How can I prevent PHP scripts from accessing files outside of the domain root?

avinash.pudota

Hi,
I have a WordPress site in the public_html folder and another addon domain outside of the public_html folder.

My WordPress site got hacked and the hacker managed to modify files in the addon domain also. The code in the addon domain is very basic PHP which cannot have any security issues to get hacked, so I am sure it was hacked through the main domain.

Is it possible to block a website's scripts from accessing files outside of the root folder?

Thanks.
 

quietFinn

It's probably a "shell backdoor": "A backdoor shell is a malicious piece of code (e.g. PHP, Python, Ruby) that can be uploaded to a site to gain access to files stored on that site. Once it is uploaded, the hacker can use it to edit, delete, or download any files on the site, or upload their own."
 

kssuhesh

I think this is one of the disadvantages of using add-on accounts. Even though the add-on is a separate domain, the username and permissions are the same for both main and addon domains. So normally the hacker has access to addon domains as well. Like main domain /home/user/public_html and addon domain /home/user/addondomain/, both are accessible by the same user.

Since WordPress is the most commonly used CMS, the chances of getting hacked are high, so a better option is to secure the site, keep monitoring it, and update it to the latest version to avoid getting hacked.
 

sparek-3

> Is it possible to block a website's scripts from accessing files outside of the root folder?

You can't. That's the nature of an addon domain. While an addon domain may have a separate DocumentRoot from a primary domain name - it's all still owned by the same Linux server username. Anything that runs as that Linux server username can read/write anything else that is owned by that Linux server username.

> I think this is one of the disadvantages of using add-on accounts. Even though the add-on is a separate domain, the username and permissions are the same for both main and addon domains. So normally the hacker has access to addon domains as well. Like main domain /home/user/public_html and addon domain /home/user/addondomain/, both are accessible by the same user.

Well... that's the cost of doing business as an addon domain.

If Bob has the primary website and Bob decides he wants another website without paying for another hosting account, then Bob can create an addon domain.

Bob is expected to be the caretaker of both the primary website and the addon website. It is Bob's responsibility to keep both websites up-to-date and secure.

However, suppose the scenario is that Bob has the primary website and Joe comes along and wants a website but doesn't want to pay for a hosting account and asks Bob to set up an addon domain. If Bob is relying on Joe to keep his website up-to-date and secure, then Bob's website is at the mercy of Joe's website upkeep. That's really not the intent of addon domains.
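
Added example, not part of any post in this thread and not cPanel tooling: a Python check of the point made above, that document roots owned by the same Linux user sit inside one compromise boundary. The domain names and the temporary directory layout are constructed, and `owner_groups`, `shared_exposure` and `build_constructed_account` are hypothetical helper names.

```python
import os
import stat
import tempfile
from collections import defaultdict


def owner_groups(docroots):
    """Map owning UID -> sorted list of domains whose docroot that UID owns."""
    groups = defaultdict(list)
    for domain, path in docroots.items():
        st = os.stat(path)
        if not stat.S_ISDIR(st.st_mode):
            raise NotADirectoryError(path)
        groups[st.st_uid].append(domain)
    return {uid: sorted(names) for uid, names in groups.items()}


def shared_exposure(docroots):
    """For each domain, list the other domains owned by the same UID.

    A script running as that UID in one docroot can read and write the
    others, so a non-empty list means the sites stand or fall together.
    """
    exposure = {}
    for domains in owner_groups(docroots).values():
        for domain in domains:
            exposure[domain] = [d for d in domains if d != domain]
    return exposure


def build_constructed_account():
    """Constructed layout mirroring the thread: a primary docroot and an
    addon docroot under one home directory, both created by one user."""
    home = tempfile.mkdtemp(prefix="user_home_")
    layout = {
        "primary.example": os.path.join(home, "public_html"),
        "addon.example": os.path.join(home, "addondomain"),
    }
    for path in layout.values():
        os.makedirs(path)
    return layout


if __name__ == "__main__":
    roots = build_constructed_account()
    for domain, others in sorted(shared_exposure(roots).items()):
        print(f"{domain}: same-owner docroots -> {others or 'none'}")
```

On a real server, pass a mapping of each domain to its actual document root; any domain that reports a non-empty list shares its owner with other sites and has to be secured together with them.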