Hello,

On 9 December 2003 at 12:58, Jose de Paula Eufrásio Junior wrote:
I got a defacing in my domains this weekend. They used a php shell to run some processes in the machine and replace all index.(html|shtml|php). They changed my users password too, and left a process in the /tmp dir running on port 80.
This doesn't sound like things that will run in safe mode ;-)
The thing is, if I turn on PHP Safe Mode, webmail and applications stop working (includes and execs).
This could have several reasons - see features.safe-mode.php in php documentation for details. Are there any warning messages inside your scripts (when you view them in a browser) or entries in /var/log/httpd/error.log?
Is there some way to secure PHP and not lose half of its functionality?
- use the open_basedir setting to restrict access to a given directory (i.e. the docroot). This can also be done per directory or per virtual host (see below)

- set open_basedir and/or safe_mode per directory or per virtual host. Set up your PHP "secure" and then add to your httpd.conf

    <Directory /these/scripts/hate/safemode>
        php_admin_value safe_mode 0
        php_admin_value open_basedir "/"
    </Directory>

  to disable safemode and open_basedir for a specific directory.

- disable register_globals (and only enable it per directory if really necessary):

    php_value register_globals 1

  This can also be done in a .htaccess, but requires AllowOverride Options (if the comment on php.net is correct ;-)
  Note: If you are running Confixx, register_globals for the Confixx directory is required :-(

- if you have multiple users on your server, maybe using php as CGI (with Apache suExec) would be an option, but it has some disadvantages and some scripts won't run in CGI mode without modification [1]

BTW:
gpgkeys: key BAEC7E8407DF65FB not found on keyserver
(Or is it just a problem with my keyserver?)
Regards

Christian Boltz

[1] Problems may occur with
- header() (different syntax when setting HTTP status codes)
- PHP scripts used as "directories", i.e. index.php/param1/param2 (I like this way to pass parameters, but with CGI version it requires additional mod_rewrite rules :-( )
- other functions I didn't have problems with yet ;-)

-- 
[ACPI] You can configure your power button there however you want. You can even configure it so that the PC starts to sing ... [Ekkard Gerlach in suse-linux]
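
An audit for the per-directory exceptions described in the reply above, as an added example that is not part of the original mail: it walks an httpd.conf and reports every scope where safe_mode, open_basedir or register_globals is relaxed. The sample configuration, the paths other than /these/scripts/hate/safemode, and the function name `audit` are assumptions made for illustration.

```python
import re

# Constructed sample httpd.conf fragment (not from the original mail): a locked-down
# virtual host plus per-directory exceptions of the kind the reply describes.
SAMPLE_CONF = '''
<VirtualHost *:80>
    DocumentRoot /srv/www/example
    php_admin_value safe_mode 1
    php_admin_value open_basedir "/srv/www/example"
    <Directory /these/scripts/hate/safemode>
        php_admin_value safe_mode 0
        php_admin_value open_basedir "/"
    </Directory>
    <Directory /srv/www/example/legacy>
        php_value register_globals 1
    </Directory>
</VirtualHost>
'''

OPEN = re.compile(r'<(Directory|VirtualHost)\s+"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r'</(Directory|VirtualHost)\s*>', re.I)
DIRECTIVE = re.compile(r'php_(?:admin_)?(?:value|flag)\s+(\S+)\s+"?([^"\s]+)"?', re.I)

# Values that switch a restriction off ("none" clears a previously set php value).
RELAXED = {"safe_mode": {"0", "off"},
           "open_basedir": {"/", "none"},
           "register_globals": {"1", "on"}}

def audit(conf_text):
    """Return (scope, setting, value) for each directive that relaxes PHP hardening."""
    findings, scope = [], ["<server>"]
    for raw in conf_text.splitlines():
        line = raw.strip()
        if (m := OPEN.match(line)):
            scope.append(f"{m.group(1)} {m.group(2)}")   # entering a nested section
        elif CLOSE.match(line) and len(scope) > 1:
            scope.pop()                                   # leaving it again
        elif (m := DIRECTIVE.match(line)):
            name, value = m.group(1).lower(), m.group(2)
            if value.lower() in RELAXED.get(name, ()):
                findings.append((scope[-1], name, value))
    return findings

if __name__ == "__main__":
    for scope, name, value in audit(SAMPLE_CONF):
        print(f"{scope}: {name} = {value}")
```

Each reported scope is a directory whose scripts run without the server-wide restriction, so the list doubles as a review queue for the exceptions that were granted.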