Protecting against PHP shells

November 7, 2016 by Paweł Biernacki

The less known feature of PHP is the option to disable certain functions and classes. It may help securing your application and web server by blocking rarely used, from the perspective of pure web experience, functions.

Web-shells and reverse shells are tools used after exploitation to get access to underlying host, just like you’d connect to it via ssh. It allows the attacker to perform further attacks on other systems, perform data extraction from your database, etc. Most of the known web-shells in PHP can be easily made unusable by blocking just few functions like system or exec. Usually, you should also disable the phpinfo function as it can be used to gather additional information about your hosting environment.

Correct set will depend on your application, but here is one tested on Wordpress:

1
2
    $ grep ^disable_functions php.ini
    disable_functions = chgrp, chmod, chown, dl, eval, exec, fsockopen, lchgrp, lchown, link, passthru, pcntl_fork, phpinfo, popen, proc_get_status, proc_nice, proc_open, proc_terminate, posix_initgroups, posix_kill, posix_mkfifo, posix_mknod, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, shell_exec, show_source, stream_select, stream_socket_client, stream_socket_server, symlink, system

Remember that disabling functions is just one of the layers of good protection!

Don’t forget to keep the environment up to date and consider using an application level firewall.

Posted in: Security Web Development