PHP base directory

Hello,

It seems that I was hacked! Two nights ago we found some PHP files in a web account (our web account with restricted access).
I do not understand why the PHP file is not limited to the account folder. Unfortunately, safe mode was not activated and the access for the “user” was almost full. From 10.03.12 they executed more than 5441 commands via the web interface. Unfortunately, Virtualmin does not edit the “base directory” option in PHP for the account when activating. Our system is completely compromised: our gamepanel scripts were compromised (the source files), users’ passwords, servers, web databases and backups, everything.

Maybe this exists in the pro version, but if not, my opinion is that you should make something like “Recommendations”, where master admins can see and understand some basic protection rules, and the base directory should be edited by default for that web account. My users don’t have SSH access, and the SSH port is open only for some IPs. I have more than 30 web accounts. Now I have to start checking if some admin accounts were duplicated in their databases.

If any Virtualmin admin wants the files, please PM; I’m not going to attach that idiot file.

Kind regards,
George

Howdy,

Sorry to hear that someone broke into your web app!

We’d encourage you to implement whatever security measures you feel are necessary to protect your users.

Unfortunately, everyone has different ideas as to the best way to do that.

Virtualmin uses the defaults of the distribution that’s installed – and most distributions don’t set open_basedir or safe_mode by default, since they can cause problems with some applications.

You’re welcome to change those though.

Changes to the PHP configuration can be made in $HOME/etc/php.ini for an existing domain, or in /etc/php.ini (in CentOS) or /etc/php5/cgi/php.ini (in Debian/Ubuntu) for all new domains.

Some folks have found the Apache module mod_security to be helpful in preventing some forms of unauthorized access.

Also, I’ve had good luck using this app here for searching for web-based malware:

http://www.rfxn.com/projects/linux-malware-detect/
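An added example, not part of the original thread and not Virtualmin's own code: a POSIX shell audit that reports, for each per-domain `php.ini` at the `$HOME/etc/php.ini` location mentioned above, whether `open_basedir` is unset, confined to that account's home, or lists a path outside it. Assumptions: homes live under one root (default `/home`), the last uncommented assignment in the file is the one in effect, and entries are `:`-separated; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the Virtualmin-style layout the
# reply describes: one php.ini per domain owner at <home>/etc/php.ini.

# Print the open_basedir value: the last uncommented assignment (assumed to be
# the one in effect), minus inline ';' comment, trailing blanks and quotes.
get_open_basedir() {
    sed -n 's/^[[:space:]]*open_basedir[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 |
        sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//; s/^"//; s/"$//'
}

# check_basedir <php.ini> <home>: print UNSET, OK or ESCAPES:<entry>.
check_basedir() {
    base=${2%/}
    value=$(get_open_basedir "$1")
    if [ -z "$value" ]; then echo UNSET; return 1; fi
    result=OK
    old_ifs=$IFS; IFS=:; set -f      # split on ':' (Unix separator), no globbing
    for dir in $value; do
        case "${dir%/}/" in
            */../*)    result="ESCAPES:$dir"; break ;;  # parent-directory hop
            "$base"/*) ;;                               # inside the account
            *)         result="ESCAPES:$dir"; break ;;  # e.g. /, or a sibling home
        esac
    done
    set +f; IFS=$old_ifs
    echo "$result"
    [ "$result" = OK ]
}

# audit_all [homes_root]: one "<file><TAB><verdict>" line per domain php.ini.
audit_all() {
    for ini in "${1:-/home}"/*/etc/php.ini; do
        [ -f "$ini" ] || continue
        printf '%s\t%s\n' "$ini" "$(check_basedir "$ini" "${ini%/etc/php.ini}")"
    done
}

audit_all "$@"
```

The check is strict: shared paths such as a system temp directory are reported as `ESCAPES` so the administrator can decide whether each one is intended.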

Thank you for your answer. We will try your proposed application in order to understand if it can detect the uploaded php file.

Kind regards,

Thank you for the answer. I will also try your proposed application in order to understand whether or not it is going to detect the uploaded PHP script.