Apache: prevent users from browsing the server
A while back I got infected with a nasty script on my site.
I found a file, dir.php, that looked suspicious and it turned out it was somewhat of a multitool for exploring the system.
The thing that bothered me the most was that the "hacker" could browse my entire webserver, read /etc/passwd and lots of other stuff.
Here is a link to a .zip of the script: omg.nu/dir.zip
My anti-virus gave me a warning about a PHP backdoor, just to let you know!
However, I'm wondering: how do I protect myself against this?
Can I chroot every vhost so they can only read their documentroot?
What do big webhosters do to prevent users from using scripts like this and stealing information on the servers?
Thanks for any info on this!