Recently I’ve run into some security issues where a cracker has found an exploit in website code to upload arbitrary files, one of which was a “PHP Shell” that gave them all kinds of cracking tools and apache-level access to the server.
While the exploit has been fixed and files removed, for the sake of locking down the Linux server I’d like to make it so that any files owned by apache (the user that apache runs as) can’t be executed as PHP. All PHP files that are legit are owned by different users.
We do need to keep directories writable by apache because we do have various CMSes installed that allow for users to upload images and documents. Another option I know we can do is turn off php for those directories writable by apache, but since it would need to happen to hundreds of domains on multiple servers, I was hoping to do a more “global” fix so that I wouldn’t have to make sure the list of directories exempted from PHP is always up to date, etc.
Thoughts?
Really, it seems to me that the most secure option is probably to disable PHP in any directory where files will be written, as any other approach seems likely to be brittle. You could modify mod_php (or, if you’re using FastCGI, the way FastCGI processes are spawned), though these approaches seem fairly involved.
If you’re intent on doing this using owner (and, I would recommend, also permissions to ensure that it isn’t just a world-writable PHP file someone found), then one kludge you could do is using `auto_prepend_file` in php.ini. This lets you put some PHP code in a file which will be required at the beginning of all PHP scripts. You could write, in PHP, any logic you needed to validate that the file should run (and forcefully exit otherwise). You could even send an email to the administrator or take some other appropriate action in the case where the script should not run. http://www.php.net/manual/en/ini.core.php#ini.auto-prepend-file
But as I said, this approach is very much a hack. It’s much better to disable PHP support in any directory writable by the web server, rather than relying on ownership.
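The `auto_prepend_file` kludge from the answer above, written out as an added example (not the answerer's code): a guard script that refuses to run any main script owned by the web server's own UID or writable by group/others, logging the refusal instead. It assumes the `posix` extension is loaded and that the guard's path in php.ini (a placeholder here) is itself owned by root and not writable by the web server.

```php
<?php
// Added example guard, named in php.ini as (placeholder path):
//   auto_prepend_file = /etc/php/guard_prepend.php
// Under mod_php it runs before every script; exit() here stops the main script.

function guard_script_is_allowed(string $script, int $server_uid, ?string &$reason = null): bool
{
    $stat = @stat($script);
    if ($stat === false) {
        $reason = "cannot stat $script";
        return false;
    }
    // Owner check: legitimate scripts are owned by someone other than the
    // user Apache runs as, so anything Apache itself wrote is refused.
    if ($stat['uid'] === $server_uid) {
        $reason = "owned by web server uid $server_uid";
        return false;
    }
    // Permission check: also refuse group- or world-writable scripts
    // (an uploaded file may have been chown'd but left 0666).
    if (($stat['mode'] & 0022) !== 0) {
        $reason = sprintf('mode %o is group/world writable', $stat['mode'] & 07777);
        return false;
    }
    return true;
}

$script     = realpath($_SERVER['SCRIPT_FILENAME'] ?? '');
$server_uid = posix_geteuid();   // UID of the running Apache/PHP process
$reason     = null;

if ($script === false || !guard_script_is_allowed($script, $server_uid, $reason)) {
    // Log to the web server's error log; an email alert could go here instead.
    error_log(sprintf('php guard: refusing %s requested by %s: %s',
        $script !== false ? $script : '(unresolvable path)',
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $reason ?? 'unresolvable path'));
    http_response_code(403);
    exit('Forbidden');
}
```

Because the check runs per request inside PHP, a symlink or a script copied by a CMS into a non-writable directory is still judged by its own owner and mode, which is exactly the brittleness the answer warns about; disabling PHP in writable directories remains the stronger control.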