
On one of my servers I found a PHP file that contains compressed and base64-encoded code, with that operation nested two or more times.

I need to know what configuration I need to add to Apache, php.ini and the filesystem to prevent or minimize the impact of this in the future, and how to prevent this file from being uploaded again, if possible. Apparently it's a problem across the net, but I only care about this server.

I block some functions I don't use, like: `ini_set`, `set_time_limit`, `set_magic_quotes_runtime`, `error_reporting`, `posix_getpwuid`, `posix_getgrgid`

Do I need to change all my passwords frequently too? Limit terminal access users? Change some file modes?

nhereveri
  • you don't use `error_reporting`? – Martin May 17 '17 at 19:41
  • This is far too broad a topic. You need to establish how the breach occurred and then you need to use a Search Engine to find other [very similar](http://stackoverflow.com/questions/9261707/how-do-you-permit-php-to-write-to-a-file-without-compromising-server-security) [questions](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) on this and other [more relevant Stack Exchange sites](https://security.stackexchange.com/). Cheers – Martin May 17 '17 at 19:42
  • Did you write this PHP file yourself? It doesn't look harmful *as such*, it just looks coded to probe the site it's running on. It links to https://www.exploit-db.com/ – Martin May 17 '17 at 19:48
  • Not now. I set error_reporting for all sites to: `E_ALL & ~E_DEPRECATED` – nhereveri May 17 '17 at 20:04
  • No, I decoded and unzipped the file two times. I just need to limit the script in case this happens again. I block execution of user-uploaded files with the Apache directive `php_flag engine off` – nhereveri May 17 '17 at 20:06
  • Limiting this specific script in this specific instance is almost worthless, that's fire-fighting and damage control, rather than any future issue prevention. You asked about **Apache, PHP and filesystem security** and the number one rule in *that* is to truly, completely limit file uploads and their abilities. Which unfortunately is still a very broad topic. – Martin May 17 '17 at 21:20
  • If you really want to limit PHP code being uploaded and used via your website, you need to explain (*edit the question*) what is being uploaded (ie images) and what purpose it is for. Different files have different methods of cleaning and sandboxing. – Martin May 17 '17 at 21:22
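As an added example (not the poster's code and not part of the original page), the following Python script automates the "decode and unzip two times" triage step described above: it peels nested `eval(gzinflate(base64_decode('...')))` layers from a PHP file and reports which functions appear at each layer, so a defender can see what a dropped file actually does before deciding how to harden the server. The wrapped sample is constructed inline from a harmless `echo` statement, and the list of function names it flags is a hypothetical watchlist chosen for illustration, not something taken from the page.

```python
import base64
import re
import zlib

# Constructed sample: a harmless PHP snippet, wrapped twice in the
# eval(gzinflate(base64_decode('...'))) pattern the question describes.
INNER_PHP = '<?php echo "hello from the innermost layer"; ?>'


def wrap_layer(php_source: str) -> str:
    """Produce one obfuscation layer the way PHP's gzdeflate()+base64_encode() would.
    Only used here to build the constructed sample for the demonstration."""
    # wbits=-15 is raw DEFLATE, which is what PHP's gzdeflate()/gzinflate() use.
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    compressed = deflater.compress(php_source.encode()) + deflater.flush()
    blob = base64.b64encode(compressed).decode()
    return "<?php eval(gzinflate(base64_decode('%s'))); ?>" % blob


SAMPLE_FILE = wrap_layer(wrap_layer(INNER_PHP))

# Matches the classic one-liner wrapper; the capture group is the base64 blob.
LAYER_RE = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*\)",
    re.IGNORECASE,
)

# Hypothetical watchlist: functions whose presence in a dropped file is worth a look.
WATCHLIST = [
    "eval", "assert", "gzinflate", "base64_decode", "str_rot13",
    "system", "exec", "shell_exec", "passthru", "proc_open",
]


def peel_layers(source: str, max_layers: int = 10) -> list:
    """Return every layer of the file, outermost first, innermost (plain PHP) last.
    Stops when no wrapper pattern remains or when max_layers is reached, so a
    file that is wrapped an absurd number of times cannot run this forever."""
    layers = [source]
    current = source
    for _ in range(max_layers):
        match = LAYER_RE.search(current)
        if not match:
            break
        compressed = base64.b64decode(match.group(1))
        current = zlib.decompress(compressed, -15).decode("utf-8", errors="replace")
        layers.append(current)
    return layers


def watched_functions(source: str) -> list:
    """List watchlist function names that are actually called in this layer."""
    return sorted(name for name in WATCHLIST
                  if re.search(r"\b%s\s*\(" % name, source, re.IGNORECASE))


def triage(source: str) -> dict:
    """Summarise a suspicious PHP file: how deep the wrapping goes, what each
    layer calls, and the recovered innermost source for manual review."""
    layers = peel_layers(source)
    return {
        "layer_count": len(layers),
        "calls_per_layer": [watched_functions(layer) for layer in layers],
        "innermost": layers[-1],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_FILE)
    print("layers:", report["layer_count"])
    for depth, calls in enumerate(report["calls_per_layer"]):
        print("  layer %d calls: %s" % (depth, ", ".join(calls) or "(none from watchlist)"))
    print("innermost source:", report["innermost"])
```

Run it against a real file by reading the file's contents into `triage()`; the innermost layer is what you should actually read, and the per-layer call list tells you whether it stops at `echo` or reaches for `system()`-style functions that a `disable_functions` entry in php.ini would block.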

0 Answers