Nginx security problem

Hello,

I have been using nginx for one year.

Server info :
2 x 8 core - 16GB (one for the web server and the other for mysql)
OS : linux RH 5
Nginx version : 0.8.x
web application : vbulletin 3.8.4 PL1

I have experienced some security issues in the last month. My server was
under attack with 300Mbit. I don’t know what type of attack it was. But when
I asked my service provider to put my server behind Cisco Guard, the firewall
could handle these attacks.

By the way, my server is located at SoftLayer. So they give this firewall
only for a limited time (only 24 hours) and then you have to ask again to put the
server behind the firewall…

In those days, somebody (one of my forum members) added some files to my
server as attachments. I saw that these files contained viruses. I think
these files were botnet clients. I deleted these forum messages and
attachments. (I think some of my other members downloaded these files. :frowning: )

But at that time my server was up with the help of the Cisco firewall.
And I began to receive HACKING / MALICIOUS ACTIVITY complaint mails from
different locations claiming that my IP address was attacking their
servers.

Below are some log lines that they sent:

#Nov 3 02:00:24 2009 … Nov 3 02:33:14 2009
Scan from xxx.xxx.xxx.xxx affecting at least 65 addresses targeting TCP:1024, TCP:3072.

#Nov 3 01:00:50 2009 … Nov 3 01:59:00 2009
Scan from xxx.xxx.xxx.xxx affecting at least 104 addresses targeting TCP:1024, TCP:3072.

#Nov 3 00:23:25 2009 … Nov 3 00:59:55 2009
Scan from xxx.xxx.xxx.xxx affecting at least 100 addresses targeting TCP:1024, TCP:3072.

#Nov 2 23:00:15 2009 … Nov 2 23:59:58 2009
Scan from xxx.xxx.xxx.xxx affecting at least 54 addresses targeting TCP:1024, TCP:3072.

UIDL Date Source Destination Port Protocole Nombre ASN Pays
4aefcca000000000 2009-11-02 22:52:03 xxx.xxx.xxx.xxx u-bordeaux.fr 3072 tcp 31 11897
4aefcca000000000 2009-11-02 22:40:53 xxx.xxx.xxx.xxx u-bordeaux.fr 1024 tcp 31 11897
4aef69ee00000000 2009-11-02 22:29:11 xxx.xxx.xxx.xxx lmd.ens.fr 3072 tcp 8 11897

#Nov 20 06:00:59 2009 … Nov 20 06:59:51 2009
Scan from xxx.xxx.xxx.xxx affecting at least 58 addresses targeting
TCP:1025, TCP:1057, TCP:1537, TCP:1569,
TCP:16897, TCP:16929, TCP:17409, TCP:17441, TCP:17921, TCP:17953,
TCP:18433, TCP:18465, TCP:18945, TCP:18977, TCP:19457, TCP:19489,
TCP:19969, TCP:2049, TCP:2081, TCP:2561, TCP:2593, TCP:3073, TCP:3105,
TCP:33, TCP:513, TCP:545.

#Nov 20 13:47:47 2009 … Nov 20 13:59:51 2009
Scan from xxx.xxx.xxx.xxx affecting at least 149 addresses targeting
TCP:1, TCP:1025, TCP:1057, TCP:1537, TCP:1569,
TCP:16385, TCP:16417, TCP:16897, TCP:16929, TCP:17409, TCP:17921,
TCP:17953, TCP:18433, TCP:18465, TCP:18945, TCP:18977, TCP:19457,
TCP:19489, TCP:19969, TCP:20001, TCP:2049, TCP:2081, TCP:2561, TCP:3073,
TCP:3105, TCP:33, TCP:3585, TCP:3617, TCP:513, TCP:545.

Event Date Time, Destination IP, IP Protocol, Target Port, Issue Description, Source Port, Event Count
EventRecord: 20 Nov 2009 11:12:36, 67.34.x.x, 6, 16385, Research Pending, 80, 1
EventRecord: 20 Nov 2009 11:12:22, 156.99.x.x, 6, 2561, Research Pending, 80, 1
EventRecord: 20 Nov 2009 11:09:26, 64.128.x.x, 6, 3617, Research Pending, 80, 1
EventRecord: 20 Nov 2009 11:08:47, 83.170.x.x, 6, 16929, Research Pending, 80, 1
EventRecord: 20 Nov 2009 11:07:47, 24.220.x.x, 6, 20001, Research Pending, 80, 1
EventRecord: 20 Nov 2009 11:07:40, 173.15.x.x, 6, 19969, Research Pending, 80, 1
EventRecord: 20 Nov 2009 11:07:40, 173.15.x.x, 6, 19969, Research Pending, 80, 1
EventRecord: 20 Nov 2009 11:06:38, 156.99.x.x, 6, 3585, Research Pending, 80, 1
EventRecord: 20 Nov 2009 11:06:12, 194.85.x.x, 6, 20001, Research Pending, 80, 1
EventRecord: 20 Nov 2009 11:05:43, 194.85.x.x, 6, 16417, Research Pending, 80, 1
EventRecord: 20 Nov 2009 11:05:36, 156.99.x.x, 6, 3617, Research Pending, 80, 1
EventRecord: 20 Nov 2009 11:05:20, 64.128.x.x, 6, 19969, Research Pending, 80, 1
EventRecord: 20 Nov 2009 11:03:37, 84.12.x.x, 6, 3105, Research Pending, 80, 1
EventRecord: 20 Nov 2009 11:02:34, 84.12.x.x, 6, 16897, Research Pending, 80, 1

33:42.1 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.68, 1537, sbg.fmew.com -
47:31.9 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.71, 2561, mac.fmew.com -
49:40.6 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.5, 1, fmewservices.fmew.com -
51:56.5 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.27, 2593 -
53:23.7 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.37, 18433, jma.fmew.com -
54:37.5 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.42, 17953, mjt.fmew.com -
55:41.4 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.46, 16385, emp.fmew.com -
56:51.6 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.86, 16417 -
57:59.0 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.94, 18977 -
59:21.5 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.21, 1057 -
03:50.4 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.104, 2049 -
04:56.8 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.36, 1057 -
06:13.6 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.79, 16897 -
07:19.8 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.33, 1025 -
10:27.5 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.116, 3585 -
11:34.2 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.126, 17953 -
12:34.7 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.16, 16929 -
13:50.4 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.99, 19457 -
14:57.8 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.110, 545 -
16:15.6 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.13, 20001 -
17:17.1 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.27, 18465 -
20:41.4 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.77, 17409 -
21:52.4 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.81, 17953 -
24:24.6 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.92, 17441 -
29:41.8 TCP checksum error - xxx.xxx.xxx.xxx, 500, WAN - 67.151.154.44, 20001 -

The following is a list of types of activity that may appear in this
report:
BEAGLE BEAGLE3 BLASTER BOTNETS BOTS BRUTEFORCE
DAMEWARE DEFACEMENT DIPNET DNSBOTS MALWAREURL MYDOOM
NACHI PHATBOT PHISHING ROUTERS SCAN445 SCANNERS
SINIT SLAMMER SPAM SPYBOT TOXBOT

etc. …

Tens of mails like this were sent to me and to the SoftLayer abuse department.

And SoftLayer asked me to stop this activity or they would stop my server.
And I checked my server with known security, system auditing and
rootkit scanning tools: Rootkit Hunter, Lynis and chkrootkit.

Nothing found.

Also a third-party management company audited my server and gave me a report
that my server is clean, and did hardening on my server. But they advised
me to switch back to Apache (because they have no experience with nginx).

After that I received complaint mails again.

So, 3 days ago I made an OS reload, set up a clean system and switched
back to Apache, and the complaint mails stopped for 3 days.

But Apache couldn’t handle the requests. My server load is very high, over
100, sometimes over 300…
I lose my Google indexes, and my members complain about the unreachable
site.

I want to switch back to nginx. But SoftLayer warned me that if they
receive this kind of abuse mail they will cut my server’s activities.

Have you ever experienced this kind of situation? What do you
advise me? (sorry for my English)

Best regards

Posted at Nginx Forum:

Might have more luck asking on webhostingtalk.com for security stuff.

Posted at Nginx Forum:

I use vbulletin.
You are right, maybe one of the vbulletin add-ons has a security hole
etc.

Now I have installed nginx again and I use Apache for dynamic pages,
and wait a lot…

Thanks very much for your responses.

Posted at Nginx Forum:

Using apache for anything you don’t need to, if nginx will do it for
you, is a waste of resources and complicates your setup.

I only use apache for mod_dav_svn and cgi, of which I am trying to
minimize the impact by getting mailman ported to php :slight_smile:

Sent from my iPhone

-------- Original Message --------

Date: Thu, 3 Dec 2009 12:37:17 -0800
From: Michael S. [email protected]
To: “[email protected][email protected]
CC: “[email protected][email protected]
Subject: Re: Nginx security problem

Using apache for anything you don’t need to, if nginx will do it for
you, is a waste of resources and complicates your setup.

I only use apache for mod_dav_svn and cgi, of which I am trying to
minimize the impact by getting mailman ported to php :slight_smile:

What? Because of mailman you run Apache? Well… I run mailman 2.1.12
here on top of nginx 0.8.29 without any issues. No Apache involved in
any way. I don’t see any reason to use Apache for mailman.


nginx mailing list
[email protected]
nginx Info Page



-------- Original Message --------

Date: Thu, 3 Dec 2009 04:22:22 -0500
From: “egerci” [email protected]
To: [email protected]
Subject: Nginx security problem


I want to switch back to nginx. But SoftLayer warned me that if they
receive this kind of abuse mail they will cut my server’s activities.

Have you ever experienced this kind of situation? What do you
advise me? (sorry for my English)

Fix your application (vbulletin). If you can’t do that then go back to
your Apache setup and use something like mod_security
(http://www.modsecurity.org/) with it or any other WAF. Harden your PHP,
since it seems that all your attacks were introduced by something
tunneled over vbulletin (which is PHP) into your system and then
executed/triggered from/by within PHP. I would say that one of your
users has uploaded some kind of scanning toolkit to your server and is then
misusing your server to scan other systems. Don’t allow the user that is
running PHP to execute tools that a normal PHP setup does not need. Nail
down your file system (for example: mount your temporary directories
with “noexec” and do the same for your upload directory, etc). Use
something like SELinux / RBAC / grsecurity / etc to prevent your PHP
interpreter from going wild. Add an IDS / NIDS / PIDS / etc and act as soon
as possible if something strange is going on. Use something like
Fail2Ban to parse logs and act on significant issues. Use something like
PSAD to prevent idiots from scanning your system. Use a firewall / IPtables /
etc to prevent your system from making strange connections to the outside
world. If you are not familiar with IPtables then use something like
Shorewall and install it on your system, and don’t just check inbound but
do check outbound as well. Close every port or application on
your system that is not needed. Double secure your logins from external (don’t allow root
to log into ssh, use AllowGroups/AllowUsers to limit who can log in, use an
unprivileged user to log into ssh and su to root, etc). If you are still
staying on Apache then use something like mod_evasive to prevent one
single system from outside bringing your Apache down. If you are still
staying on Apache then use something recent that is not such a big
security issue as the older Apache versions (look up the term
“Slowloris” if you need a good example of what I mean). etc, etc, etc…
Just do the normal things every good sysadmin/hoster would do. I am
pretty sure that nginx is not your problem. But I understand if you say
that with Apache you don’t have those issues. It’s normal human behavior
to think in pictures (I have problems with my page. Hmmm… I use
nginx. Hmmm. Format system, install fresh OS, install Apache. Hmm… No
problem so far. Okay! I got it! It’s nginx.) instead of taking the time
to understand what the problem is and THINK about the problem and solution.
But hey! It’s your install. If you think that it is nginx then it MUST
be nginx. I would not be surprised if in some days you would come back
here and tell us the same story has happened with Apache as HTTPD.

Oh! And one last piece of advice: Do not trust anybody! If a security company is
telling you that YOUR system is secure then fine and dandy, but it’s you
that needs to guarantee and understand the security of your system. Not
anyone else. You need to UNDERSTAND what is going on with your system
and YOU need to KNOW that and why your system is secure. Someone
telling you that it is secure is not going to take away that responsibility
from you. A drug dealer will always ensure that what you buy from him is
100% risk free and and and… but it’s you that is going to consume that
stuff and it’s you that is risking dying. Not him. So don’t just
blindly trust. Turn on the gears in your head and THINK and ACT, but
don’t just follow blindly. You are not a sheep!

Best regards

Posted at Nginx Forum:
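The “noexec” advice in Steve’s post is something you can verify rather than assume. The script below is an added example, not code from Steve’s post or from any project mentioned in this thread: it reads a /proc/mounts-style table, finds the mount a directory actually lives on (longest matching mount point, the way the kernel resolves it), and reports which of nodev, nosuid and noexec are missing. The mount table is a constructed sample, and the directories /tmp/php-upload and /srv/www/uploads are assumed paths.

```shell
#!/bin/sh
# Added example (not from the thread): report which of nodev,nosuid,noexec are
# missing on the filesystem that a PHP temporary/upload directory lives on.

# mount_opts_for PATH MOUNTS_FILE
# Prints the mount options of the longest mount point that is a prefix of PATH,
# i.e. the filesystem PATH is actually on. MOUNTS_FILE is in /proc/mounts format.
mount_opts_for() {
    path="$1"; mounts="$2"; best=""; bestopts=""
    while read -r dev mnt fstype opts rest; do
        case "$mnt" in
            /) match=1 ;;                       # the root mount matches every path
            *) case "$path" in
                   "$mnt"|"$mnt"/*) match=1 ;;  # exact mount point or something below it
                   *) match=0 ;;
               esac ;;
        esac
        # keep the deepest (longest) matching mount point
        if [ "$match" -eq 1 ] && [ "${#mnt}" -gt "${#best}" ]; then
            best="$mnt"; bestopts="$opts"
        fi
    done < "$mounts"
    printf '%s\n' "$bestopts"
}

# missing_mount_opts PATH MOUNTS_FILE
# Prints a comma-separated list of the hardening options that are absent;
# empty output means nodev, nosuid and noexec are all set.
missing_mount_opts() {
    opts=$(mount_opts_for "$1" "$2")
    missing=""
    for want in nodev nosuid noexec; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing${missing:+,}$want" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# Constructed sample mount table: /tmp has its own hardened partition,
# /srv/www (where an upload directory would commonly be put) does not.
MOUNTS=$(mktemp)
cat > "$MOUNTS" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /tmp ext3 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /srv/www ext3 rw,relatime 0 0
EOF

# Demo run over the two assumed directories (on a real host pass /proc/mounts instead).
for dir in /tmp/php-upload /srv/www/uploads; do
    missing=$(missing_mount_opts "$dir" "$MOUNTS")
    if [ -z "$missing" ]; then
        echo "$dir: OK (nodev,nosuid,noexec)"
    else
        echo "$dir: missing $missing"
    fi
done
```

On a live system call `missing_mount_opts /path/to/upload /proc/mounts`; a result of `nodev,nosuid,noexec` for an upload directory usually means it fell through to the root filesystem, which is exactly the situation the post warns against. Mount points containing spaces appear escaped (\040) in /proc/mounts and would need unescaping before comparison.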

On Thu, Dec 3, 2009 at 3:03 PM, Steve [email protected] wrote:

What? Because of mailman you run Apache? Well… I do run mailman 2.1.12 here on top of nginx 0.8.29 without any issues. No Apache involved in any way. I don’t see any reason to use Apache for mailman.

yeah - CGI-based stuff i run apache behind nginx for those couple
things. i always have nginx on the frontend.

how do you run mailman directly?

Sergej Kandyla Wrote:

Nginx is just a fast and simple web server, created
with security in mind.

A server management company hardened PHP and the system files.

Yes, as I told before, my server was behind the Cisco Guard firewall and I use
the CSF firewall.

No, I use Red Hat Linux 5.

I disabled Apache completely and for PHP I use php-fpm.

Posted at Nginx Forum:

:))))
No, after switching back to Apache I don’t receive any complaints.

You are right, my server is often unreachable! Maybe because of this the
attackers also couldn’t reach the server :slight_smile:

So nobody has faced this kind of issue and I have to go back to nginx.

Posted at Nginx Forum:

Steve Wrote:

Thanks very much for your advice.
I have switched back to the last stable version, nginx 0.7.64.
Do you suggest I use the 0.8.** version?

I am not a system specialist. I will follow your advice step by step.
But first I have to check them, because I am not sure whether it is possible to
install these applications on my side.

Thank you again for your suggestions.

from him is 100% risk free and and and… but it’s you that is going to consume that stuff and it’s you that is risking to die. Not him. So don’t just blindly trust. Turn on the gears in your head and THINK and ACT but don’t just follow blindly. You are not a sheep!

Sure I am not.
SoftLayer forced me to use one of the 6 server management companies
that are trusted and certified by SoftLayer, or close my network.
They told me “If they report that your server is clean it is ok”. So I
had to go to one of them.

Never mind, I closed my relationship with the Server Management Company and reinstalled
nginx. And I look ahead.

Best regards


Posted at Nginx Forum:

yes
Because of this I switched back to apache.
Now I am unhappy with apache because it can’t handle requests.

Posted at Nginx Forum:

mike Wrote:

seem to be equipped to, or they will shut him off. It’s not worth the overhead they have to take on to have people who don’t know how to manage their own servers.

Yes, it happened as you said. They asked me to hire someone they trust.

And then the third-party company made a report about my server: it is
clean.

And in their report they hardened and optimized my apache and mysql
server???
On that server there is no apache and no mysql server.
I had already used tools like rootkit tools, csf firewall etc.
They re-installed these tools and attached the tools’ results to their
report. (I had used the latest version but they didn’t)

I had already done these steps.

I have used SoftLayer for years and I am also happy with them.

The problem is giving trust/a certificate to a company that behaves or takes
action like me!
This shows SL’s understanding of security.

But it is not the topic…

As you see, I am still working with SoftLayer, but not with the SMC.

FYI: I run 0.8.x. I run the latest possible version Igor puts out whenever I have time to update.

As someone once told me, “Igor’s betas are more stable than most people’s stable versions” and I would have to agree.

Thanks for your comment. Up to now I have used the latest beta versions. I
have heard something like that sentence before.
But this time I decided to use the stable version. Maybe later I will
upgrade…



Jim O. Wrote:

I would agree. Softlayer is an excellent host which I have used on and off over the years for different needs. I think this is their reaction to a customer for whom they cannot provide hand holding services.

Yes, you are right. SL is an excellent host. Because of this I am still a
customer of SL.
But when I asked them about my attack, they just replied that it is
not their job, please hire a third-party management company.

As I said above, it is not the topic.

Thank you all

Posted at Nginx Forum:

-------- Original Message --------

Date: Sat, 5 Dec 2009 19:30:27 -0500
From: “egerci” [email protected]
To: [email protected]
Subject: Re: Nginx security problem


Since your attack vector does not seem to be the HTTPD I would suggest
that you first start to harden your PHP installation. You said that an
external company has hardened your PHP installation. Could you post your
PHP configuration here? Or post a link to it?

The basic hardening stuff from PHP is not that hard. A small guide
scratching the most important things can be found here:
http://www.madirish.net/?article=229

A well configured PHP and additionally something like Suhosin
(Suhosin Archives - Hardened-PHP) could be a good starting point.
Have a look at the configuration options →
Configuration - Hardened-PHP ← and install it
if you can. Enable the simulation mode for some days
(“suhosin.simulation=On”) and look closely at the logs to identify
potential problems and solve them before activating Suhosin. Activate
at least the basic stuff (your distro should already distribute a pre-made
configuration that you should use):
suhosin.simulation=On
suhosin.session.encrypt=Off
suhosin.log.syslog=511
suhosin.executor.include.max_traversal=4
suhosin.executor.disable_eval=On
suhosin.executor.disable_emodifier=On
suhosin.mail.protect=2
suhosin.sql.bailout_on_error=On

For PHP you should disable some dangerous functions. Please look up the
documentation about each of them before disabling them. In your case I
would at least close down the following ones:
disable_functions = “exec, passthru, pclose, popen, readfile,
shell_exec, show_source, system, virtual”

If you are ultra paranoid then consider adding more of those functions
that are well known to be used in malicious ways (beside the one
mentioned already above)(and again here: please read in the
documentation what they do before you disable them):
apache_child_terminate
apache_setenv
define_syslog_variables
escapeshellarg
escapeshellcmd
eval
fp
fput
ftp_connect
ftp_exec
ftp_get
ftp_login
ftp_nb_fput
ftp_put
ftp_raw
ftp_rawlist
highlight_file
ini_alter
ini_restore
inject_code
mysql_pconnect
openlog
phpAds_XmlRpc
phpAds_remoteInfo
phpAds_xmlrpcDecode
phpAds_xmlrpcEncode
posix_getpwuid
posix_kill
posix_mkfifo
posix_setpgid
posix_setsid
posix_setuid
posix_uname
proc_close
proc_get_status
proc_nice
proc_open
proc_terminate
syslog
xmlrpc_entity_decode

If you don’t need to include/read external files then close down that
functionality in PHP:
allow_url_fopen = Off
allow_url_include = Off

If you don’t need upload functions then disable it:
file_uploads = Off

If you need upload functions then at least put the temporary directory
for the upload into a partition that you have mounted with
“nodev,nosuid,noexec”:
upload_tmp_dir = /path/to/php/upload

I would as well limit the include path to be inside your web root:
open_basedir = /path/to/web/root

You probably use something like FCGI to run your PHP. Try chrooting your
PHP and/or try to run it with limited uid/gid.

Implementing at least a bunch of those options should already make it
much harder to exploit your setup. Read again: Harder! Not impossible!


Posted at Nginx Forum:


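The php.ini directives in Steve’s post above are easy to audit mechanically, which is useful when a third party claims to have “hardened PHP” for you. The script below is an added example, not code from the post, from PHP or from Suhosin: it reads the effective value of each directive from a php.ini-style file (last uncommented assignment wins, as in php.ini itself) and reports every departure from the baseline given above, namely the nine disable_functions entries, allow_url_fopen and allow_url_include set to Off, and open_basedir and upload_tmp_dir being set at all. The two ini files it creates are constructed samples, and the paths in them are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a php.ini against the hardening
# baseline recommended in the post above.

# The functions the post says to put in disable_functions at minimum.
REQUIRED_DISABLED="exec passthru pclose popen readfile shell_exec show_source system virtual"

# php_ini_get FILE KEY
# Prints the effective value of KEY: the last uncommented "KEY = value" line,
# with surrounding quotes removed. Prints nothing if KEY is not set.
php_ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '"' | tr -d "'"
}

# audit_php_ini FILE
# Prints one line per finding; prints nothing for a file that meets the baseline.
audit_php_ini() {
    ini="$1"

    # every required function must appear in disable_functions
    disabled=$(php_ini_get "$ini" disable_functions | tr ',' ' ')
    for fn in $REQUIRED_DISABLED; do
        case " $disabled " in
            *" $fn "*) ;;
            *) echo "disable_functions is missing $fn" ;;
        esac
    done

    # remote file access must be switched off
    for key in allow_url_fopen allow_url_include; do
        val=$(php_ini_get "$ini" "$key")
        case "$val" in
            [Oo]ff|0) ;;
            *) echo "$key should be Off (is '${val:-unset}')" ;;
        esac
    done

    # include path and upload scratch directory must be pinned down
    [ -n "$(php_ini_get "$ini" open_basedir)" ] || echo "open_basedir is not set"
    [ -n "$(php_ini_get "$ini" upload_tmp_dir)" ] || echo "upload_tmp_dir is not set (put it on a nodev,nosuid,noexec mount)"
    return 0
}

# count_php_findings FILE -> number of findings (0 means the baseline is met)
count_php_findings() {
    audit_php_ini "$1" | wc -l | tr -d ' '
}

# Constructed sample: a stock-looking php.ini with no hardening at all.
WEAK_INI=$(mktemp)
cat > "$WEAK_INI" <<'EOF'
; constructed sample - nothing hardened
disable_functions =
allow_url_fopen = On
allow_url_include = On
file_uploads = On
EOF

# Constructed sample: the same file after applying the post's recommendations
# (the two paths are assumptions for the demo).
HARD_INI=$(mktemp)
cat > "$HARD_INI" <<'EOF'
; constructed sample - hardened as recommended
disable_functions = "exec, passthru, pclose, popen, readfile, shell_exec, show_source, system, virtual"
allow_url_fopen = Off
allow_url_include = Off
file_uploads = On
upload_tmp_dir = /srv/php-upload
open_basedir = /srv/www
EOF

echo "== weak php.ini: $(count_php_findings "$WEAK_INI") finding(s)"
audit_php_ini "$WEAK_INI"
echo "== hardened php.ini: $(count_php_findings "$HARD_INI") finding(s)"
audit_php_ini "$HARD_INI"
```

Run it against the real file with `audit_php_ini /etc/php.ini` (or whichever file `php --ini` reports as loaded); the script checks the file only, so a directive overridden in a per-pool php-fpm configuration or in `.user.ini` would not be seen, and whether upload_tmp_dir really sits on a noexec mount still has to be checked against the mount table.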

On Sat, Dec 5, 2009 at 4:30 PM, egerci [email protected] wrote:

The problem is giving  trust/certificate to company that behave or take action like me!
This show SL’s understanding of Security.

who would you believe more:

a) your friend of 3 years
b) someone off the street

you’re the one who originally got exploited. why would they trust you
more than someone who they’ve certified/authorized to be a server
administration consultant? :slight_smile:

forgive me if you already mentioned this, but is this a shared hosting
server (do you have multiple clients on it) or is it just yourself?

if it is yourself, i wouldn’t bother with all the locking down of php
using disable_functions and such.

i would examine the code for exploits. hire someone to do it for you.
you probably have a lot of holes, it’s very easy in php. one of my
clients back when i used to do virtual hosting kept getting exploited
over and over. one of them racked up a $2000 bandwidth bill because
the exploit downloaded an XDCC bot sending out pirated movies on IRC.
i was able to talk the provider down some and collect some money from
the kid but i never got it all back. i’m so glad i’m out of that game
now.

i am not sure that suhosin nor php’s safe mode or disable_functions
behavior would have fixed that either. i don’t think i had suhosin in
the mix back then, nowadays i run a suhosin patched php and the
suhosin module too. although i am not sure they help; they wind up
being so restrictive i have to set a bunch of high boundaries so
common things work properly.

egerci wrote:

So, 3 days ago I made an OS reload, set up a clean system and switched back to Apache, and the complaint mails stopped for 3 days.

But Apache couldn’t handle the requests. My server load is very high, over 100, sometimes over 300…
I lose my Google indexes, and my members complain about the unreachable site.

I want to switch back to nginx. But SoftLayer warned me that if they receive this kind of abuse mail they will cut my server’s activities.

Have you ever experienced this kind of situation? What do you advise me? (sorry for my English)

It’s not nginx’s problem.
Do you have PHP security settings
like disable_functions, allow_url_fopen, open_basedir?
Do you have a firewall on your server?
Do you use SELinux?
Also nginx + apache + mod_php + mod_security is a good enough scheme.

Nginx is just a fast and simple web server, created with security in mind.

A server management company hardened PHP and the system files.

After your server was already compromised.

Like Sergej said, this isn’t really nginx’s issue.

Best regards,
Piotr S. < [email protected] >

On Thu, 2009-12-03 at 12:31 -0500, egerci wrote:

yes
Because of this I switched back to apache.
Now I am unhappy with apache because it can’t handle requests.

So you now have the same security issues and poor performance. Is it
your hope to get hacked slower?

Cliff

On Thu, Dec 03, 2009 at 12:37:17PM -0800, Michael S. wrote:

Using apache for anything if you don’t need to if nginx will do it for
you is a waste of resources and complicates your setup.

I only use apache for mod_dav_svn, and cgi. Of which I am trying to
minimize that impact by getting mailman ported to php :slight_smile:

CGI at mailman.nginx.org Mailing Lists is run by mini_httpd.


Igor S.
http://sysoev.ru/en/

On Thu, 2009-12-03 at 13:22 -0500, egerci wrote:

:))))
No , after switched back to apache I don’t receive any complaint

Actually my belief is after you reinstalled the server you didn’t
receive any complaints. That is, you removed whatever malware was
installed, but because you also switched to Apache at the same time, you
conflated the two variables. Reinstallation of the OS is almost
certainly what fixed your issue, not Apache.

Most likely your security concerns lie within whatever web application
you are serving.

Regards,
Cliff

Yah. I tried thttpd but it crashed on me randomly. Apache is stable.
Works good enough. And the machines I use it on have more than enough
resources.

It’d be nice if nginx could do cgi :stuck_out_tongue: I have to support mailman and
bugzilla. Both seem archaic. One reason I am actually starting a php
mailman replacement since there are literally only 3-4 mail list
managers out there. None are simple to use or configure either. If
anyone wants to help contribute to this effort… Email me off list.
I’m hiring a coder to do it for me. Then I will open source it like
wordpress and such.

Sent from my iPhone