PHP "security" - Users POV
Mar 29, 2007
Context at bottom of message.
What configuration/style of running PHP should I be looking for in a hoster? Please forgive if my questions reveal my ignorance, and I'd be ever so grateful if you could help explain things to me.
Safe mode should be OFF, correct?
Should PHP be running as a module or CGI? If CGI, please rank these from best to worst: Suhosin, suExec, suPHP, phpsuexec?
Is it usual/OK for these disable_functions to be set: shell, exec, passthru - others I should watch out for?
Out of the following variables (and others you might think of), are there any which I should NOT expect to be able to change via .htaccess/php.ini?
open_basedir
register_globals
memory_limit
magic_quotes
file_uploads
upload_tmp_dir
upload_max_filesize
I'm just starting to learn PHP, but probably will be using 90% pre-coded applications - CMS, forums, mailing management. I'm looking for a good hosting company; I've got my "shortlist" list down to a dozen or so good ones with excellent reputations for reliability and support.
I want to identify which hosts will give me the most flexibility; as a user I don't want to find there are popular/important scripts out there I can't use with my account. But I still want decent security - am I dreaming or is that possible?
May 19, 2008
This is not a WHMCS vulnerability, and you are most likely not affected if you have followed the Further Security Tutorials given by WHMCS.
1.) What has happened?
A professional hacker signs up as a client and adds a shell script to your attachments/downloads folder.
He gains complete access to your WHMCS admin and changes your PayPal and other gateway emails/accounts to his emails/accounts.
2.) What to do?
Check your attachments/downloads folders for any such scripts.
Use [url]Furthur_Security_Steps to secure it.
Go to Payment Gateways and check that the accounts are yours.
3.) How do I know so much about this?
Our installation was also hacked. But this hacker made a mistake.
He used his email account password for signing up. I could get into his email and see who has been hacked. I could also get into his PayPal and e-gold and refund all payments intended to go to LaceHost (me). I saw other hosts' payments too.
4.) Hacker has changed his modus operandi.
He now changes the PayPal account to some other host's PayPal instead of his own.
He also deletes tables from your database, may create a new administrator account, may modify other accounts, add affiliate commission, etc.
5.) For more information on this hacker,
Add me on IM - lacehost [dot] live1 [at] yahoo [dot] com
6.) How many have been hacked?
According to what I saw in his PayPal and his email, at least 15 hosts have been hacked.
If your PayPal has been changed to some other host's PayPal, please do not blame them for hacking; we really do not need an inter-industry war here.
Sep 6, 2013
The upgrade has an error when managing the database users.
PRODUCT, VERSION, VERSION OF MICROUPDATE, OPERATING SYSTEM, ARCHITECTURE
OS Microsoft Windows Server 2008 R2 Service Pack 1 x64
Panel version 11.5.30 Update #13, last updated at Sept 1, 2013 03:30 PM
PROBLEM DESCRIPTION
In a customer's panel there is one MSSQL database with 3 users assigned to it, but the "Users" tab doesn't work for this customer and shows this error:
Error Javascript:
TypeError: template is null
this.template = template.toString(); in protototype.js 8472831 (línea 807)
ACTUAL RESULT
Error Javascript:
TypeError: template is null
this.template = template.toString(); in protototype.js 8472831 (línea 807)
EXPECTED RESULT
Show the users in the Users tab for the database.
Mar 25, 2009
On my server, users can connect to any database as long as they have the database user and password. This makes it easier to hack any database on the server.
What I want to do is make users able to connect only to their own databases and not to others'.
I tried changing the localhost IP address but it didn't work (I assume I didn't do it the right way).
Apr 4, 2008
I run a web hosting company and one of my servers is a LAMP server running CentOS 5. A user of mine has a Joomla installation running to manage his website and he has run into the following problem that I am puzzled by.
When Joomla adds a component or module to itself, or when a user uses the Joomla upload functionality, Joomla will add the new files under the user name "apache". This makes sense as it is the apache service running PHP that is actually creating the files.
However, when he FTPs into the account to modify these files, he doesn't have the appropriate permissions to do so, as he doesn't have a root-level login, just permissions on his home directory, which is the site. Any help would be much appreciated.
Also, does anyone know how to change the owner/group of a directory and all of its subdirectories in Linux without changing the actual permissions? I.e. some of the files in the folder have different permissions (0644 as opposed to 0755) than their parent, but if I do a top-down user/group change on the folder it will change everything in that folder to 0755.
Mar 29, 2009
I'm on a VPS and enabled SSH for other accounts, but how do I know what the login ID and password for it are?
Apr 5, 2009
I have a few system administrators with full access to the Windows 2003 servers. I fear some of them might be messing with the server, like opening websites on the server or downloading files onto the server. I want to create unprivileged users to log in to the server so that they can do basic tasks like reading the log files, etc. Can anybody give me the steps for this?
Apr 19, 2009
I've searched around these forums (VPS specifically) and cannot find any recent "reviews" or opinions on HostDime's VPS offerings.
Anyone using them? They seem to have the most bang for the buck and I'd like to get a more recent review or opinion on them.
Oct 14, 2009
We have a WHM account... we have different accounts on that... and for each account, there are add-on domains underneath it. (I hope you know what I mean.)
And we set it up to use only SFTP to connect to the server. No FTP.
After we set it up that way, it seems that we can only connect to SFTP using 1 user/pass for each account... that is the same user/pass we use for cPanel of each account.
Say I have Account A... under Account A, I have add-on domains: A1.com, A2.com, A3.com...
With SFTP-only set on that server, all those add-on domains of Account A can only use 1 user/pass to log in to SFTP, which is also the cPanel login of Account A.
The question is.... is this behavior correct??
How can we create a different user for each add-on domain?
Jun 23, 2009
How can I see the MySQL users and how can I change the password for a user?
For example www_user (MySQL user) from shell access?
Nov 2, 2009
With Webmin, can I use it to add FTP users to, say, Pure-FTPd? And does it work with lighttpd? If I'm thinking about it right, Webmin just allows us to control the service and modify the configuration files, right?
Jul 3, 2008
I hope this is in the correct section. Secondly, here is my issue that I am hoping someone can help with. I run a fairly successful video streaming site with several thousand members and several thousand videos. I am trying to determine how many users I have online at any given time. Does anyone know of a piece of software/code out there that can provide me with this information in real time?
Jun 27, 2008
I am a server admin.
Recently, when I set up a new user account, there's something strange in FTP.. (Please check the image for details.)
Besides, all newly set up subdomains cannot be used (no matter whether the user is new or old) and a 404 error occurs.
Sep 4, 2008
Does anyone have any experience with this host? In my search I found several favorable comments. I've been collecting different hosts' names to consider from those of you kind enough to post them in your signatures. I'm with A Small Orange and am looking for a backup host, or will change the DNS to the backup if they are better.
Others I am considering are Aspire and Known Host. I'll need a shared plan. My site is anywhere from 350 to 450 MB. I try to get twice the space I need because I can have a spike here and there, since clients are always downloading my voice files for their projects.
Sep 12, 2008
Does the LiteSpeed web server provide me with bandwidth usage?
Someone told me that he was using an 8 Mbit connection and after switching to LiteSpeed, bandwidth usage decreased to 3 Mbit.
Jun 11, 2008
I will generally have around 1-70 people browsing my forums at one time. I would like to know if 128 MB of RAM would be good enough for average performance?
Dec 25, 2008
I have installed LP on my system, but I have one problem...
The site's main Apache runs well, but I can't get the users' Apache to start.
Should the two be run from different ports?
Dec 12, 2007
My user said he cannot view his site from his IP address. His friend from the same ISP also cannot access the site.
But I can access it from my ISP. So I think his IP address has probably been banned. How can I check that, and how can I make his IP range available again?
Oct 1, 2008
Does anybody have a working Blurstorm number? I've tried 850-445-6937 which I found on the internet, but no answer.
Long story short: signed up to host my website. Credit card charged and approved, but I never received a user name/password confirmation. I'm not able to log on to anything. It has been 4 months and they charge my credit card every month, which I dispute with the card company. I can't cancel the web account. My next step is to cancel my credit card.
I have emailed 4 times, left messages at the above number, talked with the chat line. No response. This company is a scam.
Number one rule in choosing a hosting company: always make sure they have a working customer service number (call it and talk with someone).
Oct 26, 2008
I have a web server on my dedicated server with several web sites owned by a friend and myself. I am now wanting to set up a game server on the same box and will need to give someone I don't know or trust SSH access so that they can kill the game server and/or re-execute it, as well as modify the configuration files.
How can I go about accomplishing this?
May 15, 2007
Anyone using this for VPS? Good or Bad?
Nov 18, 2007
I have a dedicated server with CentOS and cPanel/WHM.
I want to know how I would limit each user's usage of RAM and/or CPU.
I see HUGE web hosts are doing that: they give you 9999999 disk space and 99999999 bandwidth but they limit your RAM & CPU use to a tiny number.
I want to know how I could do that in order to keep my resources in good shape.
Oct 16, 2007
We have a small hosting reseller account at eNom. We have a new customer who moved his website from another hosting company to ours. The website is on a shared IP. eNom also uses an internal IP for internal use associated with the domain.
The problem we have is that AOL users cannot see the website. As far as we can tell no other ISPs are having this problem. Everyone can see it except AOL users.
When AOL users go to the site they get "Page cannot be found". After several calls to eNom support and them triple-checking the DNS we still have the problem.
Of course I have tried about 15 different phone numbers at AOL and I get the same automated service that wants an account name or number. Without it they won't let me talk to a real person.
Can anyone offer some suggestions before we lose a new customer?
The domain is [url]. They sell Hot Sauce..
Apr 18, 2007
Anyone started using CentOS 5? Any feedback so far? I am thinking of using DirectAdmin on CentOS 5......
Oct 5, 2009
I find it worrying when new or relatively new users post "[XYZ]VPS PROVIDER IS A SCAM" or "[XYZ]VPS ROBBED ME" in a topic because they didn't get the instant ticket response or fast enough setup time on their $10 VPS..
I'm planning on setting up a budget UK-based VPS service myself some time soon, and users would do well to remember that a lot of hard work goes into the management and setup of such providers. This kind of negative publicity cannot be taken back once posted. A quick Google search will throw up this kind of post and cause irreparable and often completely unnecessary harm to a business..
Apr 27, 2009
I don't want users to be able to run the following code in their .htaccess. How can I do that?
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
Options +FollowSymLinks
Options +FollowSymLinks
May 26, 2009
On my Linux VPS (cPanel based), hackers have obtained the password of a user (website owner) and uploaded some hack files (PHP) through FTP. Sometimes the hacker uploads Perl/CGI scripts and sends spam mails. This happens frequently on the server. How does the hacker get the user's password? How can I protect my users and server from this security issue?
Apr 2, 2009
Is there any option to limit users to upload only (no other permissions like permission changes, directory access, etc., only upload) in FTP? I am using Pure-FTPd.
I have seen options to do it in ProFTPD, like below:
<Limit APPE MKD XMKD READ DIRS>
AllowUser username1
AllowUser username2
</Limit>
Is there any option to set this in Pure-FTPd?
Jun 6, 2009
I'm running a cPanel server and wondering which of these users are safe to remove and what's the best way to do that?
Code:
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
avahi-autoipd:x:499:499:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkituser:x:87:87:PolicyKit:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:498:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
avahi:x:498:497:avahi-daemon:/var/run/avahi-daemon:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
torrent:x:497:496:BitTorrent Seed/Tracker:/var/lib/bittorrent:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
Aug 24, 2009
I had to rebuild our web/FTP box, so I built a new one. Now how do I transfer all the FTP users to the new system without changing their passwords?
I am able to transfer their directories and I added a line to the /etc/passwd of the new server, but it fails.
Nov 1, 2009
We are starting a website in .NET and for this I want to block proxy users who use Tor, Squid, IP-hiding software, etc...... What do we need for this at the programming level, and will software or hardware firewalls and intrusion detection/intrusion prevention systems help us block proxy users?