Chiloh Wei

A person trying to understand the world, and to understand themselves

A record of my blog being maliciously reverse-proxied

As someone with a mediocre level of technical expertise, this was the first time I ran into my blog being maliciously "resolved" (someone else's domain pointed at my server) and reverse-proxied. I am recording how I discovered it and the methods I used to handle it.

Discovery of the Malicious Reverse Proxy

Actually, some time ago when searching on Google I had noticed that the website 01868.com carried some of the content I had posted on my blog. At first I didn't pay much attention and assumed it was reposted content. Then, recently, while using GPT-4 to learn Python web scraping, I accidentally discovered that when I crawled my own website, the links on that site were exactly the same as mine except for the main domain.

[Screenshot: crawl results showing identical paths under the other domain, 2023-03-19]

So I consulted GPT4 for advice, and the reply was as follows:

[Screenshot: GPT-4's reply, 2023-03-19]

That gave me a rough strategy and a direction to work in.

Starting to Address the Issue

First, I checked the logs on my server for any malicious code or signs of intrusion, but found none. So I concluded that the other party had simply pointed their domain name at my server's IP address. The final solution was as follows:

  1. Add the following to the Nginx configuration file:

```nginx
## Only allow GET and HEAD request methods
if ($request_method !~ ^(GET|HEAD)$ ) {
    return 444;
}

# Deny illegal Host headers
if ($host !~ ^(chiloh\.cn|www\.chiloh\.cn)$ ) {
    return 444;
}
```
  2. Run `lnmp restart nginx` to restart the Nginx service.

  3. In the /home/wwwroot directory, rename the commonly probed phpmyadmin directory and index.html file:

```shell
mv phpmyadmin [new database backend name]
mv index.html [new homepage file name]
```
  4. Finally, when I accessed the malicious domain 01868 again, requests through it could no longer open any files on my server.

[Screenshot: the malicious domain now fails to load any content, 2023-03-19]

  5. Just in case, I have also prepared other security measures. The worst-case plan is to migrate the service to a new server, deployed not with lnmp but with Docker, which I recently learned.
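The snippet in step 1 relies on an `if` block inside the existing server. A cleaner way to achieve the same effect is to make the Host-header check structural: give nginx a catch-all `default_server` that drops any request whose Host matches none of your own names, so a mirrored domain, a bare IP, or a scanner never reaches the real site at all. The following is an added example written for this post, not configuration from the original post or from lnmp; it assumes the site lives under `/home/wwwroot/chiloh.cn` and is served on port 80, so adjust the paths and names to your own.

```nginx
# Added example (not the original post's config): nginx layout that implements
# the post's two checks and adds a catch-all default server.
# Assumptions: site root /home/wwwroot/chiloh.cn, plain HTTP on port 80.

# Catch-all: any request whose Host header matches no server_name below
# (a mirrored domain, a bare IP, a random scanner) lands here and is dropped.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;   # nginx-specific: close the connection, send nothing
}

# The real site: only the exact hostnames we own match this block.
server {
    listen 80;
    listen [::]:80;
    server_name chiloh.cn www.chiloh.cn;
    root /home/wwwroot/chiloh.cn;

    # Only allow GET and HEAD request methods (same check as the post).
    # Note: this also blocks any legitimate POST, e.g. a comment form.
    if ($request_method !~ ^(GET|HEAD)$ ) {
        return 444;
    }

    # Belt and braces: even if server_name matching is changed later,
    # reject any Host that is not ours (same check as the post).
    if ($host !~ ^(chiloh\.cn|www\.chiloh\.cn)$ ) {
        return 444;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Run `nginx -t` before reloading, then verify from another machine: `curl -sv -H "Host: 01868.com" http://<your-server-ip>/` should end with "Empty reply from server", while `curl -sv http://chiloh.cn/` still serves the page. Two caveats: `if` combined with `return` is one of the few safe uses of `if` in nginx, but it should stay at server level rather than inside `location` blocks; and if you also listen on 443, the catch-all server needs a certificate of its own (a self-signed one is fine) because the TLS handshake happens before nginx can see the Host header.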

Some Digressions

I have always attached great importance to server security. I routinely do things like changing the default ports and restricting which ports are allowed, disabling root login, and setting up a separate user. I can also recommend a script, xiaoyunjie/Shell_Script, which is quite convenient for this.
