linux
developer007, 2019-07-11 11:05:19

If they have already uploaded a shell and want to leak my project?

There is a project: a proxy server and a backend on nginx + php-fpm + postgres.
They constantly try to break it; judging by the logs, there are attempts at SQL injection wherever possible, into any input, etc.
There was a vulnerability in the forms that allowed uploading a PHP script and executing it.
The hacker uploaded one and wants to leak the project publicly.
How do you protect yourself from this?
For example, on the backend server itself, initially block all connections except from the nginx proxy and SSH by key (for administration)? Or is that a crazy idea?
How strictly should nginx be configured?
And how do you then CORRECTLY install/start nginx? Usually it's just: sudo apt-get install nginx
Maybe php-fpm itself needs to be run in a special way?


3 answer(s)
dollar, 2019-07-11
@developer007

Shut down nginx, then deal with it calmly: study the new files, logs, databases, etc.
You're not saying that PHP can (has the rights to) modify system files, run arbitrary processes, etc.?

The hacker uploaded one and wants to leak the project publicly.
This is a very strange statement, because this usually happens very quickly. While you are thinking about what to do, the project will already have been dumped. Well, unless of course it's a huge database over a narrow connection. So the hacker will first dump the project, and only then will he want to make it public, lazily corresponding with you or with anyone else.
In the general case, the advice is to immediately cut off everything that can be cut off, and then think. Ideally there should be physical access so you can cut off the Internet. Although, in theory, a malicious script could be so smart that its autonomous actions would be more dangerous than when a hacker controls it remotely, such a script is difficult and expensive to make, so it is rare.

FanatPHP, 2019-07-11
@FanatPHP

A rather strange question, more like paranoia.
This is not an indicator of the resource's popularity among hackers, but routine. Stupid kids from all over the world run mass scans; the logs of any site are full of this stuff.
This is the weirdest part. The shell is already uploaded, and the hacker is sitting and waiting for you to ask a question on Toster?

prostoprofan, 2019-08-02
@prostoprofan

Probably the issue here is not nginx, Apache or anything else, but the fact that the person on the backend had no check for the file extension; this led to the user being able to upload the file and pull down everything his access rights gave him.
You protect yourself from this at least by checking extensions, and renaming files can be done as a bonus (which, by the way, is also important). Then the user will only be able to upload allowed formats. If you need a ready-made solution, GitHub is full of links to such libraries that already have extension filtering (if you don't want to write the code yourself).
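The two defences prostoprofan names (an extension allowlist plus renaming) in working form, as an added example that is not part of the original thread and not code from any library the answer refers to. The upload directory, the size limit and the allowlist contents are assumptions for illustration; the content check with finfo is added on top of the extension check because the extension alone is client-controlled.

```php
<?php
// Added example (not from the original thread): a minimal hardened upload
// handler. Extension allowlist, content check, random rename, and storage
// outside the document root. Paths, limits and the allowlist are assumptions.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';   // assumed: outside the web root, no PHP handler mapped to it
const MAX_BYTES  = 5 * 1024 * 1024;      // assumed limit

// Allowed extension => MIME types finfo is expected to report for that extension.
const ALLOWED = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'pdf'  => ['application/pdf'],
];

/**
 * Validates one entry of $_FILES and moves it into UPLOAD_DIR under a random name.
 * Returns the new basename on success; throws RuntimeException on any failed check.
 */
function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error code ' . (int) ($file['error'] ?? -1));
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Only the temporary file PHP created is trusted as a path; the client's
    // file name is treated as data and never used to build a path.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // 1. Extension allowlist. The last extension decides, so a double extension
    //    ending in a non-allowed suffix is rejected here, and one ending in an
    //    allowed suffix must still pass the content check below.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("extension '$ext' not allowed");
    }

    // 2. Content check: sniff the MIME type from the bytes on disk, not from
    //    $_FILES['type'], which the client sets.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException("content type '$mime' does not match extension '$ext'");
    }

    // 3. Rename: random name + the allowlisted extension, so no user-supplied
    //    name ever reaches the filesystem.
    $newName = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest    = UPLOAD_DIR . '/' . $newName;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the app, never executable
    return $newName;
}

// Usage inside a form handler (field name 'attachment' is assumed):
// try {
//     $stored = storeUpload($_FILES['attachment']);
// } catch (RuntimeException $e) {
//     http_response_code(400);
// }
```

The rename step is what makes the "bonus" in the answer matter: even if a check is bypassed, nothing in the stored name or path came from the request. Pair this with an nginx configuration in which the upload directory is never passed to php-fpm, so a file that slips through is served as static content rather than executed.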
