Last updated: 2024-02-23, edited by 888u
To make things easier, many people install a panel directly once they get a VPS or server, such as the commonly used Pagoda (Baota) panel. When we evaluate a VPS, we occasionally install the Pagoda panel to check the installation time, the Pagoda benchmark score, and local file upload and download speeds. Recently, some users reported that visiting sites on their servers redirects to illegal websites. The vendor officially responded to this today. Pagoda panel users should watch for any abnormal behavior.
The following is the original content of the post "[Official Announcement] Regarding the Abnormality of Baota Panel or Nginx" published by Baota BT.CN:
Some users have recently reported being hacked. Our company immediately organized a technical team to follow up and investigate. After 2 days of emergency investigation, no security vulnerabilities have been found in Nginx or the panel, and there have been no large-scale cases of hacking. According to our analysis, the main behavior of this Trojan is to tamper with the Nginx main program in order to alter website response content. So far we have received reports from a total of 10 users whose websites were hacked, all on overseas servers. We will continue to follow up fully and assist users in investigating the Nginx compromise until the source is traced and results are obtained. If your Nginx has been hacked, please contact us and we will follow up and resolve it free of charge. Contact number: 0769-23030556, QQ: 2839983100
Clarification of the misinformation circulating online that the nginxBak file is a Trojan:
The nginxBak file is created when nginx is updated from the panel: the panel automatically backs up the current binary as nginxBak so that it can recover if the update fails. For example, if the previous nginx version was 1.22.0 and you click Update in the panel, nginx is updated to 1.22.1 and a copy of the 1.22.0 main program file is backed up as nginxBak. If the file sizes are inconsistent, it is because of the different installation methods. A quick (prebuilt package) install is generally 5M, while a compiled install is about 10M or more, and the update is a compiled update. The nginxBak file described above is not a Trojan file.
The following are the currently known Trojan characteristics:
Obvious symptom: visiting your own website redirects to other illegal websites. If this occurs, check whether the server matches the following characteristics:
1. When a js file of the target website is accessed in incognito mode, its content contains the keyword _0xd4d9 or _0x2551
2. Panel logs and system logs have been cleared
3. /www/server/nginx/sbin/nginx has been replaced, or the file /www/server/nginx/conf/btwaf/config exists
4. The originally installed nginx is recorded in the /www/server/panel/data/nginx_md5.pl file, which can be compared with the existing file to confirm whether it has been modified (the nginx_md5.pl file records the md5 value of nginx at the last installation. If your website is abnormal, you can open this file and compare it with the md5 of the current /www/server/nginx/sbin/nginx file)
Not sure whether your server matches? You can run the following command to check for yourself. If the command produces any output, the server is abnormal. Please contact us promptly.
curl -sSO http://download.bt.cn/tools/w_check.py && btpython w_check.py && rm -rf w_check.py
In addition, for users whose servers are running normally without any abnormal problems, we offer the following hardening suggestions. If you are worried about the risks of the panel, you can log in to the terminal and execute the bt stop command to stop the panel service (the command to start the service is bt restart). Stopping the panel service will not affect the normal operation of your website.
Secondly, the following measures can be taken in the Pagoda panel to harden the website, panel, and server:
1. Upgrade the panel to the latest version. If it is already the latest version, repair the panel from the homepage. Also enable BasicAuth authentication.
2. Upgrade nginx to the latest sub-version of the current main version number, for example from 1.22.0 to 1.22.1. If it is already the latest version, please uninstall and reinstall it.
3. If the panel or nginx cannot be upgraded for now because of production needs, enable BasicAuth authentication.
4. Where conditions allow, set authorized IPs.
5. The [Enterprise Edition Anti-tamper-Reconstructed Edition] plug-in can effectively prevent the website from being tampered with. It is recommended to enable it and set the root user to be prohibited from modifying files (then release it when needed). In addition, change the nginx key execution directory (/www/server/nginx/sbin)
6. The [Key Directory Reinforcement] function in the [Pagoda System Reinforcement] plug-in can lock the nginx key execution directory (/www/server/nginx/sbin). During normal use there is no modification of this directory. Apart from reinstallation, any other modification can be regarded as tampering, so lock it.
If obvious problems such as planted Trojans or abnormal redirects have already occurred, you can contact me and I will help follow up free of charge. Please note: to save resources and speed up the handling of this problem, only users who already have problems should contact me. You can add my business WeChat or QQ to contact me directly. Users who have no problems can post and leave messages. Thank you for using the Pagoda Panel.
The above is the full text of the post "[Official Announcement] Regarding the Abnormality of Baota Panel or Nginx" released by Baota BT.CN.
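The local checks behind characteristics 1, 3 and 4 in the announcement, written out as an added example (it is not Baota's w_check.py and not code from the announcement). It assumes that nginx_md5.pl contains a single 32-hex-digit MD5 value and that the site's JavaScript file has already been saved locally; the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example (not Baota's w_check.py). Default paths are the ones named in
# the announcement; override them through the environment when testing.
NGINX_BIN=${NGINX_BIN:-/www/server/nginx/sbin/nginx}
MD5_RECORD=${MD5_RECORD:-/www/server/panel/data/nginx_md5.pl}
WAF_CFG=${WAF_CFG:-/www/server/nginx/conf/btwaf/config}

# Characteristic 4: compare the recorded MD5 with the binary on disk.
# Assumption: the record file contains one 32-hex-digit MD5 value.
# Prints ok, modified, or unknown (file missing or no MD5 in the record).
check_nginx_md5() {
    [ -r "$1" ] && [ -r "$2" ] || { echo unknown; return 0; }
    recorded=$(grep -owiE '[0-9a-f]{32}' "$2" | head -n 1 | tr 'A-F' 'a-f')
    [ -n "$recorded" ] || { echo unknown; return 0; }
    current=$(md5sum "$1" | cut -d ' ' -f 1)
    [ "$recorded" = "$current" ] && echo ok || echo modified
}

# Characteristic 3: the presence of the btwaf config file is a listed indicator.
# Prints present or absent.
check_btwaf_config() {
    [ -e "$1" ] && echo present || echo absent
}

# Characteristic 1: look for the two keywords in a locally saved copy of a
# .js file served by the site. Prints flagged, clean, or unknown (unreadable).
check_js_markers() {
    [ -r "$1" ] || { echo unknown; return 0; }
    grep -qE '_0xd4d9|_0x2551' "$1" && echo flagged || echo clean
}

# Run every check; arguments are saved .js files to scan.
run_checks() {
    echo "nginx binary vs recorded MD5: $(check_nginx_md5 "$NGINX_BIN" "$MD5_RECORD")"
    echo "btwaf config file: $(check_btwaf_config "$WAF_CFG")"
    for js in "$@"; do
        echo "js markers in $js: $(check_js_markers "$js")"
    done
}

run_checks "$@"
```

The record file lives on the same server as the binary, so an `ok` result shows consistency with the record rather than proof that the binary is untouched.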