Other


Engintron and mirrors

This is pretty much the same thing as what I did in a previous post, but with Engintron vs NGINX CP.  I had to do a lot of server updates to get PHP7 running, and the process broke NGINX CP, so I had to switch to Engintron.  NGINX by itself is much more efficient than Apache, and thus far has been plenty to keep the server running even when traffic spikes.  But for special occasions I do like to have a back-up plan in case the system gets overloaded so I have a mirror set and ready to go.

To first install Engintron you can follow these instructions:

  1. cd /
  2. rm -f engintron.sh
  3. wget –no-check-certificate https://raw.githubusercontent.com/engintron/engintron/master/engintron.sh
  4. bash engintron.sh install

One thing I found out is caching is not on for dynamic pages by default, in order to turn that on go to the Enigtron interface from WHM, then click on “Edit default.conf” find this code:

1
2
 set $CACHE_BYPASS_FOR_DYNAMIC 1;
 set $CACHE_BYPASS_FOR_STATIC 0;

and set it to:

1
2
 set $CACHE_BYPASS_FOR_DYNAMIC 0;
 set $CACHE_BYPASS_FOR_STATIC 0;

“bypass_for_dynamic” will essentially turn off caching for dynamic pages, if your dynamic pages aren’t being updated very often it’s best to have caching on.  If you have a specific page that cannot by cached you can turn the bypass back on using something like this:

1
2
3
 if ($SITE_URI ~* "yourdomain.com/url_to_not_cache") {
    set $CACHE_BYPASS_FOR_DYNAMIC 1;
 }

Like previously I’m using  the split clients module to spread out traffic to a mirror.  The logic here is a bit more tricky then in NGINX CP and I only have one mirror, so the $mirror variable is just determining whether or not I’ll be redirecting that user.  The code looks essentially like this:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
split_clients "${remote_addr}-{$query_string}" $mirror {
   5% "y";
   * "n";
}
 
server {
 
   if ($SITE_URI ~* "domain.com") {
      set $mirror "${mirror}maindomain";
   }
   if ($http_referer = "") {
      set $mirror "n";
   }
   if ($mirror = "ymaindomain") {
      return 302 "http://mirror.yourdomain.com/";
   }
 
}

So here the split_clients will set the $mirror variable to “y” 5% of the time.  Then, if the domain is “domain.com” it will set the $mirror variable to either “ymaindomain” or “nmaindomain” and the http_referer is just stopping all direct traffic from being redirected to the mirror.  The reason I’m changing the variable is so I don’t end up mirroring subdomains, and I could use that to have different mirrors for different subdomains or specific pages.

Permalink » No comments

How to clean up a File Inclusion attack

I recently helped out a friend clean up an infection from their website.  A hacker took advantage of some outdated plugins to sneak in some malicious code to their website.  Following these steps I was able to find all the infected files, fix the vulnerability, and block the attackers IP.

Find infected files

Hop on the shell, and run this script to review all recently added files:

1
find ~/websitedirectory/ -name "*.php" -type f -ctime -30  | less

That will list all php files added to the server in the past 30 days.

Also, if you have webalizer or awstats available through your host, go through the logs and search for all files ending in php, any core files or files with random strings for names should be reviewed.

Open one of the infected files, it may be including another file they slipped into your account so track that down and delete it.  Also, try to find something particular in the code so you can use it as another method to track down any infected files.  In the shell this code with search the contents of all php files for SOMETHING:

1
find ~/websitedirectory/ -name "*.php" -exec grep -l "SOMETHING" {} \;

Make a list of all the locations of backdoor files that the hacker created, we’ll be using those later.

Clean the infection

If possible, delete the entire website and upload from an earlier version before the attack.  If you can’t delete everything, delete and re-upload as many folders as you can.  And for any folder you can’t delete, take whatever steps you need to fix the infected files, this will vary based on the malicious code.

Prevent further infection

Update all your software and plugins to the latest version, if you’re running something out of date that’s likely where they got in. Also, make sure your files all have the proper permissions, these lines will set the proper CHMOD for all files and folders:

1
2
find ~/websitedirectory -type f ! -perm 644 -exec chmod 644 {} \;
find ~/websitedirectory -type d ! -perm 755 -exec chmod 755 {} \;

Reset all FTP and CMS account passwords.

And, as an added bonus, use that list of backdoor files to record the IP of the attackers.  If you were able to get correct IP addresses from webalizer and awstats then you can simply block those.  If you’re running cpanel you can block IPs in Security > IP Deny Manager.  If they didn’t record the correct IPs or you don’t have those services, you can use that list of backdoor files to capture the hackers IP.  Replace the code in those files with something like this:

1
2
3
<?php
$line = date('Y-m-d H:i:s'). " - $_SERVER[HTTP_X_FORWARDED_FOR] - $_SERVER[REMOTE_ADDR] - $_SERVER[SCRIPT_FILENAME]";
file_put_contents('/home/websitedirectory/hackers.log', $line . PHP_EOL, FILE_APPEND);

That will record the IP of anyone who visits those files in a hackers.log file so you can block them and stop them from fishing around in the future.

Hopefully, that’ll do it!

It may not work in all infections, but it did the trick in this case. You’ll want to replace ~/websitedirectory and /home/websitedirectory/hackers.log with URLs that are relevant to your web server.  Good luck!

Permalink » No comments

Fixing subdomain folders with wildcard cert

This is something I’ve had to do twice now, and it’s not all that hard, but I keep forgetting.  The specific problem is when you have a wildcard security certificate for your domain, but your subdomain just points to the same folder as your primary domain – even though it works correctly when you access it’s insecure version.

I’m sure there are other causes and fixes for this, but I find what I need to do is:

  1. Log into WHM
  2. Search “Install an SSL Certificate on a Domain”
  3. Then hit the “Browser certificates”
  4. Find the correct wildcard certificate and click the “user certificate” button
  5. Under “domain”  change “*.yourdomain.com” to “yoursubdomain.yourdomain.com”
  6. Then hit the install button

And that should be all you need to do!  You can just do this with as many sub-domains as you need.  If you want to check what certificates you have installed, you can search for “Manage SSL Hosts” in WHM and it will tell you there.

Permalink » No comments

How to convert a VirtulBox VM to a bootable drive

This is quite easy so I was surprised that I couldn’t find a walk-through anywhere…so here’s one :)  This is specifically for a VM of Ubuntu, so it’s possible there may be other hurdles in place for different operating systems.

Step 1

Create a VM normally in VirtualBox (or use an existing one), install the operating system, and add any programs or files you want to have readily available on the bootable disk.

Step 2

This is the tricky part, you can use Virtual Box to convert a vdi to an iso, but you have to do it from the terminal.  On my machine it wouldn’t work at all in windows default terminal, but I have Cygwin installed, and was able to use that.  You first need to cd into the directory where Virtual Box is installed, and run the following command.  The folder structure is specific to my machine and will most likely need to be changed on yours.

1
"/cygdrive/p/Programs/VirtualBox/VboxManage.exe" clonehd 'F:/Documents/Virtualbox/Ubuntu_2017/Ubuntu 2017.vdi' 'F:/Documents/Virtualbox/Ubuntu_2017.iso' --format RAW

More simply you need to run something like this:

1
VboxManage.exe clonehd 'vdi_location.vdi' 'where_generated_iso_will_be_location.iso' --format RAW

Step 3

Use rufus to install the ISO as a bootable image on your USB drive

And that’s about all you need to do!  Then you can take a carbon copy of your VM with you wherever you go :)  Great for travelling, which was my need.

How to clone a specific snapshot

Basically you need to switch the VDI location with the UUID of the specific snapshot you want, to get the UUID go to:

File > Virtual Media Manager

Under Hard disks find the VM you want and it will have each snapshot listed under it. Copy and paste the UUID field from the snapshot you want and switch to use this command in Step 2:

1
"/cygdrive/p/Programs/VirtualBox/VboxManage.exe" clonehd UUDI 'F:/Documents/Virtualbox/Ubuntu_2017.iso' --format RAW

More simply you need to run something like this:

1
VboxManage.exe clonehd UUDID 'where_generated_iso_will_be_location.iso' --format RAW

Permalink » No comments

nodejs with cygwin

I keep having to redo this, so I’m copying down the trick from this article here, so I can find in the future.  To get NPM and NodeJS to work in cygwin on windows, you just have the alias them using these commands in your .bash_profile:

1
2
alias npm="/cygdrive/p/Programs/nodejs/npm.cmd"
alias node="/cygdrive/p/Programs/nodejs/node.exe"

Permalink » No comments