Security Introduction: PHP Script Trojan's advanced prevention

Source: Internet
Author: User
Tags chmod copy fread ini mkdir modify php script

1, prevent from jumping out of the web directory

First modify httpd.conf, if you only allow your PHP script program to operate in the Web directory, you can also modify the httpd.conf file to restrict the PHP operation path. For example, your web directory is/usr/local/apache/htdocs, so add a few lines to the httpd.conf:

Php_admin_value Open_basedir/usr/local/apache/htdocs

This way, if the script is to read a file other than/usr/local/apache/htdocs, it will not be allowed, and if the error appears to be turned on, this error will be prompted:

Warning:open_basedir restriction in effect. The File is in wrong directory in/usr/local/apache/htdocs/open.php to line 4 and so on.

2, prevent the implementation of PHP Trojan Webshell

Open Safe_mode,

Set in the php.ini

disable_functions= Passthru,exec,shell_exec,system

Choose either one, or you can choose both.

3, prevent PHP Trojan read and write file directory

In the php.ini

disable_functions= Passthru,exec,shell_exec,system

followed by the PHP function to process the file

Mainly has

Fopen,mkdir,rmdir,chmod,unlink,dir

Fopen,fread,fclose,fwrite,file_exists

Closedir,is_dir,readdir.opendir

Fileperms.copy,unlink,delfile

is to become

disable_functions= Passthru,exec,shell_exec,system,fopen,mkdir,rmdir,chmod,unlink,dir

, fopen,fread,fclose,fwrite,file_exists

, Closedir,is_dir,readdir.opendir

, Fileperms.copy,unlink,delfile

OK, done, PHP Trojan take we have no way, unfortunately, the use of the text database of those things can not be used.

If you are in the WinDOS platform to build Apache we also need to note that the Apache run by default is System permissions, which is very scary, this makes people feel very uncomfortable. Then let's give Apache a drop in privileges.

NET user Apache Fuckmicrosoft/add

net localgroup users Apache/del

OK. We have established a user apche that does not belong to any group.

We open the Computer Manager, select the service, point Apache Service Properties, we choose Log on, select this account, we fill in the above established accounts and passwords, restart the Apache service, Ok,apache run under low privileges.

In fact, we can also set the permissions of each folder so that Apache users can only do what we want it to do, and create a single user who can read and write to each directory. This is also the current popular configuration of many virtual host providers Oh, but this method is used to prevent this is a bit more overqualified.



Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.