stop specific PHP code from executing?
Posted by jaymef, 10-01-2008, 05:30 PM
Recently a server I manage has been hit with some sort of PHP hack. A PHP file is being uploaded with a randomly generated file name to a randomly generated directory name. From what I can tell the PHP script is called by the attacker through a browser and it is used to inject spam links/JavaScript exploits into index files. I removed all affected files as well as the source PHP files that were uploaded.
What I want is to be able to check for this in the future. It would be great if I could somehow kill any PHP script trying to execute this certain code. Is there any way that this can be done? Would mod_security work? The server is a typical LAMP configuration.
Here is the code in question, any suggestions on how I can possibly prevent it from being executed in the future would be appreciated:
Last edited by jaymef; 10-01-2008 at 05:38 PM.
Posted by The Universes, 10-01-2008, 10:59 PM
Yes, you can use mod_security to prevent some of these attacks, depending on the attack vector, but the more important thing to do is to secure the scripts that are allowing this.
Posted by JulesR, 10-02-2008, 04:46 PM
I notice the above PHP code utilises system calls:
I'm going to mention something extremely controversial around these parts, and that is that you look into disabling system calls via the 'disable_functions' option of PHP.
Before the inevitable backlash from the "disabling functions causes more harm and inconvenience than good" protestor(s), the entire "argument" is a matter of personal preference and should always involve your OWN research before making a decision. My recommendation to get an instant layer of protection against this attack, without a fair amount of work reconfiguring your system and creating your own custom rules, is to disable the system function of PHP.
Posted by activelobby4u, 10-02-2008, 06:04 PM
exec, system, shell_exec, passthru >> those are the bare minimum to disable in PHP.
Posted by Tim Greer, 10-03-2008, 12:47 AM
I would agree about disabling exec, sys calls, particular functions most users don't use, implement mod_security and other things to limit, restrict, control and protect (and you can allow, in a controlled manner, per user after the fact in a safe way, so no user sites are adversely affected), but ultimately if the script isn't secure, there will be too many ways someone can exploit a weakness. Insecure code in a script can't always be overcome unless that script's issue is resolved, so take measures as well as locating the scripts being exploited, and ultimately do both, to help prevent weak scripts from being abused in the future and to resolve any known issues with existing scripts.
Posted by Sheps, 10-03-2008, 07:54 AM
I would like to point out, that while disabling system calls is great, if the code was properly sanitized, you would not have this sort of issue in the first place.
Posted by Tim Greer, 10-03-2008, 04:36 PM
That's true of a lot of things, I agree, that's the basis of the problem in almost all cases, but with servers that hold shared, reseller clients, etc., where you can't know if their code is secure, or if they use secure scripts, it's sometimes a good idea to disable the commonly exploitable functions and enable them on a case by case basis for the users that need/want them, who are more knowledgeable about the scripts they use, since most users might not ever be using such functions, for example. The same with a lot of things, of course, not just scripts, but no doubt that it's the heart of most problems.
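As an added example (not code from anyone in this thread), a short Python audit script that covers two points raised above: it flags PHP files under a web root that call the four functions activelobby4u lists, which helps with locating scripts like the uploaded ones jaymef describes, and it reports which of those functions a given disable_functions value still leaves enabled. The web root it scans is a constructed sample built in a temporary directory, and the regex match is a rough indicator rather than a PHP parser.

```python
import re
import tempfile
from pathlib import Path

# The functions the thread recommends disabling via disable_functions in php.ini.
SHELL_FUNCS = ("exec", "system", "shell_exec", "passthru")

# A bare call such as `system(` or `shell_exec (`; the lookbehind skips variables
# like `$system` and differently named functions like `my_exec(`.
CALL_RE = re.compile(r"(?<![\w$])(" + "|".join(SHELL_FUNCS) + r")\s*\(", re.IGNORECASE)


def scan_php_tree(root):
    """Return {relative_path: [shell functions called]} for every .php file under root."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        found = {m.group(1).lower() for m in CALL_RE.finditer(text)}
        if found:
            hits[path.relative_to(root).as_posix()] = sorted(found)
    return hits


def missing_from_disable_functions(ini_value):
    """Given a php.ini disable_functions value, return which of SHELL_FUNCS are still enabled."""
    disabled = {f.strip().lower() for f in ini_value.split(",") if f.strip()}
    return [f for f in SHELL_FUNCS if f not in disabled]


def build_sample_tree(root):
    """Write a small constructed web root for the demo (hypothetical files, not real attacker code)."""
    samples = {
        "index.php": '<?php echo "hello"; $system = 1; // the word exec in a comment\n',
        "lib/util.php": "<?php function my_exec($c) { return $c; }\n",
        "xk3j/a8f1.php": '<?php passthru("ls -l"); shell_exec ( "uptime" );\n',
        "cache/tmp9.php": "<?php system('id');\n",
    }
    for rel, body in samples.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        for rel, funcs in sorted(scan_php_tree(d).items()):
            print(f"{rel}: {', '.join(funcs)}")
        print("still enabled:", missing_from_disable_functions("exec,system"))
```

Run it against a real web root by calling scan_php_tree on that path instead of the sample; files in oddly named directories that show up here are the ones worth reviewing first.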