
Web Development Forum

Web security tips and resources

References

Types of attacks

Apache security

PHP security

PHP security tools

PHP configuration changes

Many changes can be made to the default configuration of PHP (mostly in the php.ini file) to enhance its security.

  • Make sure that safe mode is on (safe_mode only exists in PHP 5.3 and earlier: it was deprecated in 5.3 and removed in 5.4, as was register_globals; the rest of this list applies to every version)
  • Check disable_functions and consider adding these functions:
    • system, exec, shell_exec, passthru, error_log, ini_alter, dl, pfsockopen, openlog, syslog, readlink, symlink, link, leak, popen, escapeshellcmd, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, escapeshellarg, pcntl_exec, apache_child_terminate, apache_get_modules, apache_get_version, apache_getenv, apache_note, apache_setenv, virtual, readfile, parse_ini_file, show_source, curl_exec
      Note: be careful disabling functions, because you may break one of your own Web applications (readfile, curl_exec and error_log in particular are common in ordinary code). Search your apps for any function you are in doubt about before disabling it. disable_functions can only be set in php.ini or the server configuration, not in .htaccess or at runtime, so a compromised script cannot turn the functions back on.
  • display_errors = Off
  • allow_url_fopen = Off
  • allow_url_include = Off
    • allow_url_fopen lets the file functions open http:// and ftp:// URLs, and allow_url_include lets include/require do the same, which turns any include with a user-controlled path into remote code execution. Perform a global search of your htdocs for URL-based file access to see if it is being used. Disable both if not, and disable allow_url_include in any case unless you are certain you need it.
  • register_globals = Off
  • expose_php = Off
  • open_basedir = /Library/WebServer/Documents/ (in the case of many OS X installations; yours may differ). Several paths are separated with a colon. Any upload_tmp_dir and session.save_path you configure below must also lie inside an allowed path, or uploads and sessions fail with an open_basedir restriction warning.
  • error_reporting = E_ALL
  • log_errors = On
  • Do this to let PHP log its own errors to a directory that the web server user can write to and that is outside the document root (these instructions are for OS X, where Apache runs as www or, on newer releases, _www; the path and user name will vary for other systems)
    • # cd /var/log
    • # mkdir php
    • # chown www php
    • In the php.ini file, configure the error_log option:
      • error_log = /var/log/php/php_error_log
      • display_errors = Off
      • display_startup_errors = Off
  • Change the location for file uploads to a directory that is not under your DocumentRoot, owned by the user the web server runs as (httpd in these examples, www on OS X):
    • upload_tmp_dir = /var/www/tmp
    • Remember to create the folder:
      • # cd /var/www
      • # mkdir tmp
      • # chown httpd tmp
      • # chmod 700 tmp
  • Configure PHP to store session data at a new location, again outside the document root and readable only by the web server user, so other local users cannot list the session files (whose names contain the session IDs):
    • session.save_path = /var/www/sessions
    • Make the directory:
      • # cd /var/www
      • # mkdir sessions
      • # chown httpd sessions
      • # chmod 700 sessions
  • Also install mod_security with a good rule set if you run Apache.
  • We also recommend running rkhunter (Rootkit Hunter) from a daily cron job, with the daily report sent to your email.

Handling passed parameters

  • External variables need careful handling; this is an important aspect of most code. One easy example is search engines using externally set variables:

    http://www.google.com/search?q=bees

  • q can be manipulated by anyone, and q is both useful and not dangerous. It isn't where the variables come from, it is how you are using the variables and how you are treating ones that could be abused.
  • What you can't do is leave a door open, such as include($_GET['id'] . '.php'): with allow_url_include on, that fetches and runs code from any URL the attacker names, and even with it off it pulls in other local .php files through ../ sequences (and, on PHP before 5.3.4, any file at all via a %00 null byte). One alternative is to compare the parameter against a fixed list of pages and only ever pass a constant filename to include() (PHP Code):
    <?php
        // read the parameter explicitly; do not rely on register_globals
        $id = isset($_GET['id']) ? $_GET['id'] : '';

        // only these three constant paths ever reach include()
        if ($id === 'about') {
            include('about.php');
        } elseif ($id === 'links') {
            include('links.php');
        } else {
            include('home.php');
        }
    ?>

  • With the above, someone entering www.mysite.com?id=http://evilhacks.com would just get your home page, because the submitted value never reaches include().

PHP backdoors

The server-side script gives the attacker a full toolkit, and an ordinary browser serves as the backdoor client. Here is some of the functionality provided by a backdoor PHP script called "c99shell":

  • It is a remote file-manager that works through browser
  • Can be updated remotely
  • Has file-searching capabilities
  • Can access files via FTP and Samba
  • Can upload and download files and folders
  • Can bind /bin/bash to any port with a password
  • Can modify timestamp and access-time for any disk object
  • Can execute any PHP code
  • Can apply sha1, md5, crc32, base64 to files
  • Has built-in operations with databases (list, sort, group operations)
  • Can perform back connection to any IP address on a given port
  • Can send improvement suggestions to the author via mail()
  • Supports SQL
  • Has self-removal function

Please note that this description is generic, so the properties listed above do not necessarily correspond exactly to any particular malicious PHP script detected under this name; look for the behaviour (file management, command execution, back-connects) rather than the name.

Finding PHP backdoors

  • Search web directory structures for the following strings using grep -rF (the fixed-string mode, formerly fgrep), which matches the strings literally:
    • The r57Shell
      • r57Shell
      • RST/GHC
      • rst.void.ru
      • ghc.ru
    • The c99shell
      • c99shell
      • CCTeaM
      • ccteam.ru
      • tristram
  • Another good one to look for is "oracle", especially if you know you aren't using Oracle anywhere.
  • Try this too: "eval(gzinflate(base64_decode(": some PHP backdoors store their code compressed and base64-encoded inside the file, decode it on the fly and hand it to eval(), so the readable strings above never appear in the file on disk.

While this list is not guaranteed to find these shells, it is based upon the publicly disclosed source code for these backdoors and should find any copy that has not been customized too much. Treat it as a starting point: renaming a string or re-encoding the payload defeats it, so complement it with file-integrity checks and a search for recently modified or oddly placed .php files (an images directory, for example).
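A scan for the indicators above, as an added example that is not part of the original page. The script walks a web tree with grep -rlF (fixed strings, case-insensitive, one hit per file) for the r57Shell and c99shell markers listed above plus the eval(gzinflate(base64_decode( pattern, and additionally the plainer eval(base64_decode( loader form, which the page does not list. The sample tree it builds, including the base64 placeholder in cfg.php, is constructed for the demonstration and contains no real shell code.

```shell
#!/bin/sh
# Added example, not code from the original page: scan a web tree for the
# shell indicators listed above. The sample tree built by make_sample_tree
# is constructed for this demo and contains no real shell code.

# Fixed-string indicators from the page, plus the plainer
# eval(base64_decode( loader form, which the page does not list.
INDICATORS="r57Shell
RST/GHC
rst.void.ru
ghc.ru
c99shell
CCTeaM
ccteam.ru
tristram
eval(gzinflate(base64_decode(
eval(base64_decode("

# Print "path:indicator" for every file under $1 that contains an indicator.
# grep -F searches literally (the needles contain regex metacharacters),
# -i also catches C99Shell / ccTeam spellings, -l gives one hit per file.
scan_tree() {
    root=$1
    printf '%s\n' "$INDICATORS" | while IFS= read -r needle; do
        grep -rliF -- "$needle" "$root" 2>/dev/null | while IFS= read -r path; do
            printf '%s:%s\n' "$path" "$needle"
        done
    done | sort
}

# Constructed sample tree: a clean page, a marker-bearing shell dropped in
# the images directory and an encoded loader hidden in an include directory.
# The base64 string decodes to the word PLACEHOLDER, not to a payload.
make_sample_tree() {
    d=$1
    mkdir -p "$d/htdocs/images" "$d/htdocs/inc"
    printf '%s\n' '<?php echo "hello"; ?>' > "$d/htdocs/index.php"
    cat > "$d/htdocs/images/c99.php" <<'EOF'
<?php
// c99shell file manager by CCTeaM, ccteam.ru (constructed marker text)
echo "file manager";
EOF
    cat > "$d/htdocs/inc/cfg.php" <<'EOF'
<?php eval(gzinflate(base64_decode('UExBQ0VIT0xERVI='))); ?>
EOF
}

# Demo run on the constructed tree: four path:indicator lines, none for index.php.
demo=$(mktemp -d)
make_sample_tree "$demo"
scan_tree "$demo"
rm -rf "$demo"
```

Point `scan_tree` at your real htdocs and review every hit by hand: the marker strings also appear in legitimate copies of security write-ups and in this very page, so a match is a lead, not a verdict.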

Database security

WordPress security

Tools

Passwords

Intrusion detection

Rootkit removal

Miscellaneous

  • AWStats: version 6.7 is safe from all known exploits as of this writing; check for newer releases before relying on that.