Security Issue

[naz2k6]

Someone hacked a users account on my server. They uploaded a PHP file using the file manager, called imagegd.php. The person managed to steal a few things whilst using it. Upon checking it myself, the file was a ssh hack and could view the main directory and such. Does anyone have any idea on how I can stop this happening again?

Thanks

 

[Scubasteve]

define "hacked". Did he guess or break a weak password? Did they share it with someone they shouldnt have? etc etc because i doubt it is DA's fault.

Also if its a SSH hack then the most likely used root, so you need to do some serious security beefing for SSH. If you let clients have SSH, dont.

 

[naz2k6]

Hi, thanks for the reply.

The user DID have SSH access but I took it away. The point of this topic is that the user didn't use an SSH client, but rather a PHP script.

The point i'm trying to make is that using this PHP script, anyone on the server can view and access every folder.

 

[kevin01]

its a known local php vulnerability

 

[naz2k6]

I have solved the problem by adding the exec & system function to disabled functions in my php.ini file. This should stop anymore PHP attacks like this.

 

[duncan]

Could you kindly post exactly what changes to the php.in file you made?

 

[naz2k6]

Hi, look for the line with disabled_functions and add exec, system like this:

disabled_functions = exec, system

make sure it's commented out.

 

[chuckpl]

Yes you can do smth like this, but what when users got scripts using such functions... ?

The vulnerability described here is well known to be apache bug. But it can't be easily solved by a patch or smth...
I hope apache developers workin' on it (...)