Question about security

[rvn2k]

Hi guys,

Got a small question, is there a way to prevent users from running shell commands through PHP scripts? I have found all kind of crippy things in my /tmp dir (exploits, perl spaming scripts, scanners, and more).

I can't even track what users or through what PHP are this files coming from, because the owner of this files is apache.

Any idea?

 

[tanfwc]

I guess you have to start hiring sysadmin to secure the box so you, your box is exploited due to weakness of your system.

 

[blasty]

Preventing users from running 'shell commands' through PHP is relatively easy, and you don't even need to hire a sysadmin to do it for you!

Using the "disable_functions" option in your php.ini it's easy enough to disable certain functions.

disable_functions = exec system passthru popen

I bet there's more malicious functions then the ones I listed above, so please adjust to your needs.