How to effectively defend against PHP Trojan attack?

1, prevent from jumping out of the web directory

First modify httpd.conf, if you only allow your PHP script program to operate in the Web directory, you can also modify the httpd.conf file to restrict the PHP operation path. For example, if your web directory is/usr/local/apache/htdocs, add a few lines to the httpd.conf:

Php_admin_value Open_basedir/usr/local/apache

/htdocs

This way, if the script is to read a file other than/usr/local/apache/htdocs, it will not be allowed, and if the error appears to be turned on, this error will be prompted:

Warning:open_basedir restriction in multiplying. The File is in wrong directory in

/usr/local/apache/htdocs/open.php on line 4

Wait a minute.

2, prevent the implementation of PHP Trojan Webshell

Open Safe_mode,

Set in php.ini

disable_functions= Passthru,exec,shell_exec,system

Choose one or both.

3, prevent PHP Trojan read and write file directory

In php.ini

disable_functions= Passthru,exec,shell_exec,system

followed by the PHP function to process the file

Mainly has

Fopen,mkdir,rmdir,chmod,unlink,dir

Fopen,fread,fclose,fwrite,file_exists

Closedir,is_dir,readdir.opendir

Fileperms.copy,unlink,delfile

is to become

disable_functions= Passthru,exec,shell_exec,system,fopen,mkdir,rmdir,chmod,unlink,dir

, fopen,fread,fclose,fwrite,file_exists

, Closedir,is_dir,readdir.opendir

, Fileperms.copy,unlink,delfile

OK, done, PHP Trojan take we have no way, unfortunately, the use of the text database of those things can not be used.

If you are in the WinDOS platform to build Apache we also need to note that the Apache run by default is System permissions, which is very scary, this makes people feel very uncomfortable. Then let's give Apache a drop in privileges.

NET user Apache Fuckmicrosoft/add

net localgroup users Apache/del

OK. We have established a user apche that does not belong to any group.

We open the Computer Manager, select the service, point Apache Service Properties, we choose Log on, select this account, we fill in the above established accounts and passwords, restart the Apache service, Ok,apache run under low privileges.

In fact, we can set the permissions of each folder so that Apache users can only do what we want it to do, and create a single user who can read and write to each directory. This is also the current popular configuration of many virtual host providers Oh, but this method is used to prevent this is a bit more overqualified.