Mohsin Sumar Zend Certified Engineer, PHP Professional, Designer & Web Developer

27Nov/090

Securing PHP application from malicious scripts

If you've stumbled across this post, then you've recently become a victim of the most famous way of uploading a malicious script to a website - PHP file uploads.

Many websites and web applications that are developed using PHP & MySQL allow users to upload files, photos and documents to the server. Normally, the upload script receives the files and moves (or writes) it to a directory (folder) with write permissions. If you are on Linux, then this would mean that your folder CHMOD value is 0777.

The Problem
The changing of CHMOD value to 0777 practically allows anyone in the WORLD to write to your folder and is therefore not recommended. However, many a times we are left with no option but to do so - depending on the servers' environment.

How can this be a problem?
This allows attackers to upload upload a malicious PHP script to your directory, which they will then execute by accessing it. This script could either be a mass-mailing script or a malicious script to gain access to your account (or web server).

The Solution
It is said that prevention is better than cure - and therefore, it is important to prevent these scripts from being executed by the server. This can very simply be done by adding a few lines of code to your .htaccess file. If your directory is supposed to hold photo files only, then the following code is recommended to prevent scripts from being executed.

It is also important to disable directory listing on these folders.

# Disable Directory Listing
Options All -Indexes

# Allow access to these file extensions only
<FilesMatch "\.(htaccess|htpasswd|ini|php|cgi|pl|phps|sh)$">
 Order Allow,Deny
 Deny from all
</FilesMatch>

The above will add an extra layer of security to your web application.

Tagged as: , , , , , , No Comments
24Nov/090

How do I extract a tar file?

Using the following command in SSH, you will be able to extract files from your tar file.

tar -xf file.tar

Tagged as: No Comments
22Nov/090

How to tar a file using SSH?

Use the following command if you want to create a tar and compress a file (or folder).

tar -czf /path/to/save/file.tar folder_or_file_name

The options used in the above command are outlined below for your understanding.

-c = create
-z = compress a file
-f = use the file mentioned instead of tape drive

Tagged as: , , No Comments
27Sep/090

SSH Commands to find files on Linux Server

If you have a dedicated server or a VPS - or any Linux machine with SSH access, the following commands may be useful to you if you are looking to find some files quickly. PuTTY is a good telnet/SSH client if you don't already have one. Let's get started.

#1: If you are looking for a particular file in /home directory

find /home -name filename

#2: If you are looking for files whose name is starting with "filename" in public_html directories only, you can use the following command:-

find /home/*/public_html -name filename*

#3: Instead of viewing your search results in command line, you can write it to file by using this:

find /home/*/public_html -name filename* > /home/filename_search.txt

#4: Alternatively, you can send it via e-mail directly from server using the command below. Don't forget to replace "Subject Here" with your email subject, and "email.address@domain" with your email ID.

find /home/*/public_html -name filename* |mail -s "Subject Here" e-mail.address@domain

I hope this was useful.

Tagged as: , , , , No Comments
25Sep/090

Data recovery from a corrupt hard disk

Earlier this week, I was transferring all my important data from my external 120GB USB hard disk to my new laptop. During the process, the transfer became unbearably slow. I decided to cancel it and reboot my computer to get a fresh start.

To my dismay, Windows Vista detects the hard drive but is unable to read it prompting me to format the drive. After a bit of reading, and trying to access the drive in different ways - I got the following error message.

Disk is unaccessible.
The file or directory is corrupted and unreadable.

It was impossible for me to let go of all my data and thus, I started looking into ways to recover it.

During the process, I realized that the format of my drive had changed from NTFS to RAW - which was rather strange. Searching through Google on Data Recovery Software, I stumbled upon a neat software called R-Studio. I downloaded its trial version to give it a try.

It took approximately 7 hours for it to scan through my corrupt hard drive - after which I could view all my folder structure & files in the hard drive. You can only preview data or recover upto 64 Kb in the demo version of R-Studio. I tested its recover data tool and was very impressed to see that it managed to recover my data.

I purchased the full version of the software for a worthy price of USD 79.99 - got the license key immediately after making payment and started off recovering my data.

Thanks to R-Studio, I have recovered most of my data - besides some that resided on bad clusters.

Tagged as: , No Comments
   

Calendar

August 2010
M T W T F S S
« Jul    
 1
2345678
9101112131415
16171819202122
23242526272829
3031  

Archives

Categories

My Tutorials

My Websites

Others

Software

Tutorial Sites