Posts Tagged ‘safe mode’

Linux PHP Disable chmod() and chown() functions for better Apache server security

Monday, July 15th, 2013

php_tighten_security_by_enabling_safe_mode-php-ini-function-prevent-crackers-break-in-your-server
I have to administer few inherited Linux servers with Ubuntu and Debian Linux. The servers hosts mainly websites with regularly un-updated Joomlas and some custom developed websites which were developed pretty unsecure. To mitigate hacked websites I already disabled some of most insecure functions like system(); eval etc. – I followed literally my previous tutorial PHP Webhosting security disable exec();, system();, open(); and eval();
Still in logs I see shits like:
 

[error] [client 66.249.72.100] PHP Warning:  mkdir(): No such file or directory in /var/www/site/plugins/system/jfdatabase/intercept.jdatabasemysql.php on line 161

Hence to prevent PHP mkdir(); and chown(); functiosn being active, I had to turn on in /etc/php5/apache2/php.ini – safe_mode . For some reason whoever configured Apache leave it off.

safe_mode = on

Hopefully by disabling this functions will keep cracker bot scripts to not create some weird directory structures on HDD or use it as mean to DoS overflow servers filesystem.

Hope this help others stabilize their servers too. Enjoy ! 🙂

Fix to sfc /scannow (System File Checker) error “The specific code is 0x000006ba [The RPC Server is unavailable.] “

Friday, December 14th, 2012

I had to fix one Windows XP computer today. The computer was in a terrible state (meak to say), the system was hanging during boot,

None of Windows recovery modes worked,  except when running it through:

Windows Safe Mode (With Command Prompt) mode (pressing F8 before Windows boot with Windows flag screen).


I followed some Usual commands to repair broken Windows XP, as the system was hanging during boot there was obviously some issues with corrupt by Viruses and Malware system binary (.exe) files or some .DLL was substituted in (C:WindowsSystem32 and C:WindowsSystem32DllCacache) with a trojanned version by some "bad ware". 

Thus the logical thing to do was to try:

sfc /scannow


from Safe Mode's cmd prompt. Instead of starting its work as usual System File Checker spitted an error:
 

Windows File Protection could not be initiate a scan of protected system files. 
The specific code is 0x000006ba [The RPC Server is unavailable.]

You can guess my amazement as I see this error for a first time in my life. Actually I don't remember if I run System File Checker scan from a Safe Mode With only Command Prompt ever so I'm not sure if this error was caused by some Virus activity which broke up the Win host, or it is due to the fact RCP Services are not loaded in Safe Mode – With Command Prompt Only.

As the message implies RCP Server is not running and sfc depends on it.

The reason for the error is Windows File Protection (WFP) was disabled by some of the Spyware or Viruses which infested the poor Win PC.

As the problem consisted in unworking RPC Services I tried launching RPC manually with command:

> net start rpcss  

This unfortunately did not succeeded (dunno why).

I've later seen another fix pointed on a couple of forums around, which is using Registry to enable SFC.

Re-enabling SFC is done by:

1. Launching regedit

2. Once launched go to the following reg settings (sub-values)

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon

Use modify on it and change value to be "0"
3. Restart windows and launch again Safe Mode With (Command Prompt Only)

There execute:

> sfc /purgecache
> sfc /scannow

This solves it however, as you never can be sure if the Install time .DLLs are not already rootkited by the Virus-es and Spywares which "posessed" the computer. It is generally a good idea to Launch the Windows Install CD, recovery console and launch SFC using it, or even try using the Windows CD (Repair) mode. Though this is a temporary work around, this system will need a re-install in very short future, or it will most likely came in the same broken state in a very while – I don't believe such an infested computer can be "cured" except with a clean CD Windows re-install.
If this method didn't work for you but something else worked for you, whether you had to fix a Win PC please drop a comment with the solution.

Disabling PHP system(); and exec(); functions to raise up Apache security on Debian GNU / Linux

Wednesday, July 18th, 2012

Disabling PHP system(); and exec(); functions to raise up Apache security on Debian Gnu / Linux

At security critical hosts running Apache + PHP based sites it is recommended functions like:

system();
exec();shell_exec();.....

to be disabled. The reason is to mainly harden against script kiddies who might exploit your site/s and upload some shitty SK tool like PHP WebShell, PHP Shell and the probably thousands of “hacker” variations that exist nowdays.

In latest Debian stable Squeeze, suhosinadvanced protection module for php5 is being installed and enabled in Apache (by default).
Simply disabling a number of functions using suhosin, could prevent multiple of future headaches and hours of pondering on who 0wn3d your server ….

Disabling the basic PHP system(); and other similar functions which allows shell spawn is not always possible, since some websites or CMS platforms depends on them for proper runnig, anyways whether it is possible disabling ’em is a must.
There are two ways to disable system(); functions; One is through using /etc/php5/apache2/conf.d/suhosin.ini and 2nd by adding a list of functions that has to be disabled directly in Website Virtualhost file or in apache2.conf (/etc/apache2/apache2.conf;
For people hosting multiple virtualhost websites on the same server using the custom domain Virtualhost method is probably better, since on a global scale the functions could be enabled if some of the websites hosted on the server requires exec(); to work OK. In any case using /etc/php5/apache2/conf.d/suhosin.ini to disable system(); functions in PHP is less messy …

1. Disabling PHP system(); fuctions through /etc/apache2/apache2.conf and custom site Vhosts

Place somewhere (I prefer near the end of config);;;


php_admin_flag safe_mode on
php_admin_value disable_functions "system, exec, shell_exec, passthru , ini_alter, dl, pfsockopen, openlog, syslog, readlink, symlink, link, leak, fsockopen, popen, escapeshellcmd, apache_child_terminate apache_get_modules, apache_get_version, apache_getenv, apache_note,apache_setenv,virtual"

Disabling it for custom virtualhost is done by simply adding above Apache directvies (before the closing tag in /etc/apache2/sites-enabled/custom-vhost.com

2. Disabling PHP system();, exec(); shell spawn with suhosin.ini

In /etc/php5/apache2/conf.d/suhosin.ini add;;

suhosin.executor.func.blacklist =system, exec, shell_exec, passthru, ini_alter, dl,
pfsockopen, openlog, syslog, readlink, symlink, link, leak, fsockopen, popen,
escapeshellcmd, apache_child_terminate apache_get_modules, apache_get_version,
apache_getenv, apache_note,apache_setenv,virtual

To do it directly via shell issue;;;

server: conf.d/# cd /etc/php5/apache2/conf.d/
server: conf.d# echo 'suhosin.executor.func.blacklist =system, exec, shell_exec, passthru, ini_alter, dl,' >> suhosin.ini
server: conf.d# echo 'pfsockopen, openlog, syslog, readlink, symlink, link, leak, fsockopen, popen,' >> suhosin.ini
server: conf.d# echo escapeshellcmd, apache_child_terminate apache_get_modules, apache_get_version,' >> suhosin.ini
server: conf.d# echo 'apache_getenv, apache_note,apache_setenv,virtual' >> suhosin.ini

Then to re-load the memory loaded Apache libphp library an Apache restart is necessary;

server: conf.d# /etc/init.d/apache2 restart
Restarting web server: apache2 ... waiting .
server: conf.d#

Tadam, this should be quite a good security against annoying automated script attacks. Cheers 😉