From: spamik at yum dot pl Operating system: PHP version: 5.4.13 Package: Filesystem function related Bug Type: Feature/Change Request Bug description:[feature request] log of php writes to local files
Description: ------------ As you probably know there are a lot of security bugs in current world php aplications. Using these bugs attacker executes his own code that writes to a new .php files (usualy) or modyfy existing one - putting there his malicious "botnet zombie" code. It is really hard to quick and efectivly detect changes on filesystem/kernel level, especialy if where are talking about monitoring milions of directories (as in popular shared hosting). I propose making php file write log (to a file defined in php.ini). Operations that write to local files should be logged there (file_put_contents() and all fopen() except 'r' and 'r+' mode) Log should contain: unix_timestamp<SEPARATOR>absolute path of file that used write function<SEPARATOR>absolute file of modified file <SEPARATOR> could be '\0' as it can't be in filename anyway. Other solution would be to escape paths as those can contain spaces etc. most of this code should probably go to ext/standard/file.c I've made very very crude implementation of this for myself but that is really bad code because I lack c skills. It actualy seg faults in some cases. So I wont even share it, no point. -- Edit bug report at https://bugs.php.net/bug.php?id=64437&edit=1 -- Try a snapshot (PHP 5.4): https://bugs.php.net/fix.php?id=64437&r=trysnapshot54 Try a snapshot (PHP 5.3): https://bugs.php.net/fix.php?id=64437&r=trysnapshot53 Try a snapshot (trunk): https://bugs.php.net/fix.php?id=64437&r=trysnapshottrunk Fixed in SVN: https://bugs.php.net/fix.php?id=64437&r=fixed Fixed in release: https://bugs.php.net/fix.php?id=64437&r=alreadyfixed Need backtrace: https://bugs.php.net/fix.php?id=64437&r=needtrace Need Reproduce Script: https://bugs.php.net/fix.php?id=64437&r=needscript Try newer version: https://bugs.php.net/fix.php?id=64437&r=oldversion Not developer issue: https://bugs.php.net/fix.php?id=64437&r=support Expected behavior: https://bugs.php.net/fix.php?id=64437&r=notwrong Not enough info: https://bugs.php.net/fix.php?id=64437&r=notenoughinfo Submitted twice: https://bugs.php.net/fix.php?id=64437&r=submittedtwice register_globals: https://bugs.php.net/fix.php?id=64437&r=globals PHP 4 support discontinued: https://bugs.php.net/fix.php?id=64437&r=php4 Daylight Savings: https://bugs.php.net/fix.php?id=64437&r=dst IIS Stability: https://bugs.php.net/fix.php?id=64437&r=isapi Install GNU Sed: https://bugs.php.net/fix.php?id=64437&r=gnused Floating point limitations: https://bugs.php.net/fix.php?id=64437&r=float No Zend Extensions: https://bugs.php.net/fix.php?id=64437&r=nozend MySQL Configuration Error: https://bugs.php.net/fix.php?id=64437&r=mysqlcfg
