Help! Nginx Vulnerable Remote file inclusion

I really need help here :frowning:

My forum got hacked 3 times, and I detected that the hacker used RFI (Remote
File Inclusion) after I found an avatar image containing PHP shell code
inside it. The weird thing is that when I tried to use RFI on Apache, it
would not run the PHP shell.

You can see here:

http://www.ceriwis.org/rfi.php?hal=ass.jpg <------------ using NGINX, and the PHP shell executed

and

http://ceri.ws/rfi.php?hal=ass.jpg <---------------- using Apache, and the PHP shell was unable to execute

I'm using Nginx 0.8.53 and php-fpm.

I really need a solution to solve my problem, guys. I want to stop the
image from getting executed, like Apache does…
Please give me a solution. Thanks.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,219523,219523#msg-219523

The image file is a JPEG.
You can see the image file here:

http://www.ceriwis.org/ass.jpg

Check out this thread and see if it answers your question:

http://mailman.nginx.org/pipermail/nginx/2011-November/030503.html

It’s not precisely the same, since you have rfi.php?hal=ass.jpg and not
rfi.php/ass.jpg, but it feels like the same bug, and you’re only a
rewrite rule away from having exactly the problem command line.

The short answer is to add this:

 try_files $uri =404;

or this:

 if (!-f $request_filename) { return 404; }

to your PHP configuration in the PHP fastcgi configuration block.

Tim
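
Whether a configuration carries the guard Tim describes can be checked mechanically. The following is an added example, not part of the original thread: a small Python auditor that reports which `fastcgi_pass` location blocks contain either guard. The function names and the sample configuration are constructed for illustration.

```python
import re

# Either guard from the thread rejects a request whose script file does not exist.
GUARDS = [
    re.compile(r"\btry_files\s+\$uri\s+=404\s*;"),
    re.compile(r"\bif\s*\(\s*!-f\s+\$request_filename\s*\)\s*\{\s*return\s+404\s*;\s*\}"),
]
LOCATION = re.compile(r"\blocation\s+([^{};]+?)\s*\{")

def block_body(text, open_brace):
    """Return the text between the brace at open_brace and its matching close."""
    depth = 0
    for i in range(open_brace, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_brace + 1:i]
    raise ValueError("unbalanced braces")

def own_directives(body):
    """Drop nested location blocks so only this block's own directives remain."""
    out, pos = [], 0
    for m in LOCATION.finditer(body):
        if m.start() >= pos:  # skip matches inside an already-removed block
            out.append(body[pos:m.start()])
            pos = m.end() + len(block_body(body, m.end() - 1)) + 1
    return "".join(out) + body[pos:]

def audit_php_locations(conf):
    """Map each location that uses fastcgi_pass to True (guarded) or False."""
    # Simplification: assumes '#' never appears inside a quoted string.
    text = re.sub(r"#[^\n]*", "", conf)
    results = {}
    for m in LOCATION.finditer(text):
        own = own_directives(block_body(text, m.end() - 1))
        if re.search(r"\bfastcgi_pass\b", own):
            results[m.group(1)] = any(g.search(own) for g in GUARDS)
    return results

# Constructed sample modelled on the PHP block posted in this thread.
UNGUARDED = r"""
server {
    location / { index index.php index.html; }
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
    }
}
"""
GUARDED = UNGUARDED.replace("include", "try_files $uri =404;\n        include")
```

A `True` result only shows that requests for nonexistent script paths are rejected; it does not cover a PHP script that itself loads a file named in a query parameter.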

It's not working, man… I added the line you gave and I think you can
still access it.

This is my PHP configuration:

server {
    listen       80;
    server_name  www.ceriwis.org;

    #rewrite ^/(.*) watpedia permanent;
    client_max_body_size 50M;

    #access_log  logs/host.access.log  main;

    location / {
        root   /home/ceriorg/public_html;
        index  index.php index.html;

        location /crwscp {
            auth_basic "Administrator Login";
            auth_basic_user_file /home/htpasswd.txt;
        }

        location ~ ../..php {
            return 403;
        }

        if ($http_user_agent ~* "^.(sharp).") {
            return 403;
        }
    }

    error_page  404              /404.html;
    location = /404.html {
        root   /usr/share/nginx/html;
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        root           public_html;
        include        fastcgi_params;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  HTTPS on;
        fastcgi_param  SCRIPT_FILENAME  /home/ceriorg/public_html$fastcgi_script_name;
        #fastcgi_intercept_errors on;
    }
}

On Sat, 03 Dec 2011 01:36:10 -0500, "escavern" wrote:

Try inserting the following to see if it helps:

    location ~ \.php$ {
        try_files      $uri =404;
        root           public_html;
        include        fastcgi_params;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  HTTPS on;
        fastcgi_param  SCRIPT_FILENAME  /home/ceriorg/public_html$fastcgi_script_name;
        #fastcgi_intercept_errors on;
    }

M.

On 12/2/2011 10:47 PM, escavern wrote:

It's not working, man… I added the line you gave and I think you can
still access it.

Don’t know, then, sorry. Maybe post your log and the php configuration
that you’re using? Someone else will likely need to help from this
point. My post was a shot in the dark because your issue looked so much
like the php fastcgi issue that I linked to.

Tim