I'm simulating hacked website - I have uploaded one php script that calls shell function in one of my websites that I host on my server. I have shell in browser and I can list root directory / and I can surf and read various files. suPHP and suEXEC are enabled in cPanel. I can probably circumvent this by enabling open_basedir tweak BUT I don't think this is going to solve the problem in a case of hacked web ie. attacker can upload php.ini file with custom open_basedir variable in php.ini file so there is no point in that. Is there some kind of another solution for this?