
Engintron and mirrors

This is pretty much the same thing as what I did in a previous post, but with Engintron vs NGINX CP.  I had to do a lot of server updates to get PHP7 running, and the process broke NGINX CP, so I had to switch to Engintron.  NGINX by itself is much more efficient than Apache, and thus far has been plenty to keep the server running even when traffic spikes.  But for special occasions I do like to have a back-up plan in case the system gets overloaded so I have a mirror set and ready to go.

To install Engintron first, follow these steps:

  1. cd /
  2. rm -f engintron.sh
  3. wget --no-check-certificate https://raw.githubusercontent.com/engintron/engintron/master/engintron.sh
  4. bash engintron.sh install

(--no-check-certificate turns off TLS certificate verification for that download; on a server with a current CA bundle it is not needed, and leaving it off means the installer you run is the one GitHub served.)

One thing I found out is that caching is off for dynamic pages by default. To turn it on, go to the Engintron interface in WHM, click "Edit default.conf", and find this code:

 set $CACHE_BYPASS_FOR_DYNAMIC 1;
 set $CACHE_BYPASS_FOR_STATIC 0;

and set it to:

 set $CACHE_BYPASS_FOR_DYNAMIC 0;
 set $CACHE_BYPASS_FOR_STATIC 0;

"bypass_for_dynamic" essentially turns off caching for dynamic pages; if your dynamic pages aren't updated very often, it's best to have caching on. If you have a specific page that cannot be cached, you can turn the bypass back on for just that page with something like this:

 if ($SITE_URI ~* "yourdomain.com/url_to_not_cache") {
    set $CACHE_BYPASS_FOR_DYNAMIC 1;
 }

As before, I'm using the split_clients module to spread traffic to a mirror. The logic here is a bit trickier than in NGINX CP, and I only have one mirror, so the $mirror variable just determines whether or not I'll redirect that user. The code looks essentially like this:

# Hash the client address plus query string; 5% of keys get "y", the rest "n".
# The same client with the same query always lands in the same bucket.
split_clients "${remote_addr}-${query_string}" $mirror {
   5% "y";
   * "n";
}
 
server {
 
   # Tag requests for the main domain so only they can match the redirect below.
   if ($SITE_URI ~* "domain.com") {
      set $mirror "${mirror}maindomain";
   }
   # Direct traffic (no Referer header) is never sent to the mirror.
   if ($http_referer = "") {
      set $mirror "n";
   }
   # Only "y" on the main domain redirects; "n", "ymaindomain"-less subdomain hits stay here.
   if ($mirror = "ymaindomain") {
      return 302 "http://mirror.yourdomain.com/";
   }
 
}

So here split_clients sets the $mirror variable to "y" 5% of the time. Then, if the domain is "domain.com", it sets $mirror to either "ymaindomain" or "nmaindomain", and the http_referer check just stops all direct traffic from being redirected to the mirror. The reason I'm changing the variable is so I don't end up mirroring subdomains, and I could use the same trick to have different mirrors for different subdomains or specific pages.
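To see how that decision chain behaves before putting it in front of real traffic, here is a small simulation of it. This is an added example, not Engintron's or the post's own code: the hash is a reimplementation of the 32-bit MurmurHash2 that nginx's split_clients applies to its key, the bucket arithmetic mirrors how nginx maps cumulative percentages onto the 32-bit hash range, and $SITE_URI is assumed to hold host plus request URI (the page's own usage implies that). The mirror URL and the 5% split come from the page; the sample addresses are constructed. Note that the Referer check keys on a client-supplied header, so it is a traffic-shaping heuristic, not a control.

```python
"""Simulation of the split_clients + if-chain mirror redirect above (added example)."""
import re

# MurmurHash2 constants, as used by nginx's ngx_murmur_hash2() (32-bit, seed 0).
_M = 0x5BD1E995
_MASK = 0xFFFFFFFF


def murmur_hash2(data: bytes) -> int:
    """32-bit MurmurHash2 with seed 0, following nginx's C implementation step for step."""
    h = len(data) & _MASK
    i, n = 0, len(data)
    while n - i >= 4:
        k = int.from_bytes(data[i:i + 4], "little")
        k = (k * _M) & _MASK
        k ^= k >> 24
        k = (k * _M) & _MASK
        h = (h * _M) & _MASK
        h ^= k
        i += 4
    rem = n - i
    if rem == 3:
        h ^= data[i + 2] << 16
    if rem >= 2:
        h ^= data[i + 1] << 8
    if rem >= 1:
        h ^= data[i]
        h = (h * _M) & _MASK
    h ^= h >> 13
    h = (h * _M) & _MASK
    h ^= h >> 15
    return h


def split_clients(key: str, parts):
    """Mimic split_clients: cumulative percentages map onto the 32-bit hash range.

    parts is a list of (percent, value); percent=None stands for the "*" catch-all.
    """
    h = murmur_hash2(key.encode())
    cumulative = 0  # hundredths of a percent, the unit nginx keeps internally
    for percent, value in parts:
        if percent is None:
            return value
        cumulative += int(round(percent * 100))
        if h <= cumulative * 0xFFFFFFFF // 10000:
            return value
    return None  # unreachable when a "*" entry is present


def mirror_decision(remote_addr, query_string, site_uri, referer, main_pattern=r"domain.com"):
    """Return the redirect target or None, following the page's if-chain in order.

    site_uri stands in for Engintron's $SITE_URI (assumed: host plus request URI);
    main_pattern is the regex from `if ($SITE_URI ~* ...)`, unanchored as on the page.
    """
    mirror = split_clients(f"{remote_addr}-{query_string}", [(5, "y"), (None, "n")])
    if re.search(main_pattern, site_uri, re.IGNORECASE):
        mirror += "maindomain"
    if referer == "":          # direct traffic is never redirected
        mirror = "n"
    if mirror == "ymaindomain":
        return "http://mirror.yourdomain.com/"
    return None


def redirect_fraction(site_uri, main_pattern=r"domain.com", samples=20000):
    """Share of constructed visitors (distinct 10.x.y.z addresses, Referer set) that get redirected."""
    hits = 0
    for i in range(samples):
        addr = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        if mirror_decision(addr, "", site_uri, "https://example.org/", main_pattern):
            hits += 1
    return hits / samples


if __name__ == "__main__":
    print("main domain, page's pattern:", redirect_fraction("domain.com/"))
    print("subdomain, page's pattern:  ", redirect_fraction("sub.domain.com/"))
    print("subdomain, anchored pattern:", redirect_fraction("sub.domain.com/", r"^domain\.com/"))
```

Running it shows roughly 5% of visitors with a Referer being redirected on the main domain and none for direct traffic. The third line is the check worth keeping in mind: `~* "domain.com"` is an unanchored substring match, so a host like sub.domain.com also gets the "maindomain" tag; an anchored pattern such as `^domain\.com/` is what actually keeps subdomains off the mirror.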

How to Package cordova app

Just a simple step-by-step reference for packaging a Cordova app:

  1. cd to the directory containing your app in the console
  2. export PATH=$PATH:"/cygdrive/P/Programs/Android/SDK/tools"
    export PATH=$PATH:"/cygdrive/P/Programs/Java/jdk1.8.0_121/bin"
    export PATH=$PATH:"/cygdrive/P/Programs/Android/SDK/build-tools/25.0.1"
    export ANDROID_HOME=/cygdrive/P/Programs/Android/SDK/
    export PATH=${PATH}:$ANDROID_HOME/tools:$ANDROID_HOME/platform-tools
    This is specific to my system; you may not need anything like this.
  3. cordova build --release android
    This creates platforms\android\build\outputs\apk\android-release-unsigned.apk
  4. cd there and copy your keystore into platforms\android\build\outputs\apk
  5. jarsigner -verbose -sigalg SHA1withDSA -digestalg SHA1 -keystore your.keystore android-release-unsigned.apk keystorename
    Sign it with your keystore; you may need to use a different signing method.
  6. zipalign -v 4 android-release-unsigned.apk android-release-signed.apk

All done!

How to clean up a File Inclusion attack

I recently helped a friend clean up an infection on their website. A hacker took advantage of some outdated plugins to sneak malicious code into the site. Following these steps I was able to find all the infected files, fix the vulnerability, and block the attacker's IP.

Find infected files

Hop on the shell and run this command to review all recently added files:

find ~/websitedirectory/ -name "*.php" -type f -ctime -30 | less

That will list all PHP files added or changed on the server in the past 30 days (-ctime matches the inode change time, so edited files and files whose permissions changed show up too).

Also, if you have Webalizer or AWStats available through your host, go through the logs and search for all requested files ending in .php; any core files or files with random strings for names should be reviewed.

Open one of the infected files; it may be including another file they slipped into your account, so track that down and delete it too. Also, try to find something distinctive in the code so you can use it as another way to track down infected files. In the shell, this command will search the contents of all PHP files for SOMETHING:

find ~/websitedirectory/ -name "*.php" -exec grep -l "SOMETHING" {} \;

Make a list of the locations of all the backdoor files the hacker created; we'll be using those later.
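The three checks above (recently changed PHP files, files containing a distinctive string, and files pulled in by an infected file's include) are easy to combine into one triage script. The following is an added example, not the post's own commands: it builds a constructed sample site in a temporary directory (one old clean file, one freshly dropped file with a typical indicator, and one older companion that only the include chase finds) and runs the checks over it. It uses modification time rather than ctime, because a script cannot set ctime for a demo; the indicator patterns are starting points, and the string you found in your own infected file is what you should add.

```python
"""Triage helpers for the file-inclusion cleanup above (added example, not the post's code)."""
import os
import re
import tempfile
import time
from pathlib import Path

# Starting indicators of injected PHP; add the distinctive string from your own infected file.
INDICATORS = [
    r"eval\s*\(\s*base64_decode",
    r"preg_replace\s*\([^,]*/e['\"]",
    r"\b(eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)",
]
# Static include/require targets, so a dropper's companion files can be chased.
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]")


def recent_php_files(root, days=30):
    """Like `find root -name '*.php' -ctime -N`, but on mtime; paths relative to root."""
    cutoff = time.time() - days * 86400
    return sorted(p.relative_to(root).as_posix() for p in Path(root).rglob("*.php")
                  if p.is_file() and p.stat().st_mtime >= cutoff)


def php_files_matching(root, pattern):
    """Like `find ... -exec grep -l PATTERN {} \\;`: PHP files whose contents match the regex."""
    rx = re.compile(pattern)
    return sorted(p.relative_to(root).as_posix() for p in Path(root).rglob("*.php")
                  if p.is_file() and rx.search(p.read_text(errors="replace")))


def included_files(php_file):
    """Static include/require targets named in one file."""
    return INCLUDE_RE.findall(Path(php_file).read_text(errors="replace"))


def suspicious_files(root, days=30):
    """Union of the checks: recent, matching an indicator, or included by a flagged file."""
    root = Path(root)
    flagged = set(recent_php_files(root, days))
    for pat in INDICATORS:
        flagged.update(php_files_matching(root, pat))
    for rel in list(flagged):
        for inc in included_files(root / rel):
            target = (root / rel).parent / inc
            if target.is_file():
                flagged.add(target.resolve().relative_to(root.resolve()).as_posix())
    return sorted(flagged)


def build_sample_tree():
    """Constructed sample site: an old clean file, a fresh dropper, and an old companion."""
    root = Path(tempfile.mkdtemp(prefix="siteroot-"))
    old = time.time() - 400 * 86400
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    os.utime(root / "index.php", (old, old))
    (root / "wp-content" / "uploads").mkdir(parents=True)
    companion = root / "wp-content" / "uploads" / "cfg_loader.php"
    companion.write_text("<?php /* constructed companion, no indicator inside */ ?>\n")
    os.utime(companion, (old, old))
    (root / "wp-content" / "x9k2q.php").write_text(
        "<?php include 'uploads/cfg_loader.php'; eval(base64_decode('PLACEHOLDER')); ?>\n")
    return root


if __name__ == "__main__":
    site = build_sample_tree()
    print("recent:    ", recent_php_files(site))
    print("indicator: ", php_files_matching(site, "base64_decode"))
    print("suspicious:", suspicious_files(site))
```

The companion file is neither recent nor contains an indicator, so only following the include from the dropped file finds it; that is the case the post's "it may be including another file" warning is about, and it is why the list of backdoor files should be built from all three checks rather than the date alone.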

Clean the infection

If possible, delete the entire website and upload a version from before the attack. If you can't delete everything, delete and re-upload as many folders as you can. For any folder you can't delete, take whatever steps you need to fix the infected files; this will vary based on the malicious code.

Prevent further infection

Update all your software and plugins to the latest version; if you're running something out of date, that's likely where they got in. Also, make sure your files all have proper permissions. These lines will set the usual CHMOD values (644 for files, 755 for folders):

find ~/websitedirectory -type f ! -perm 644 -exec chmod 644 {} \;
find ~/websitedirectory -type d ! -perm 755 -exec chmod 755 {} \;

Reset all FTP and CMS account passwords.

And, as an added bonus, use that list of backdoor files to record the attackers' IPs. If you were able to get correct IP addresses from Webalizer or AWStats, you can simply block those; if you're running cPanel, you can block IPs in Security > IP Deny Manager. If those tools didn't record the correct IPs, or you don't have them, you can use the list of backdoor files to capture the hacker's IP instead. Replace the code in those files with something like this:

<?php
// Append one line per hit: time, X-Forwarded-For (client-supplied, may be absent or forged),
// the address the connection actually came from, and which backdoor path was requested.
// Keep the log outside the web root so it is not served to visitors.
$xff  = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '-';
$line = date('Y-m-d H:i:s') . " - $xff - $_SERVER[REMOTE_ADDR] - $_SERVER[SCRIPT_FILENAME]";
file_put_contents('/home/websitedirectory/hackers.log', $line . PHP_EOL, FILE_APPEND);

That will record the IP of anyone who visits those files in a hackers.log file so you can block them and stop them from fishing around in the future.
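Turning hackers.log into a deny list is mostly a matter of deciding which of the two recorded addresses to trust. The script below is an added example, not part of the post: it parses the line format the PHP snippet writes, validates each field as an IP address, and by default blocks only REMOTE_ADDR, since X-Forwarded-For is whatever the client chose to send and is only meaningful when your own reverse proxy sets it. The log lines are constructed, using documentation address ranges.

```python
"""Build a deny list from the hackers.log format written above (added example)."""
import ipaddress

# Constructed sample in the snippet's format: date - X-Forwarded-For - REMOTE_ADDR - script.
SAMPLE_LOG = """\
2017-03-02 11:02:13 - 203.0.113.9 - 198.51.100.4 - /home/websitedirectory/public_html/wp-content/x9k2q.php
2017-03-02 11:05:40 - - - 198.51.100.4 - /home/websitedirectory/public_html/wp-content/x9k2q.php
2017-03-03 07:14:01 - not-an-ip - 192.0.2.77 - /home/websitedirectory/public_html/wp-content/uploads/cfg_loader.php
"""


def parse_hackers_log(text):
    """Split each line on the ' - ' separator; the script path is last and may itself contain dashes."""
    entries = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(" - ", 3)]
        if len(parts) != 4:
            continue  # skip anything not in the expected format
        ts, xff, remote, script = parts
        entries.append({"time": ts, "xff": xff, "remote_addr": remote, "script": script})
    return entries


def deny_list(entries, trust_forwarded_for=False):
    """Unique valid addresses to block, sorted numerically.

    REMOTE_ADDR is the peer of the TCP connection and is always used. X-Forwarded-For is
    client-controlled, so its first hop is added only when you sit behind a proxy you trust.
    """
    ips = set()
    for e in entries:
        candidates = [e["remote_addr"]]
        if trust_forwarded_for:
            candidates.append(e["xff"].split(",")[0].strip())
        for c in candidates:
            try:
                ips.add(str(ipaddress.ip_address(c)))
            except ValueError:
                pass  # '-', empty, or garbage: not an address
    return sorted(ips, key=ipaddress.ip_address)


def hits_per_script(entries):
    """Which backdoor paths are still being requested, and how often."""
    counts = {}
    for e in entries:
        counts[e["script"]] = counts.get(e["script"], 0) + 1
    return counts


if __name__ == "__main__":
    entries = parse_hackers_log(SAMPLE_LOG)
    print("block:", deny_list(entries))
    print("block (trusting XFF):", deny_list(entries, trust_forwarded_for=True))
    print("hits:", hits_per_script(entries))
```

The resulting list is what goes into IP Deny Manager or your firewall; the per-script counts tell you which dropped files are still being probed and should stay as loggers a while longer.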

Hopefully, that’ll do it!

It may not work for every infection, but it did the trick in this case. You'll want to replace ~/websitedirectory and /home/websitedirectory/hackers.log with paths that are relevant to your web server. Good luck!

Send Rails Email from console

I've needed to do this forever, and finally found a Stack Exchange answer with a nice quick way to send mail from the Rails console that works with the version of Rails I'm on.

# Point ActionMailer at an SMTP server for this console session only.
ActionMailer::Base.delivery_method = :smtp
ActionMailer::Base.smtp_settings = {
  address: 'smtp.gmail.com',
  port: 587,
  domain: 'gmail.com',
  authentication: 'plain',
  enable_starttls_auto: true,   # upgrade to TLS before sending credentials
  user_name: 'you@gmail.com',
  password: 'yourpassword'      # better read from ENV than typed into a console history
}
# Build the mail from an existing mailer and send it immediately.
MailNotifier.activation_instructions(@user).deliver