Prevent the execution of PHP scripts in /home directory

ali-azm (New member; joined Aug 30, 2024; 2 messages)
Hello everyone,

I’ve just joined this forum, but I’ve been using DirectAdmin for more than 7-8 years. Unfortunately, my server has been hacked recently, and a large number of PHP files have been created in the /home/admin directory. Deleting them doesn’t resolve the issue, as the files keep getting recreated.

I’m not sure how to solve this problem, but one idea that came to mind is to prevent the execution of files in the /home/admin directory. I’m using nginx and my website’s backend is written in NodeJS, so I don’t need PHP at all. I’ve only kept PHP on the server for managing firewall and CSF settings within Direct Admin panel.

My question to you experts is: how can I completely prevent the execution of PHP scripts in the /home directory? Which configuration files and directories should I modify to apply this restriction?

Thank you.
 
I don't have a suggestion for disabling PHP, but I would look in the admin user's crontab for anything that doesn't belong. The files might be re-created via cron.

And if you don't use PHP at all for anything, possibly your NodeJS app is vulnerable?
 
Thank you for taking the time to respond.

These are all the steps I’ve taken so far, and I still haven’t seen any results:

  1. Modified PHP-FPM settings to block PHP execution in /home/admin, but the changes did not take effect.
  2. Reviewed and edited PHP-FPM configuration files, such as /usr/local/directadmin/data/users/admin/php/php-fpm72.conf, but observed no change in behavior.
  3. Suggested using php_admin_value[open_basedir] to limit PHP execution to certain directories but had no effect.
  4. I tried placing a .htaccess file in the /home/admin folder to restrict access to everything, but it didn’t work.
  5. I tried modifying the httpd settings from both /etc and /usr, adding a new rule to restrict the /home/admin directory, but it didn’t work.
  6. And many other trials and errors ...

And if you don't use PHP at all for anything, possibly your NodeJS app is vulnerable?
I'm not entirely sure if Node.js is secure enough; after all, any script could have vulnerabilities. However, at least I'm confident that when PHP code is uploaded, it won't run on my server, and access won't be easily granted to hackers.
 
There are many ways to prevent public access to PHP files.

If it's the nginx_apache webserver / php-fpm, you can use ".htaccess" to filter this, or use ".user.ini":


.user.ini
Code:
engine=off

Since your nodejs has a vulnerable script, you should fix this.

That's why you shouldn't only use a library; you must create your own filter for your security application.
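An added example, not from this thread or from DirectAdmin, showing the .user.ini approach from the reply above as a small script: it writes engine=off into a document root, checks that the kill switch is really in place, and sweeps a tree for recently modified .php files (the re-created files the first post describes). It assumes PHP runs under PHP-FPM or CGI, which read .user.ini; mod_php ignores it and needs php_admin_flag engine off in the Apache config instead. PHP only scans .user.ini from the script's directory up to the document root, so the file belongs in each public_html, not in /home/admin itself.

```shell
#!/bin/sh
# Added example (not code from the thread or from DirectAdmin).
# Assumes PHP-FPM/CGI, whose workers honour a per-directory .user.ini.

# Write engine=off into DIR/.user.ini, replacing whatever is there.
# DIR must be a document root (e.g. .../public_html) for PHP to find it.
disable_php_in() {
  dir="$1"
  [ -d "$dir" ] || return 1
  printf 'engine=off\n' > "$dir/.user.ini" || return 1
  chmod 0644 "$dir/.user.ini"
}

# Return 0 only if DIR/.user.ini actually switches the PHP engine off.
# Tolerates spaces around '=' and the 0/false spellings PHP accepts.
php_engine_disabled_in() {
  f="$1/.user.ini"
  [ -f "$f" ] && grep -Eiq \
    '^[[:space:]]*engine[[:space:]]*=[[:space:]]*(off|0|false)[[:space:]]*$' "$f"
}

# List .php files under ROOT modified within the last MINUTES minutes.
# Run this after deleting dropped files to see whether they come back.
recent_php_files() {
  find "$1" -type f -name '*.php' -mmin "-$2" 2>/dev/null | sort
}
```

PHP-FPM caches .user.ini contents for user_ini.cache_ttl seconds (300 by default), so restart PHP-FPM or wait that long before testing that a .php file no longer runs.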
 
Since they already pushed a backdoor script to your account, I guess they got all your source code and database already.
 
Deleting them doesn’t resolve the issue, as the files keep getting recreated.
Then you have to fix the hack decently first.
But I agree with Ohm J, chances are you have to start fresh since they could have done anything with source and database, maybe more.
 