PHP.Shell-38 Found

yatinthakur · Sep 29, 2014

Hello

While daily server scan I found some files with result : PHP.Shell-38 found . When I tested those file found its very risky.

How can I prevent user for accessing/uploading these types for files

I found that by setting shell_exec in php.ini will stop access those file. but as I am having suphp on server , users can override rule by creating own php.ini in their account.

There mus be some way to block it but how ?

PlotHost · Sep 30, 2014

yatinthakur said:
How can I prevent user for accessing/uploading these types for files

By using something like ConfigServer eXploit Scanner (cxs)

yatinthakur said:
I found that by setting shell_exec in php.ini will stop access those file. but as I am having suphp on server , users can override rule by creating own php.ini in their account.

There mus be some way to block it but how ?

Read here http://forums.cpanel.net/f185/metho...ricting-who-can-use-php-ini-files-167186.html

cPanelMichael · Sep 30, 2014

Hello

Yes, as mentioned in the previous post, the following thread provides information on how to restrict users from modifying the php.ini file when suPHP is enabled:

Methods to increase security with suPHP

Thank you.

quizknows · Sep 30, 2014

These files are generally uploaded through old CMS software and/or out-dated CMS plugins. On the domain you found the file on, make sure you update all software (i.e. wordpress, joomla), themes, components, and plugins. Also change the administrator password for the CMS.

You can do all sorts of things to secure your server, but if your customer installs a vulnerable CMS plugin, there is very little you can do to stop it from being hacked, aside from a very good ModSecurity rule set.

24x7server · Oct 1, 2014

Hello,

if you are getting this file in the LMD ( Linux Malware Detect ) scan report, then I will suggest you enable " MODSECURITY2 UPLOAD SCANNING " with the LMD and mod_sec. Please check it at https://www.rfxn.com/appdocs/README.maldetect

yatinthakur · Oct 2, 2014

24x7server said:
Hello,

if you are getting this file in the LMD ( Linux Malware Detect ) scan report, then I will suggest you enable " MODSECURITY2 UPLOAD SCANNING " with the LMD and mod_sec. Please check it at https://www.rfxn.com/appdocs/README.maldetect

Thank you sir..

Its working... ! Cheers !

24x7server · Oct 4, 2014

Hi Dear,

It's nice to hear that your issue has been fixed.

Thread starter	Similar threads	Forum	Replies	Date
C	User killed the server with php-cli. Shell fork bomb protection not working?	Security	3	Oct 26, 2020
	SOLVED Possibly Remove Shell PHP Exploit?	Security	3	Dec 12, 2016
	shell_exec() has been disabled for security reasons in /usr/local/cpanel/whostmgr/.../logger.php	Security	6	Sep 20, 2015
F	SHELL.PHP files founder under many accounts !!!	Security	3	Oct 2, 2013
N	found php shells- how were they uploaded?	Security	6	Mar 25, 2013

Search

Search

PHP.Shell-38 Found

yatinthakur

Member

PlotHost

Well-Known Member

cPanelMichael

Administrator

quizknows

Well-Known Member

24x7server

Well-Known Member

yatinthakur

Member

24x7server

Well-Known Member