Which configuration for php and server that prevent execute shell scripts?
Which funstions you recommend to disable?
Like shell_exec, passthru, proc_open, proc_close, proc_get-status, proc_nice, proc_terminate, exec, system, suexec, popen, pclose, dl, ini_set, virtual, set_time_limit
one of my client account has just been hacked with c.100 exploit. This method injects 1 php file that acts like fully featured file manager. This hacker use my client account to place multiple scam & phissing sites
now i'm wondering if this kind of exploit hacking have a way to counter them as my friend that there aren't any proved method untill now :-/
This is the php file i've recovered:
<<url removed>>
FYI, my server configuration:
- apache 2.2.11
- centos 5.2
- cpanel + whm 11.24.4
- suphp, clamav & modsec enabled
Do any1 know how to change jail shell to normal shell?
View 14 Replies View Relatedproblem on some big DB driven sites in PHP.
Lets say I have a file, doesnt even need to have any PHP functions in the document, could be just pure CSS / images. Say I have a copy of this file named something.html and a copy named something.php, the php one takes about 5 times longer to load than the html page. You can see 90% of the page loads and then it sticks with the loading bar nearly fininshed, waits a while and then pings to finished and the remaining parts of the site load (usually footer links etc).
This has me stumped, even has my hosts stumped. Would any one have any idea why this may happen? Something to do with the installation directory of PHP or location of php.ini?
This is on a Windows 2003 machine running IIS6, I have tested the same files on a Linux installation and its perfectly fine.
I am trying to run a php script on our server to split a very large file. As a result of the file size the script is timing out with this error:
Fatal error: Maximum execution time of 30 seconds exceeded in [url]on line 155
How can I extend the server execution time to the script can complete? I have cpanel with WHM installed.
i always get :-
Fatal error: Maximum execution time of 30 seconds exceeded in /home/ante/public_html/me/classes/http.php on line 418
Warning: fclose(): supplied argument is not a valid stream resource in /home/ante/public_html/me/classes/other.php on line 145
when i try upload big files (up 140mb to my vps using RapidLeech
and here my php.ini
[url]
i chnaged the php.ini to the new value and restart http only
my vps info
safe mod : on
Operating system: Linux
PHP version: 5.2.5
Apache version: 1.3.41 (Unix)
During the last couple of weeks my main server has started acting weird.
Sometimes(often) when accessing my site, I get a page saying that server or location could not be found. Reload and "bam" page loads again. Average load on the server is 0.50
When executing scripts (I.E uploading files using web2ftp or cp file manager) server shuts the connection after a few seconds and say page cannot be found.
I set the execution time in php to 60sec, so this is not the issue.
When I ping the server, I do not get any packet losses.
Before this thread happens, don't tell me to chmod the file to have execution privs. I want umask to work properly, with no seperarate chmod required.
For some reason, on every single system i've tested this on, linux, freebsd, vps, standalone server, fresh install of operating system, any time I test this, it ends up with the same issue.
Running `umask 000` should result in files created from that point on having a chmod of rwxrwxrwx. However, they always end up having a chmod of rw-rw-rw.
If I create a directory after setting the same umask setting, the directory ends up with rwxrwxrwx.
Code:
root@bonkers[/usr/local/etc/php/umask] $ umask 000
root@bonkers[/usr/local/etc/php/umask] $ touch 000
root@bonkers[/usr/local/etc/php/umask] $ mkdir d0
root@bonkers[/usr/local/etc/php/umask] $ ls -la
total 10
drwxrwxrwx 5 root wheel 512 Dec 6 03:31 .
drwxr-xr-x 4 root wheel 512 Dec 6 03:21 ..
-rw-rw-rw- 1 root wheel 0 Dec 6 03:31 000
drwxrwxrwx 2 root wheel 512 Dec 6 03:21 d0
I just installed a fresh copy of centos 4.5, updated some programs and installed chkrootkit. When i run # ./chkproc, it shows the following output:
# ./chkproc
You have 14 process hidden for readdir command
You have 14 process hidden for ps command
Searching for LKM trojans shows the following output:
# ./chkrootkit -x lkm
EXE 9994: /usr/sbin/named
CWD 9995: /var/named
EXE 9995: /usr/sbin/named
CWD 9996: /var/named
EXE 9996: /usr/sbin/named
CWD 9997: /var/named
EXE 9997: /usr/sbin/named
CWD 9998: /var/named
EXE 9998: /usr/sbin/named
CWD 26293: /var/lib/mysql
EXE 26293: /usr/sbin/mysqld
CWD 26294: /var/lib/mysql
EXE 26294: /usr/sbin/mysqld
CWD 26295: /var/lib/mysql
EXE 26295: /usr/sbin/mysqld
CWD 26296: /var/lib/mysql
EXE 26296: /usr/sbin/mysqld
CWD 26297: /var/lib/mysql
EXE 26297: /usr/sbin/mysqld
CWD 26298: /var/lib/mysql
EXE 26298: /usr/sbin/mysqld
CWD 26299: /var/lib/mysql
EXE 26299: /usr/sbin/mysqld
CWD 26300: /var/lib/mysql
EXE 26300: /usr/sbin/mysqld
When i stop mysql and named, and run # ./chkrootkit -x lkm again, it doesn't show anything. When i turn mysql and named back on, it starts complaining about compromises again.
Can it be a false alarm, or should i really be worried? What do you advise me to do now?
Cacti version 0.8.6i has vulnerability: [url]
Solution: [url]
At times as I'm developing, due to some coding error in PHP on my part, particularly calling a COM object, the apache server crashes. I'm delighted that it recovers, but in so doing it always tries to rerun the query that crashed it, which just causes another crash, and so on. Is there some way of getting round this, so that it recovers but the problematic code is not rerun?
XP SP3 (still!)
Apache/2.4.3 (Win32) mod_fcgid/2.3.7 PHP/5.4.9
Firefox (Aurora)
I just installed zen cart on my webhosting and after few days later i saw some file written like core1405.php and when i open to view the file it is actually trojan c99shell.
I have deleted all of the core file. Now how can i prevent it from happen again? Cause it is too much work to clean up the hosting server.
We have a client claming that she gets a Trojan warming when she trys to access her website but using the Trojan scan in cpanel doesn't show anything.
What can we use to scan for Trojan?
i have an site on my server when i open it the kaspersky anti viruss detect there is an trojan in this site .. ( see the picture in the attachment )
and i checked the server from the whm and there is result 15 POSSIBLE Trojans Detected
How i can solve this ?? and remove this trojans .
I just ran a scan for trojan horses in WHM and it came up with "687 POSSIBLE Trojans". WTH? Are these real trojan horses? If so, how do I remove them?
View 2 Replies View RelatedAs usually I do monthly scan to all files on my site,today I download all backup site into my PC,then scanning them using Norton Antivirus and on one site files Norton detected PHP.Backdoor.Trojan.
I take a look file location and found current file with name xTgsj78Jn.txt
Then I go to my server where site hosted,and i go to the directory and found file above stay on there,I try many time to delete it but always get an error message "Permission denied",I try to change permission but always returned an error.
When deleted it i use command rm -r with root access,then I do ls -l and found details file like below.
-rwxrwxrwx 1 nobody nobody 137787 Mar 19 20:14 xTgsj78Jn.txt*
Please help me to delete this file.
FYI this file uploaded to my hosting file site.
Have the same case for 4 servers (web and pro), the menu in plesk could not show another choice, only fastcgi.
Handlers look like ok:
root@serveur:~# /usr/local/psa/admin/sbin/php_handlers_control --list
id: display name: version: type: cgi-bin: cli-bin: php.ini:
module 5.4.4 5.4.4 module /usr/bin/php5-cgi /etc/php5/cgi/php.ini
fastcgi 5.4.4 5.4.4 fastcgi /usr/bin/php5-cgi /etc/php5/cgi/php.ini
cgi 5.4.4 5.4.4 cgi /usr/bin/php5-cgi /etc/php5/cgi/php.ini
[code]....
How to force to display php module ?
while plesk was trying to update automatically (as per the normal preference settings) but suddenly gave this error
Execution failed.
Command: autoinstaller
Arguments: Array
(
[0] => --select-product-id
[1] => plesk
[2] => --select-release-current
[3] => --upgrade-installed-components
)
Details: Doing restart of Parallels Installer...
File downloading products.inf3: 100% was finished.
File downloading plesk.inf3: 10%..20%..30%..40%..50%..60%..70%..80%..90%..100% was finished.
File downloading ppsmbe.inf3: 17%..26%..37%..47%..57%..78%..88%..100% was finished.
File downloading sitebuilder.inf3: 22%..35%..48%..60%..73%..86%..100% was finished.
[code]....
ERROR: Currently installed version of product with ID 'plesk' is not available from download site anymore.Please upgrade to the next available product version to receive software updates.Seems like the RPM got damaged, but I already fixed that part, now when I put "install" I'm geting the following
Installation started in background..Getting bootstrapper packages to installation list:
Following bootstrapper packages will be installed: (empty)
----------------
Getting packages to installation list:
Following packages will be installed: (empty)
----------------
Loaded plugins: fastestmirror
Patch for plesk 12.0.18 will not be installed since it is already applied.Error: You already have the latest version of product(s) and all selected components installed. Installation will not continue.HOWEVER the "mail" and mail server configuration no longer shows in "tools & settings".
my whm Trojan scanner found 23 possible Trojans.
how can i clean my server?
I have an hosting account at OXEO.com and I have trojan problems on all my websites
The index files of all my websites show a Trojan program called Trojan-Downloader.JS.Psyme.hz
I checked my websites on Google and Google is warning users for this kind of problems for one of my websites
Does anybody here has experienced the same problem?
I ran the Trojan scan in WHM and it came up with the list below. I have a strong feeling WHM is mis-reporting these as trojans, but I thought I would ask the experts here:
Scan for Trojan Horses
Appears Clean
/dev/stderr
Scanning for Trojan Horses.....
Possible Trojan - /usr/bin/cpan
Possible Trojan - /usr/bin/instmodsh
Possible Trojan - /usr/bin/prove
Possible Trojan - /usr/bin/xmlcatalog
Possible Trojan - /usr/bin/xmllint
Possible Trojan - /usr/bin/xml2-config
Possible Trojan - /usr/lib/libxml2.la
Possible Trojan - /usr/bin/mysqlhotcopy
Possible Trojan - /usr/bin/Wand-config
Possible Trojan - /usr/bin/animate
Possible Trojan - /usr/bin/compare
Possible Trojan - /usr/bin/composite
Possible Trojan - /usr/bin/conjure
Possible Trojan - /usr/bin/convert
Possible Trojan - /usr/bin/display
Possible Trojan - /usr/bin/identify
Possible Trojan - /usr/bin/import
Possible Trojan - /usr/bin/mogrify
Possible Trojan - /usr/bin/montage
Possible Trojan - /usr/bin/curl-config
Possible Trojan - /usr/bin/curl
Possible Trojan - /usr/lib/libcurl.so.3.0.0
Possible Trojan - /usr/lib/python2.3/site-packages/libxml2mod.la
Possible Trojan - /usr/lib/python2.3/site-packages/libxml2mod.so
Possible Trojan - /usr/sbin/pureauth
25 POSSIBLE Trojans Detected
Is there anything that looks fishy here?
What is a rootkit? The following link is a very good read to answer that question.
http://linux.oreillynet.com/pub/a/li...4/rootkit.html
In Summary, a rootkit is a trojan installed on your Linux server after someone has broken into it. These files are used to cover the hackers tracks, and to give the hacker tools to do more dirty work from your server.
Usage:
1. su - (change to root user)
2. mkdir /usr/local/chkrootkit
3. wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
4. tar -xvzf chkrootkit.tar.gz
5. cd chkrootkit*
6. cp * /usr/local/chkrootkit
7. cd /usr/local/chkrootkit
8. make sense
Now scan your system:
1. cd /usr/local/chkrootkit
2. ./chkrootkit
chkrootkit may from time to time give false positives. If you ever get a positive or "infected hit" scan a second time. If you do get a positive hit, google the hit to research the issue and steps to correct.
Part 2 - automated chkrootkit, and emailed results.
I'm lazy, and like my server to do the work for me so I have it scan every day, and email me the results.
Usage:
1. vi /etc/cron.daily/chkrootkit
2. add the following code.
Code:
#!/bin/bash
(cd /usr/local/chkrootkit; ./chkrootkit -q 2>&1 | mail -s "Daily chkrootkt scan" you@yourdomain.com)
3. chmod 0755 /etc/cron.daily/chkrootkit
This will email you@yourdomain.com every morning with your chkrootkit results. the -q option will only show you exploits.
Removal:
If you don't like getting the emails or just want to remove this from your server:
1. rm /etc/cron.daily/chkrootkit
2. rm -rf /usr/local/chkrootkit
All files will now be deleted from your server.
how can I remove a Virus/Trojan from my website?
View 6 Replies View Relatedwhile i am restoring db (110MB) via SSH following error occur
Code:
ERROR 1064 (42000) at line 145689: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '
Fatal error: Maximum execution time of 30 seconds exceeded in ' at line 1
I get the following error in plesk i don't know how to resolve this
Unable to configure the web server: Execution failed.
Command: httpdmng Arguments: Array ( [0] => --reconfigure-all )
Details: Execution failed. Command: httpdmng Arguments: Array ( [0] => --reconfigure-server [1] => -no-restart )
[Code] .....
i see my websites are infected with some trojan.
there are some iframe tag simlilar to this in all index files
<iframe src="http://traff<<removed>>.cn/in.cgi?27" width=100 height=80></iframe>
any idea how might this iframe inserted in my codes.
i have tried to format my systems and remove all saved ftp passwords , but still this virus is comming back and the strange thing is i have website on different servers infected with same virus
any idea how this is happened and how to avoide this?
can any body help me with the Trojan-Downloader.JS.Psyme.hz remover?
i can't find an remover for linux server for this trojan.
I am not that technically proficient so I have to resort to shared hosting solutions...I am currently with Bluehost.
Problem: I have a small site with minimal needs in terms of storage and bandwidth, but the site is controversial and gets hacked and attacked a lot.
I need a shared hosting provider which ranks higher than most in terms of security.
Recently the site was attacked such that any user going to the site was infected with Trojan horse viruses.
Donno if it's useful or not but here are the files from my PC antivirus which was infected when I went to the site with IE:
File generated by Rogers Online Protection Anti-Virus
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE5PG8E0SM0gifimg[1].htm Trojan-Clicker.HTML.IFrame.amh
Deleted 11/5/2009 12:21:25 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE5GC9JZWI3gifimg[2].htm Trojan-Clicker.HTML.IFrame.amh
Deleted 11/5/2009 12:21:27 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE5QBPA1ELgifimg[1].htm Trojan-Clicker.HTML.IFrame.amh
Deleted 11/5/2009 12:21:27 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE56SLECSUQgifimg[5].htm Trojan-Clicker.HTML.IFrame.amh
Deleted 11/5/2009 12:21:28 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE5EKTEAS82gifimg[5].htm Trojan-Clicker.HTML.IFrame.amh
Deleted 11/5/2009 12:21:28 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE5P5098OY4gifimg[4].htm Trojan-Clicker.HTML.IFrame.amh
Deleted 11/5/2009 12:21:29 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE5IPGNWAB0gifimg[1].htm Trojan-Clicker.HTML.IFrame.amh
Deleted 11/5/2009 12:21:30 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE55VT8B104gifimg[1].htm Trojan-Clicker.HTML.IFrame.amh
Deleted 11/5/2009 12:21:30 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE543XUDX83gifimg[2].htm Trojan-Clicker.HTML.IFrame.amh
Quarantined 11/5/2009 12:21:31 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
FilesContent.IE56SLECSUQgifimg[5].htm Trojan-Clicker.HTML.IFrame.amh
Quarantined 11/5/2009 12:22:18 AM
C:Documents and SettingsuserLocal SettingsTemporary Internet
I have this error when i put import to mysql database
Code:
#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '<script></script><p>ERROR: Maximum execution time of 300 seconds exceeded (Util.' at line 244
I have in domain > doemainname >
max_execution_time
Standaard
Geef een aangepaste waarde op 0
and insert in
usr/local/psa/admin/htdocs/domains/databases/phpmyadmin in the file config.sample.inc.php following command
$cfg['ExecTimeLimit'] = 70000;
but it will not work...
I have a website and all works fine, but an user said me that uses kaspersky said me my website has an trojan i don't understand how this is possible, and i'l really worried.
the trojan that appears to my user is:
Trojan-Clicker.HTML.Iframe.g
someone know why i have this trojan?
Now the users refuses to open my website!! i'm more than worried
this is an printscreen of the error: ...