PHP/RFI Sandbox

by Rostislav Skudnov for The Honeynet Project

I suggest creating a sandbox for PHP scripts used by attackers. It will use and extensions to PHP like 'funcall' and 'APD' to create callbacks for functions related to network and filesystem access. Those callbacks will capture all network traffic and changes to files initiated in a given PHP script. Features like chroot() and SuExec will be used to isolate that malicious script from the system. I've made a prototype can be found here: http://dimensio.dc.turkuamk.fi/sandbox/sandboxindex.php