New Perspectives On Web Design

By Paul Tero CHAPTER 8

it is advisable to disable them. You can do this by adding the disable_functions
directive to your server’s php.ini file (or php5.ini for PHP 5 on some hosts) or,
on hosts that run PHP as CGI/suPHP and read a per-site configuration, to a php.ini
within your document root. Note that disable_functions is a system-level
(PHP_INI_SYSTEM) directive: it cannot be set from .htaccess, .user.ini or
ini_set(), and a setting placed there is silently ignored. If you search for
“php disable functions” in Google, you will find a whole list of functions which
should be disabled in this way:


disable_functions=fpassthru,crack_check,crack_close...


A quick check you can make for this type of hack is to look for all PHP
files modified recently and make sure there are no anomalies. The -mtime
-1 option tells find to consider only files modified less than one day (24
hours) ago; there is also -mmin for minutes. Bear in mind that an intruder
can reset a file’s modification time with touch, so it is worth repeating the
search with -ctime -1: the inode change time is set by the kernel on every
write or touch and cannot be chosen with touch. This command searches all
websites within /var/www/vhosts for recently modified files ending in “.php”
or “.inc” (the parentheses must be escaped and the patterns quoted so that the
shell passes them through to find rather than interpreting them itself):


$ find /var/www/vhosts -mtime -1 \( -name '*.php' -o -name '*.inc' \) -printf "%t %h/%f\n"
Sun May 12 21:20:17.0000000000 2013 /var/www/vhosts/smashingmagazine.com/httpdocs/products/view.php


PHP hacks are difficult to detect because they are designed not to stand
out. One method hackers use is to compress their PHP with gzdeflate and then
base64-encode it, so that the file contains nothing but an eval() of the
decoded and inflated string. In that case, you may have a PHP file on your
system with something like this in it:


eval(gzinflate(base64_decode('HJ3HkqNQEkU/ZzqCBd4t8V4YAQI2E3jvPV8...


Another method is to encode text within variables and then combine them
and evaluate them:


$unywlbxc = " uwzsebpgi840hk2a jf";
$hivjytmne = " jqs9m4y 1znp0 ";
eval ( "m"."i". "croti"...
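The recently-modified-file check above and a grep for the eval, gzinflate and base64_decode signatures in the two snippets just shown, combined into one scan script. This is an added example rather than code from the chapter: it builds a throwaway fixture tree under mktemp (the paths and file contents are constructed for the example, not taken from any real site), and it adds a second search keyed on ctime because the modification time that -mtime tests can be reset with touch.

```shell
#!/bin/sh
# Added example (not from the chapter): the recently-modified-file check
# and a grep for eval/base64/gzinflate signatures, run against a fixture
# tree built under mktemp. All paths and file contents are constructed.

# .php/.inc files under $1 whose mtime is less than a day old. The
# parentheses are escaped and the globs quoted so the shell hands them
# to find instead of opening a subshell and expanding them itself.
recent_by_mtime() {
    find "$1" -type f \( -name '*.php' -o -name '*.inc' \) -mtime -1 | sort
}

# Same search keyed on inode change time. An intruder can back-date
# mtime with "touch -t"; ctime is set by the kernel on every write,
# rename or touch and cannot be chosen with touch, so it survives that.
recent_by_ctime() {
    find "$1" -type f \( -name '*.php' -o -name '*.inc' \) -ctime -1 | sort
}

# .php/.inc files containing a bare eval( call (so evaluate_order( is
# not matched) or the gzinflate(base64_decode( pair. (^|[^[:alnum:]_])
# is the portable ERE spelling of the \b word boundary before eval.
suspicious_code() {
    find "$1" -type f \( -name '*.php' -o -name '*.inc' \) -exec grep -lE \
        '(^|[^[:alnum:]_])eval[[:space:]]*\(|gzinflate[[:space:]]*\([[:space:]]*base64_decode' {} + | sort
}

# Fixture: two clean files, a gzinflate/base64 backdoor, and a
# string-concatenation backdoor whose mtime has been reset to May 2013.
# The base64 payload is a placeholder, not a real encoded script.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/httpdocs/products" "$root/httpdocs/lib"
    printf '<?php\n$total = $price * $qty;\n' > "$root/httpdocs/products/view.php"
    printf '<?php\nfunction evaluate_order($o) { return $o; }\n' > "$root/httpdocs/lib/order.inc"
    printf '<?php\neval(gzinflate(base64_decode("AAAA")));\n' > "$root/httpdocs/lib/cache.php"
    printf '<?php\n$unywlbxc = " uwzsebpgi840hk2a jf";\neval ( "m"."i"."croti" );\n' > "$root/httpdocs/products/img.php"
    touch -t 201305010000 "$root/httpdocs/products/view.php" \
        "$root/httpdocs/lib/order.inc" "$root/httpdocs/products/img.php"
    echo "$root"
}

root=$(make_fixture)
echo "== modified in the last day (mtime): only the backdoor that was not back-dated"
recent_by_mtime "$root"
echo "== changed in the last day (ctime): all four, the fixture was written just now"
recent_by_ctime "$root"
echo "== eval/base64 signatures: both backdoors, but not order.inc"
suspicious_code "$root"
rm -rf "$root"
```

On a real server you would point the three functions at /var/www/vhosts instead of a fixture. In the fixture every file was written moments ago, so the ctime search lists all four; on a live system only files genuinely changed in the last day appear, including the back-dated img.php that the mtime search misses. The bare-word pattern matters: a plain grep for eval also flags harmless names such as evaluate_order.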


Both these methods use the PHP eval function, so you can use grep
to look for eval. Using a regular expression with \beval\b means that the
