php script that traverses the disk and damages all 777 directories
Posted by tkalfaoglu, 03-04-2010, 10:15 AM
It seems that someone has uploaded a script that crawls the disk, and replaces/inserts an index.html/php into all the directories it can, damaging many hostings on the same server and displaying a message of their liking.
While I search for the culprit, does anyone have any ways to prevent such things from happening in the future?
thanks, -t
Posted by madaboutlinux, 03-04-2010, 10:28 AM
Looks like your server is pretty open to any sort of attack. You need to perform quite a few changes on the server, and the most important is to enable SuPHP.
1. Enable SuPHP... you won't have to keep 777 permissions for files and directories, i.e. world-writable permissions are disabled...
2. Disable PHP functions which are used to execute server-wide commands.
3. Enable Mod Security.
4. Secure /tmp and /dev/shm.
5. Make sure the kernel is a stable one.
BTW, such scripts are mostly uploaded under /tmp and are executed from there. Look at /tmp and /dev/shm to see if you find any suspicious files there.
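As an added example (not code from the thread or from any of its posters), the two checks madaboutlinux points at can be scripted: list directories that are world-writable without the sticky bit (the "777" directories the index.html-dropping script abused), and list files recently dropped into /tmp or /dev/shm so they can be inspected without being executed. The paths in the usage comments are placeholders for the host's own docroots.

```shell
#!/bin/sh
# Added example, not from the thread: POSIX shell helpers to audit the two
# things the reply above tells the poster to look at.

# Print every directory under $1 that is world-writable (other-write bit set)
# and lacks the sticky bit. A 1777 directory such as /tmp is expected; a plain
# 777 docroot or upload directory is what a disk-crawling dropper can write to.
find_world_writable_dirs() {
    root=$1
    find "$root" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Number of such directories, so a cron job can alert when it is non-zero.
count_world_writable_dirs() {
    find_world_writable_dirs "$1" | wc -l | tr -d ' '
}

# Print regular files under $1 modified in the last $2 minutes (default 60).
# Run against /tmp and /dev/shm: PHP or shell files there are rarely legitimate
# on a hosting box.
recent_files_in() {
    dir=$1
    minutes=${2:-60}
    find "$dir" -type f -mmin "-$minutes" 2>/dev/null | sort
}

# Show mode and the first three lines of each recent file so the admin can
# judge it without running it.
preview_recent_files() {
    recent_files_in "$@" | while IFS= read -r f; do
        printf '== %s (%s)\n' "$f" "$(ls -ld "$f" | cut -d' ' -f1)"
        head -n 3 "$f"
    done
}

# Stand-alone usage with placeholder paths:
#   find_world_writable_dirs /home
#   preview_recent_files /tmp 120
#   preview_recent_files /dev/shm 120
```

Running `find_world_writable_dirs` over the account docroots before and after enabling SuPHP shows whether the 777 directories were actually removed; a non-empty result is the list of places a dropper can still write.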
Posted by ksv2nash, 03-04-2010, 10:34 AM
Hello,
For that, first you have to do PHP hardening. Under this you have to:
Turn on safe_mode
Disable dangerous PHP functions:
disable_functions = dl,system,exec,passthru,shell_exec
Posted by tkalfaoglu, 03-04-2010, 11:54 AM
Bingo, it was indeed the /tmp --- I had not been able to harden tmp due to some problems with some installed software. Well, today I have no choice, because someone uploaded something nasty there. I nuked the nasty and made /tmp and /var/tmp and /dev/shm non-executable.
Oh yes, safe mode is now on too.
Many thanks, -turgut
Posted by madaboutlinux, 03-04-2010, 02:26 PM
Glad to know you found the script, but it's not fully solved yet unless you make the above-mentioned changes.
Also, just an FYI: even though you secure /tmp with noexec,nosuid, it is still possible to execute files under it, so it's better to perform all the necessary security settings now rather than wait for another hack attempt.
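As an added example (not code from the thread or from any of its posters), here is a small audit for the two settings the replies converge on: ksv2nash's disable_functions list in php.ini and the noexec,nosuid,nodev options on /tmp, /var/tmp and /dev/shm that the poster mounted. Both checks share one helper that reports which entries of a required list are absent from a comma-separated value. The php.ini and mounts file are passed as arguments so the script can be run against saved copies; the paths in the usage comments are the usual defaults and are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit disable_functions and temp-mount
# options against the values recommended in the replies above.

# Required sets. The function list is the one ksv2nash posted; the mount
# options and mount points are the ones named in the thread.
REQ_FUNCS="dl,system,exec,passthru,shell_exec"
REQ_MOUNT_OPTS="noexec,nosuid,nodev"
TMP_MOUNTS="/tmp /var/tmp /dev/shm"

# missing_from REQUIRED PRESENT: print the comma-joined entries of REQUIRED
# (comma-separated) that do not appear in PRESENT (comma-separated, spaces
# tolerated). Prints nothing when every required entry is present.
missing_from() {
    have=",$(printf '%s' "$2" | tr -d ' '),"
    out=""
    oldifs=$IFS; IFS=,
    for item in $1; do
        case $have in
            *",$item,"*) ;;
            *) out="${out:+$out,}$item" ;;
        esac
    done
    IFS=$oldifs
    printf '%s' "$out"
}

# disable_functions value from php.ini file $1; empty if unset. Lines starting
# with ';' are comments and are ignored.
php_disabled_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# check_php_ini FILE: "disable_functions ok" or "disable_functions missing:a,b";
# non-zero exit when something required is not disabled.
check_php_ini() {
    missing=$(missing_from "$REQ_FUNCS" "$(php_disabled_functions "$1")")
    if [ -n "$missing" ]; then
        echo "disable_functions missing:$missing"; return 1
    fi
    echo "disable_functions ok"
}

# Options column for mount point $2 in a /proc/mounts-format file $1.
mount_opts() {
    awk -v mp="$2" '$2 == mp { print $4; exit }' "$1"
}

# check_tmp_mounts FILE: one line per temp directory; non-zero exit if any is
# not a separate mount or lacks a required option.
check_tmp_mounts() {
    rc=0
    for mp in $TMP_MOUNTS; do
        opts=$(mount_opts "$1" "$mp")
        if [ -z "$opts" ]; then
            echo "$mp not-mounted"; rc=1; continue
        fi
        missing=$(missing_from "$REQ_MOUNT_OPTS" "$opts")
        if [ -n "$missing" ]; then
            echo "$mp missing:$missing"; rc=1
        else
            echo "$mp ok"
        fi
    done
    return $rc
}

# Live usage (assumed default paths; adjust for the host):
#   check_php_ini /etc/php.ini
#   check_tmp_mounts /proc/mounts
```

Both functions exit non-zero on any gap, so they can run from cron and page on failure. As the last reply notes, noexec on /tmp only limits direct execution; the interpreter-side controls (disable_functions, SuPHP) are what keep a dropped script from doing damage, which is why the script checks both.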