Fighting Back PHP Reverse Shell

To avoid PHP reverse shells, disable the dangerous functions in your php.ini and restrict the directories PHP is allowed to work in:

; open_basedir is a prefix match, so the trailing slash matters:
; without it, /home/wvirt2 would also be allowed.
open_basedir = /home/wvirt/

; Remote file inclusion (include "http://...") needs one of these to be on.
allow_url_fopen = Off
allow_url_include = Off

; Any entry that is not the exact name of a real PHP function is silently
; ignored, so a typo leaves that function callable; review the list carefully.
; disable_functions can only be set here (php.ini), not per virtual host.
disable_functions = apache_get_modules, exec, apache_get_version, apache_getenv, apache_lookup_uri, apache_note, apache_request_headers, apache_reset_timeout, apache_response_headers, apache_setenv, c, chgrp, chmod, chown, debugger_off, debugger_on, define_syslog_var, disk_free_space, dl, escapeshellarg, escapeshellcmd, ftok, ftpexec, gid, glob, highlight_file, hypot, ini_alter, ini_get_all, ini_restore, leak, limit, link, list, listen, ls, mkdir, mysql_list_dbs, openlog, passthru, pclose, pcntl_exec, pfsockopen, pg_host, phpinfo, popen, pos, posix_access, posix_getcwd, posix_getgid, posix_getpid, posix_getpwnam, posix_getpwuid, posix_getsid, posix_getuid, posix_i, posix_kill, posix_mkfifo, posix_mknod, posix_setgid, posix_setp, posix_setsid, posix_setuid, posix_times, posix_uname, print_rdl, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, ps_aux, ps_fill, readfile, readlink, safe_dir, satty, scandir, set_time, shell_exec, show_source, symlink, syslog, system, virtual

For websites that do not require PHP, or that provide public upload areas (where the folder owner is the Apache user), add this to your virtual host in httpd.conf:

# intranet.site.com.br
<VirtualHost *>

# register_globals and safe_mode were removed in PHP 5.4; on later
# versions these two lines do nothing and the other settings carry the load.
php_value register_globals "Off"
php_value session.cache_limiter "nocache"

# php_admin_value cannot be overridden by .htaccess or ini_set().
php_admin_value open_basedir /home/wvirt/intranet.site.com.br/public_html

php_admin_flag safe_mode "On"

# Never execute PHP from the public upload directory. The pattern only covers
# the literal .php extension; any other extension your PHP handler is mapped
# to (for example .phtml) must be added to it.
<Directory "/home/wvirt/intranet.site.com.br/public_html/downloads">
<FilesMatch "\.(?i:php)$">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
</Directory>
</VirtualHost>
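To confirm the settings above actually took effect on a host, here is an added audit script (not part of the original post). It assumes it is run through the same PHP configuration as the site, either from the web root or via the CLI with that php.ini; the list of functions it checks is a subset of the disable_functions list above.

```php
<?php
// Added audit script (not from the original post): load it once through the
// hardened PHP (web or CLI using the same php.ini), then delete it. It checks
// that the protections above are really in effect instead of trusting the edits.
// Subset of the post's disable_functions list that gives command or
// filesystem reach; a reverse shell needs at least one of the first line.
$mustBeDisabled = [
    'exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open', 'pcntl_exec',
    'dl', 'symlink', 'link', 'chmod', 'chown', 'chgrp',
    'readfile', 'show_source', 'highlight_file', 'phpinfo',
];
$findings = [];

// function_exists() returns false for functions removed via disable_functions,
// so this reflects what a script on this host can actually call.
foreach ($mustBeDisabled as $fn) {
    if (function_exists($fn)) {
        $findings[] = "function still callable: $fn";
    }
}

// open_basedir must be set and must cover this script's own directory.
// Entries are PATH_SEPARATOR-delimited prefixes, so compare with a trailing '/'.
$basedir = (string) ini_get('open_basedir');
if ($basedir === '') {
    $findings[] = 'open_basedir is not set';
} else {
    $here = rtrim((string) realpath(__DIR__), '/') . '/';
    $covered = false;
    foreach (explode(PATH_SEPARATOR, $basedir) as $entry) {
        if ($entry !== '' && strpos($here, rtrim($entry, '/') . '/') === 0) {
            $covered = true;
        }
    }
    if (!$covered) {
        $findings[] = "open_basedir ($basedir) does not cover " . __DIR__;
    }
}

// Remote file inclusion needs one of these to be on.
foreach (['allow_url_fopen', 'allow_url_include'] as $flag) {
    if (filter_var(ini_get($flag), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = "$flag is enabled";
    }
}

header('Content-Type: text/plain');
echo $findings === []
    ? "OK: all checked protections are in effect\n"
    : "WARNING:\n - " . implode("\n - ", $findings) . "\n";
```

A clean run prints "OK"; any "WARNING" line names the exact setting that still needs attention, which is faster than diffing php.ini and httpd.conf by hand.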
