I really need help here 
my forum got hacked 3 times, and i detected the hacker use RFI(Remote
file inclusion) after i found an avatar image contain Phpshell code
inside it. and the weird thing is when i tried to use RFI on Apache it
will not run the phpshell,
You can see here:
http://www.ceriwis.org/rfi.php?hal=ass.jpg <------------ using
NGINX and phpshell executed
and
http://ceri.ws/rfi.php?hal=ass.jpg <---------------- using
Apace and phpshell unable to executed
im using Nginx 0.8.53 and php-fpm
I really need solution to solve my problem guys. i want to stop the
image to get executed like Apache doesâŚ
Please give me solution. thanks
Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,219523,219523#msg-219523
the image file is JPEG
you can see the image file here:
http://www.ceriwis.org/ass.jpg
Posted at Nginx Forum:
Check out this thread and see if it answers your question:
http://mailman.nginx.org/pipermail/nginx/2011-November/030503.html
Itâs not precisely the same, since you have rfi.php?hal=ass.jpg and not
rfi.php/ass.jpg, but it feels like the same bug, and youâre only a
rewrite rule away from having exactly the problem command line.
The short answer is to add this:
try_files $uri =404;
or this:
if (!-f $request_filename) { return 404; }
to your PHP configuration in the PHP fastcgi configuration block.
Tim
its not working man⌠i added the line you gave and i think you can
still access it
Posted at Nginx Forum:
This is my PHP configuration :
server {
listen 80;
server_name www.ceriwis.org;
#rewrite ^/(.*) watpedia permanent;
client_max_body_size 50M;
#access_log logs/host.access.log main;
location / {
root /home/ceriorg/public_html;
index index.php index.html;
location /crwscp {
auth_basic âAdministrator Loginâ;
auth_basic_user_file /home/htpasswd.txt;
}
location ~ ../..php {
return 403;
}
if ($http_user_agent ~* â^.(sharp).â) {
return 403;
}
}
error_page 404 /404.html;
location = /404.html {
root /usr/share/nginx/html;
}
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# pass the PHP scripts to FastCGI server listening on
127.0.0.1:9000
#
location ~ .php$ {
root public_html;
include fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param HTTPS on;
fastcgi_param SCRIPT_FILENAME
/home/ceriorg/public_html$fastcgi_script_name;
#fastcgi_intercept_errors on;
}
}
On Sat, 03 Dec 2011 01:36:10 -0500, âescavernâ [email protected]
wrote:
Try inserting the following to see if it helps:
location ~ \.php$ {
try_files $uri =404;
root public_html;
include fastcgi_params;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param HTTPS on;
fastcgi_param SCRIPT_FILENAME
/home/ceriorg/public_html$fastcgi_script_name;
#fastcgi_intercept_errors on;
M.
On 12/2/2011 10:47 PM, escavern wrote:
its not working man⌠i added the line you gave and i think you can
still access it
Donât know, then, sorry. Maybe post your log and the php configuration
that youâre using? Someone else will likely need to help from this
point. My post was a shot in the dark because your issue looked so much
like the php fastcgi issue that I linked to.
Tim