This article introduces some techniques to introduce the defense of the PHP Trojan attack, through these aspects you can better guard against Trojan horse program.
1, prevent from jumping out of the web directory First modify httpd.conf, if you only allow your PHP script program to operate in the Web directory, you can also modify the httpd.conf file to restrict the PHP operation path. For example, your web directory is/usr/local/apache/htdocs, so add a few lines to the httpd.conf:
Php_admin_value Open_basedir/usr/local/apache/htdocs
This way, if the script is to read a file other than/usr/local/apache/htdocs, it will not be allowed, and if the error appears to be turned on, this error will be prompted:
Warning:open_basedir restriction in effect. The File is in wrong directory in/usr/local/apache/htdocs/open.php on line 4
Wait a minute.
2, prevent the implementation of PHP Trojan Webshell Open Safe_mode, set in php.ini
disable_functions= Passthru,exec,shell_exec,system
Choose either one, or you can choose both.
3, prevent PHP Trojan read and write file directory The disable_functions= Passthru,exec,shell_exec,system in the php.ini
followed by the PHP function to process the file
Mainly has
Fopen,mkdir,rmdir,chmod,unlink,dir
Fopen,fread,fclose,fwrite,file_exists
Closedir,is_dir,readdir.opendir
Fileperms.copy,unlink,delfile
is to become
disable_functions= Passthru,exec,shell_exec,system,fopen,mkdir,rmdir,chmod,unlink,dir
, fopen,fread,fclose,fwrite,file_exists
, Closedir,is_dir,readdir.opendir
, Fileperms.copy,unlink,delfile
OK, done, PHP Trojan take we have no way, unfortunately, the use of the text database of those things can not be used.
If you are in the WinDOS platform to build Apache we also need to note that the Apache run by default is System permissions, which is very scary, this makes people feel very uncomfortable. Then let's give Apache a drop in privileges.
NET user Apache Fuckmicrosoft/add
net localgroup users Apache/del
OK. We have established a user apche that does not belong to any group.
We open the Computer Manager, select the service, point Apache Service Properties, we choose Log on, select this account, we fill in the above established accounts and passwords, restart the Apache service, Ok,apache run under low privileges.
In fact, we can also set the permissions of each folder so that Apache users can only do what we want it to do, and create a single user who can read and write to each directory. This is also the current popular configuration of many virtual host providers Oh, but this method is used to prevent this is a bit more overqualified.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
