
[Baota Official Announcement] Announcement on rumored Baota Panel or Nginx abnormalities

Source: Baota official forum

Recently, some users reported that their websites had been hijacked by a Trojan (挂马). Our company immediately organized a technical team to follow up and investigate. After two days of emergency investigation, no security vulnerability was found in Nginx or the panel, and no large-scale cases of hijacked websites were found. Analysis shows that the main behaviour of this Trojan is to tamper with the Nginx main program so that it alters the website's response content. So far we have received a total of 10 reports from users whose websites were hijacked, all of them on overseas servers. We continue to make every effort to follow up and assist users in checking whether Nginx has been tampered with, until the source is traced. If your Nginx has been hijacked, please contact us and we will handle it free of charge.

Explanation of the online misinformation that the nginxBak file is a Trojan


The nginxBak file is a backup copy made when nginx is updated through the panel: the panel automatically backs up the previous main program so that it can be restored if the update fails. For example, if the previous nginx version was 1.22.0 and you click update on the panel to upgrade to 1.22.1, the main program file of 1.22.0 is backed up as nginxBak. If the file sizes differ, this is due to different installation methods: a quick-install package is usually about 5M, while a compiled installation is about 10M or more, and panel updates are done by compilation. The nginxBak file described above is not a Trojan.

The following are the currently known characteristics of the Trojan:
Obvious symptom: visiting your own website redirects to another illegal website.
If the above symptom occurs, check whether it matches the following characteristics:
1. Open the js files of the affected website in incognito (private) mode; the content contains the keywords _0xd4d9 or _0x2551
2. The panel log and system log have been cleared
3. /www/server/nginx/sbin/nginx has been replaced, or a /www/server/nginx/conf/btwaf/config file exists
4. The file /www/server/panel/data/nginx_md5.pl, created at installation time, can be compared with the current nginx binary to confirm whether it has been modified (we use nginx_md5.pl to record the md5 value of nginx when it was last installed; if your website is abnormal, open this file and compare the recorded value with the md5 of the current /www/server/nginx/sbin/nginx file)

Not sure whether it matches? You can check it yourself with the following command. If the command produces any output, the server is abnormal; please contact the official team.

curl -sSO http://download.bt.cn/tools/w_check.py && btpython w_check.py && rm -rf w_check.py
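A self-hosted version of the file-based indicator checks listed above (btwaf/config present, nginx binary md5 no longer matching nginx_md5.pl, js containing the _0xd4d9/_0x2551 keywords). This is an added example, not Baota's w_check.py; it assumes nginx_md5.pl contains the install-time md5 hex digest somewhere in its text, and that sites live under /www/wwwroot (both assumptions, not stated on the page). Arguments are a root prefix (empty for the live system) and the web root to scan.

```shell
#!/bin/sh
# Added example: check a Baota server for the three file-based Trojan indicators
# from the announcement. Exit status of the function = number of matches.
check_nginx_indicators() {
  root="${1:-}"                         # prefix, "" on a live server
  webroot="${2:-/www/wwwroot}"          # assumed Baota site directory
  findings=0
  nginx_bin="$root/www/server/nginx/sbin/nginx"
  md5_record="$root/www/server/panel/data/nginx_md5.pl"
  btwaf_cfg="$root/www/server/nginx/conf/btwaf/config"

  # Indicator 3: a btwaf/config file that a clean install does not have.
  if [ -e "$btwaf_cfg" ]; then
    echo "FINDING: unexpected file $btwaf_cfg"
    findings=$((findings + 1))
  fi

  # Indicator 4: the current nginx md5 must appear in the install-time record
  # (assumption: nginx_md5.pl holds the hex digest as text).
  if [ -f "$nginx_bin" ] && [ -f "$md5_record" ]; then
    current=$(md5sum "$nginx_bin" | cut -d' ' -f1)
    if ! grep -q "$current" "$md5_record"; then
      echo "FINDING: $nginx_bin md5 $current is not the recorded install-time md5"
      findings=$((findings + 1))
    fi
  fi

  # Indicator 1: server-side equivalent of viewing the site's js in incognito
  # mode; look for the obfuscator variable names in any .js under the web root.
  if [ -d "$webroot" ]; then
    hits=$(find "$webroot" -type f -name '*.js' \
             -exec grep -lE '_0xd4d9|_0x2551' {} + 2>/dev/null || true)
    if [ -n "$hits" ]; then
      echo "FINDING: js files containing _0xd4d9/_0x2551:"
      echo "$hits"
      findings=$((findings + 1))
    fi
  fi

  echo "indicators matched: $findings"
  return "$findings"
}
```

On a live server run `check_nginx_indicators "" /www/wwwroot`; any non-zero exit status means at least one indicator matched and the box deserves a closer look.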

In addition, for users whose servers are running normally without any abnormality, we offer the following hardening suggestions. If you are worried about the risk of the panel, you can log in to the terminal and run the bt stop command to stop the panel service (bt restart starts it again). Stopping the panel service does not affect the normal operation of your website.

Secondly, the following measures can be taken in the Baota panel to harden the website, panel and server:
1. Upgrade the panel to the latest version. If it is already the latest version, run the panel repair on the home page and enable BasicAuth authentication.
2. Upgrade nginx to the latest minor version of the current main version, for example from 1.22.0 to 1.22.1. If it is already the latest version, uninstall and reinstall it.
3. If the panel or nginx cannot be upgraded for now because of production needs, enable BasicAuth authentication and, where conditions allow, restrict the authorized IP addresses.
5. The [Enterprise Anti-Tamper (Refactored Version)] plug-in can effectively prevent websites from being tampered with. It is recommended to enable it and configure it so that the root user is prohibited from modifying files (release the lock when changes are needed). In addition, lock the nginx key execution directory (/www/server/nginx/sbin).
6. The [Critical Directory Reinforcement] function of the [Baota System Reinforcement] plug-in can lock the nginx critical execution directory (/www/server/nginx/sbin). This directory is not modified during normal use; any modification other than a reload can be regarded as tampering, so lock it.
