i am recently effected by shell uploads because of one image hosting site, its temp folder was 0777 chmod which helped hacker to upload shells using zip file executing and defacing sites in many accounts, now i want to block this type of issue in future for which i took these steps :-
1. changed all passwords of cpanel , removed all excess ftp accounts,
2.disabled these function :-
disable_functions = dl , exec , passthru , pcntl_exec , pfsockopen , popen , posix_kill , posix_mkfifo , posix_setuid , proc_close , proc_open , proc_terminate , shell_exec , system , leak , posix_setpgid , posix_setsid , proc_get_status , proc_nice , show_source , escapeshellcmd,
3. started php_suexec
i also heard using this rule in mod_security will help me but i don't know how to use it with litespeed request filter:-
can some one please shed some light here ? also some more hints to stop these type of attacks will be helpful
thanks.
1. changed all passwords of cpanel , removed all excess ftp accounts,
2.disabled these function :-
disable_functions = dl , exec , passthru , pcntl_exec , pfsockopen , popen , posix_kill , posix_mkfifo , posix_setuid , proc_close , proc_open , proc_terminate , shell_exec , system , leak , posix_setpgid , posix_setsid , proc_get_status , proc_nice , show_source , escapeshellcmd,
3. started php_suexec
i also heard using this rule in mod_security will help me but i don't know how to use it with litespeed request filter:-
Code:
SecRule REQUEST_URI "\.php\?act=(ls|chmod|cd|sql|chown|mkdir|chdir|mv|cp|ln|rm|touch|processes|tools)" "deny,log,status:406"thanks.