Prevent "shell.php"?

Had someone sign up recently and they uploaded a file called "shell.php". It gave them full interactive shell access, (touch, pico, ls, rm, *) with no logging of their actions.

After killing the account, and so on, I got to wondering how to prevent this. I took a box that isn't yet populated, and used every suggested tweak to secure it (phpsuexec, open_basedir, and so on), and it still doesn't even twitch before running just as before.
Is there any way to prevent scripts like this from working? If not, what to do? I can't have people installing this on systems where I don't allow shell, and I'd rather have them go through channels to ask for this, and have them be accountable for their actions. They apparently would rather not.

Can this be fixed? Suggestions?

 

 

 

 

Top