and of course the php web site code may contain it’s own function to access the system directly, I have written a version of exec that suits my needs and won’t be disabled unless you know the function name. So they could still get in with disabling all the ‘known’ functions. I have tested this out, and with a custom function you can still get in. With code I have written you would have to disable
- proc_open
- fwrite
- fclose
- stream_get_contents
- proc_close
but there are bound to be other methods to achieve this, maybe a full code review is a better option in this case rather than making stabs in the dark as to how the attacker is gaining access