Originally Posted by LiteSpeeder
Yes, you were right!
They uploaded a PHP shell to my /forum/customprofilepics/ (chmod 777) as profilepic632436_2.php (12 days ago!!)
Can you please tell me how to stop these shells from being uploaded and, even if they are uploaded, how to restrict their functions?
I've uploaded the shell.
Set in php.ini
disable_functions = exec,passthru,system,shell_exec,base64_decode,posix_getpwuid,phpinfo
allow_url_fopen = Off
allow_url_include = Off
That should help some. Note that with exec functions disabled, you need to set vB to use GD2 graphics library as ImageMagick won't work any more.
Here's the interesting bit from the script; it tells what apps it uses:
$userful = array('gcc','lcc','cc','ld','make','php','perl','python','ruby','tar','gzip','bzip','bzip2','nc','locate','suidperl');
$danger = array('kav','nod32','bdcored','uvscan','sav','drwebd','clamd','rkhunter','chkrootkit','iptables','ipfw','tripwire','shieldcc','portsentry','snort','ossec','lidsadm','tcplodg','sxid','logcheck','logwatch','sysmask','zmbscap','sawmill','wormscan','ninja');
$downloaders = array('wget','fetch','lynx','links','curl','get','lwp-mirror');
Last edited by PSS; 11-16-2009 at 12:26 PM..
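An added example, not part of the post above: a small Python audit that checks a php.ini for the three settings recommended in the post and reports anything that is missing or still enabled. The function names, the sample file and the built-in default values are assumptions made for this illustration.

```python
import re

# Values taken from the php.ini advice in the post above.
REQUIRED_DISABLED = {"exec", "passthru", "system", "shell_exec",
                     "base64_decode", "posix_getpwuid", "phpinfo"}
# Assumed effective value when a directive is absent from the file.
DEFAULTS = {"allow_url_fopen": "1", "allow_url_include": "0"}
FALSY = {"off", "0", "false", "no", "none", ""}


def parse_ini(text):
    """Return {directive: value}; the last assignment of a directive wins."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ; comments
        if "=" not in line or line.startswith("["):
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit_php_ini(text):
    """Return a list of findings; an empty list means the advice is applied."""
    settings = parse_ini(text)
    findings = []
    # Split on commas and whitespace, so a name broken by a stray space
    # ("posi x_getpwuid") is reported as missing instead of passing silently.
    raw = settings.get("disable_functions", "")
    disabled = {f.lower() for f in re.split(r"[,\s]+", raw) if f}
    for func in sorted(REQUIRED_DISABLED - disabled):
        findings.append(f"disable_functions is missing {func}")
    for key in sorted(DEFAULTS):
        value = settings.get(key, DEFAULTS[key])
        if value.lower() not in FALSY:
            findings.append(f"{key} is not Off (effective value: {value})")
    return findings


# Constructed sample: one function name broken by a space, one directive On.
SAMPLE_INI = """\
[PHP]
; hardening
disable_functions = exec,passthru,system,shell_exec,base64_decode,posi x_getpwuid,phpinfo
allow_url_fopen = Off
allow_url_include = On
"""

if __name__ == "__main__":
    for finding in audit_php_ini(SAMPLE_INI):
        print(finding)
```

Run it against the php.ini the web server actually loads, since the CLI and the web SAPI often read different files.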