.


    After enabling SAFE PHP CGI, you're still able to add php.ini settings in a user's .htaccess or php.ini?

    If so, please submit a support request so we can see why this is happening. See my signature for the link.
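
An audit sketch for the two checks discussed in this thread, added here as an example and not posted by any participant: it lists per-account php.ini files that set safe_mode, open_basedir or disable_functions, and tests whether a mount point carries both noexec and nosuid. The function names, the script name in the usage comment and the sample tree built by make_sample are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and sample data are constructed.

# list_ini_overrides ROOT
# Print "path: directive = value" for every php.ini under ROOT that sets one of the
# policy directives quoted in the thread (safe_mode, open_basedir, disable_functions).
list_ini_overrides() {
    find "$1" -type f -name php.ini 2>/dev/null | while IFS= read -r ini; do
        # The pattern is anchored, so ';' comment lines and safe_mode_gid never match.
        # An empty value is reported too: an empty disable_functions disables nothing.
        awk -v f="$ini" '
            /^[ \t]*(safe_mode|open_basedir|disable_functions)[ \t]*=/ {
                key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t\r]+$/, "", val)
                printf "%s: %s = %s\n", f, key, val
            }' "$ini"
    done
}

# mount_has_flags MOUNTS_FILE MOUNT_POINT
# Succeed only if MOUNT_POINT carries both noexec and nosuid (the last entry wins).
# /proc/mounts spells the "nosetuid" flag mentioned in the thread as nosuid.
mount_has_flags() {
    opts=$(awk -v mp="$2" '$2 == mp { o = $4 } END { print o }' "$1")
    case ",$opts," in *,noexec,*) ;; *) return 1 ;; esac
    case ",$opts," in *,nosuid,*) ;; *) return 1 ;; esac
}

# make_sample DIR: build a constructed home tree and mounts file for a dry run.
make_sample() {
    mkdir -p "$1/home/alice/public_html" "$1/home/bob/public_html"
    printf '; constructed sample\nsafe_mode = Off\ndisable_functions =\n' \
        > "$1/home/alice/public_html/php.ini"
    printf 'register_globals = Off\n' > "$1/home/bob/public_html/php.ini"
    printf '%s\n' '/dev/sda1 / ext3 rw 0 0' \
        '/dev/loop0 /tmp ext3 rw,nosuid,noexec 0 0' \
        '/dev/sda5 /var/tmp ext3 rw 0 0' > "$1/mounts"
}

# Usage: sh audit.sh /home   (scans real accounts and checks the live /tmp mount)
if [ "$#" -ge 1 ]; then
    list_ini_overrides "$1"
    mount_has_flags /proc/mounts /tmp || echo "/tmp is not mounted noexec,nosuid"
fi
```

A php.ini that only sets unrelated directives, such as register_globals, produces no output, so every line printed points at an account whose file touches the server-wide policy.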
     