Preventing PHP Injection

Discussion in 'General Discussion' started by cdick@ocis.net, Oct 18, 2008.

  1. cdick@ocis.net

    Yo dudes,

    Recently we've been having issues on our cPanel box with people running old or outdated versions of PostNuke or similar PHP applications that have been found to have PHP injection exploits.

    Of course, I've done all the typical security stuff like mounting temp directories noexec nosuid, blocking user "nobody" from compiling and wgetting, etc., but that doesn't deter these foreign children from hacking these sites and just running Perl scripts. Of course, I have a setup in place that checks all the processes running as nobody against a list of whitelisted procs (httpd, proftpd, etc.) but it still ends up alerting me, sometimes at midnight.

    Is there anything I've missed? I thought about making /usr/bin/perl unexecutable by nobody, but I figure that will break all Perl CGI on the box.

    Can anyone suggest anything? I can always clean this attack up, but only after it happens. I've taken to chmod 000'ing any vulnerable script as soon as it's exploited as well, so it can't be exploited again. This breaks the user's script, of course, but as far as I'm concerned, that's not really my problem :)


    I'm hoping there's something simple that I missed.

    My unending thanks go out to all of you.
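
The check described in the post above (processes owned by nobody compared against a whitelist), as an added example that is not part of the original post or the poster's own script. The `ps` field layout, the function names and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag processes owned by "nobody" whose command is not allowlisted.
# ALLOWED is an assumed allowlist; httpd and proftpd are the names given in the post.
ALLOWED="httpd proftpd"

# Reads "user pid comm args..." lines on stdin and prints "pid comm args" for
# every process owned by user $1 whose command name is not in allowlist $2.
# Assumes command names contain no spaces.
find_unlisted() {
    awk -v user="$1" -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == user {
            comm = $3
            sub(/^.*\//, "", comm)        # compare on the basename only
            if (!(comm in ok)) {
                line = $2 " " comm
                for (i = 4; i <= NF; i++) line = line " " $i
                print line
            }
        }'
}

# Constructed sample input, not real output from any server.
sample_ps() {
    cat <<'EOF'
root      1201 httpd /usr/local/apache/bin/httpd -k start
nobody    1340 httpd /usr/local/apache/bin/httpd -k start
nobody    1398 proftpd proftpd: (accepting connections)
nobody    2077 perl perl /tmp/constructed-example.pl
nobody    2101 sh sh -c sleep 60
cdick     2200 perl perl /home/cdick/report.pl
EOF
}

# Live use, e.g. from cron:
#   ps -eo user= -o pid= -o comm= -o args= | find_unlisted nobody "$ALLOWED"
if [ "${1:-}" = "--demo" ]; then
    sample_ps | find_unlisted nobody "$ALLOWED"
fi
```

A process can choose its own command name, so an allowlisted name is a weak signal; confirming the executable behind each PID through `/proc/<pid>/exe` makes the check harder to evade.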
     
  2. rhenderson

    We have been using mod_security to stop php injection.
     
  3. dave9000

    Mod_security will stop the injections if you set your rules up correctly. There are multiple sites that have rule sets available for free to use. You just copy them into your mod_security rule set, but you will need to check your sites closely to make sure you didn't break some of the pages.

    Here is a relatively complete set. We use parts of them, as the complete set breaks some of our sites.

    http://www.gotroot.com/tiki-index.php?page=mod_security+rules
     