Re: disable file uploads

Francis Daly
March 24, 2015 04:38PM
On Wed, Mar 25, 2015 at 09:04:18AM +1300, Steve Holdoway wrote:

Hi there,

> Just had another attack on a drupal site. Should I resort to weird
> ownership / permissions at a system level?

From what I've read in the thread, you seem to have two possible
approaches.

One is "stop the unwanted files from being uploaded". To do that, you
will need to know how the unwanted files are uploaded -- if they don't
go through nginx, no nginx config will block them.

(If they *do* go through nginx, then there may be some correlation
between file modification times and nginx request logs which indicates
what request leads to the files being uploaded.)

Are there ftp or scp or other logs indicating how these files are put
onto your server?

The other is "stop the unwanted files from being served"; but I think
you also indicated that the unwanted files were being actively executed
on your server.

> That just makes it really
> difficult for the client to keep their site current, which is pretty
> counter-productive.

More counter-productive than the reputation damage to running an
exploited server?

You're in damage-control mode. Turn everything off, or make everything
read-only, until you can find out what has happened and can make it right.

Good luck identifying the cause,

f
--
Francis Daly francis@daoine.org

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
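
The correlation between file modification times and nginx request logs suggested above, as an added example that is not part of the original post. It assumes nginx's default `combined` log format; the function names, log lines, addresses and file paths are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# nginx "combined" format: addr - user [time_local] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'(?P<addr>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) '
)

def parse(line):
    m = LINE.match(line)
    if not m:
        return None  # malformed or differently formatted line: skip rather than guess
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def correlate(log_lines, file_mtimes, window=5, methods=("POST", "PUT")):
    """Map each file to body-carrying requests logged within `window` seconds of its mtime."""
    records = [r for r in map(parse, log_lines) if r and r["method"] in methods]
    hits = {}
    for path, mtime in file_mtimes.items():
        lo, hi = mtime - timedelta(seconds=window), mtime + timedelta(seconds=window)
        hits[path] = [(r["addr"], r["method"], r["uri"], r["status"])
                      for r in records if lo <= r["when"] <= hi]
    return hits

NZ = timezone(timedelta(hours=13))
# Constructed access-log lines (documentation address ranges, made-up URIs).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Mar/2015:10:15:02 +1300] "GET /node/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/Mar/2015:10:15:31 +1300] "POST /example-form HTTP/1.1" 200 312 "-" "curl/7.38.0"',
    '192.0.2.10 - - [24/Mar/2015:10:20:00 +1300] "POST /user/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
# Constructed mtimes; on a real host take them from os.stat(path).st_mtime.
SAMPLE_MTIMES = {
    "sites/default/files/constructed-a.php": datetime(2015, 3, 24, 10, 15, 30, tzinfo=NZ),
    "sites/default/files/constructed-b.php": datetime(2015, 3, 24, 3, 0, 0, tzinfo=NZ),
}

if __name__ == "__main__":
    for path, reqs in correlate(SAMPLE_LOG, SAMPLE_MTIMES).items():
        print(path, reqs or "no matching request: check ftp/scp/other logs")
```

A file with no matching request is the case where the upload may not have gone through nginx at all, so the other service logs are the next place to look.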