Prevent php script from overriding php.ini

Question

How can I prevent php scripts from overriding max_execution_time value ?

Someone found a way to inject malicious code on a server through wordpress... We are in the process of patching the vulnerability. That php code defines :

@ini_set('max_execution_time', 0); @set_time_limit(0);

That kept on crashing my apache server... Is there a way to disallow such override?

http://php.net/manual/en/ini.core.php#ini.disable-functions – Gerald Schneider Mar 23 '17 at 10:11 — Gerald Schneider, Mar 23 '17 at 10:11

score 0 · Accepted Answer · answered Mar 23 '17 at 12:53

0

OMG NO!

Your server got hacked - that was bad.

You found out about the problem because the code running starting exhibiting strange systems - that was good.

You want to prevent your system from exhibiting the systems of an attack in future - that's bad.

That it got hacked in the first case and you are now able to apply a fix which would have prevented this rather implies that the initial compromise was your fault.

answered Mar 23 '17 at 12:53

symcbean

19,931
1
29
49

Thank you, I totally agree with your point of view... We are in the process of removing injected files, preventing the script from changing the max execution time is just one of temporary countermeasures to make apache start again... The initial compromise was through a wordpress plugin... – Phlocon Mar 23 '17 at 16:25

Prevent php script from overriding php.ini

1 Answers1