Nginx File owner and web users question

Discussion in 'Nginx and PHP-FPM news & discussions' started by sds, Aug 11, 2022.

  1. sds

    sds New Member

    I am in the middle of trying to close a WordPress hack. As such, I'm evaluating users/file owners/permissions. I read this and it seems reasonable. CMM has everything owned by nginx:nginx. This write-up recommends against it and has recommendations for specifying the web user. Why should I not follow this advice? Is it unnecessary?


    NGINX and PHP-FPM. What my permissions should be? - GetPageSpeed
     
  2. eva2000

    eva2000 Administrator Staff Member

    1. Are you able to provide details of the hack and how it came to be?
    2. How was Wordpress installed, and what plugins were used?
    3. Was it on a server you only had access to, or did other admins and site owners have access to it as well?
    and
    1. Is this a hack on a Centmin Mod powered server? If it was, I can offer to log into your server and take a quick look to see if I can find their entry point for you.
    2. Was the Wordpress site created using Centmin Mod's centmin.sh menu option 22 Wordpress auto installer https://community.centminmod.com/th...l-vs-centmin-sh-menu-option-22-install.15435/ or was it a Wordpress installation migrated from a non-Centmin Mod powered server to Centmin Mod?
    3. If it was Centmin Mod centmin.sh option 22 based, the installer would create a wpinfo.sh script at /usr/local/nginx/conf/wpincludes/ which, when run, will provide an output summary of your WordPress install; you can see and provide a list of plugins and themes from that output (not the sensitive info, don't post that publicly), i.e. for a wpce.domain.com created WordPress site
      Code (Text):
      /usr/local/nginx/conf/wpincludes/wpce.domain.com/wpinfo.sh
      WP-CLI 2.6.0
      WP-Home    http://wpce.domain.com
      WP-SiteURL http://wpce.domain.com
      WordPress  version:   6.0
      Database   revision:  51917
      TinyMCE    version:   4.9110  (49110-20201110)
      Package    language:  en_US
      +--------+------------------------------------+--------------+-----------------------------+---------------------+---------------+
      | ID     | user_login                         | display_name | user_email                  | user_registered     | roles         |
      +--------+------------------------------------+--------------+-----------------------------+---------------------+---------------+
      | 173432 | zxiJECpWGdHf0YFeijqCOhIy9Fxtwp4317 | George       | user@domain.com | 2022-06-06 16:33:04 | administrator |
      +--------+------------------------------------+--------------+-----------------------------+---------------------+---------------+
      +----------------------+------------------------------------------------------------------+----------+
      | name                 | value                                                            | type     |
      +----------------------+------------------------------------------------------------------+----------+
      | table_prefix         | 22188_                                                           | variable |
      | WP_CACHE             | 1                                                                | constant |
      | DB_NAME              | wp2529014860db_9123                                              | constant |
      | DB_USER              | wpdb9123u28826                                                   | constant |
      | DB_PASSWORD          | wpdb6n6RDfPwGd5s5NeurQp8095                                      | constant |
      | DB_HOST              | localhost                                                        | constant |
      | DB_CHARSET           | utf8                                                             | constant |
      | DB_COLLATE           |                                                                  | constant |
      | DISABLE_WP_CRON      |                                                                  | constant |
      | WP_AUTO_UPDATE_CORE  | minor                                                            | constant |
      | WP_POST_REVISIONS    | 10                                                               | constant |
      | EMPTY_TRASH_DAYS     | 10                                                               | constant |
      | WP_CRON_LOCK_TIMEOUT | 60                                                               | constant |
      | CONCATENATE_SCRIPTS  |                                                                  | constant |
      | AUTH_KEY             | z/SE4bDs}_vhtw>N}^ejsNa[H#=K{WiM&S j=+X]^)<y=A<pe[;YRekl(qeD+!P| | constant |
      | SECURE_AUTH_KEY      | VJO3LG+.#/^<`UMFp8cbqobj>rom9NA*]KG-[37Hti[z7ju%JCsW_equ{v*)LvV( | constant |
      | LOGGED_IN_KEY        | HYzWiV1$S9s@W@)p]PLUa.x=z)hOZuEb%OtJ0lplI->r>IZUC>AJ=n6f{) ^c|ef | constant |
      | NONCE_KEY            | 9-.v@5pema/~c2rVJsSpvAN1PT>&zr_xi<r#/KqJ5geTbZbM)#Vu==5=Bz1J}=(/ | constant |
      | AUTH_SALT            | ^@3nJcME0SVv@]*!rxZ+.S&RBu%XTV9lPXXZ@nO>;O]H09@^}im~p$s (-XI*@,0 | constant |
      | SECURE_AUTH_SALT     | xk);Hi2K:H=d}]S/8b|qW.GCz}`UF2($Lc;u_~7W_dovXwCZZ;KvpGm(ZETjUOmr | constant |
      | LOGGED_IN_SALT       | B<#CE6`P|U0jk;UL+7Fa$bJA-T=+nrYA(BTk|9Mc4._Rj#eb;:Kc%(,G_8:GWvO` | constant |
      | NONCE_SALT           | tE&1D8Zo9QB%/Eh`q[ukNUiJ!-XV:/]K6Wbl<q+]ypD%1(]j4TrvxQ0<]6`Mm{[? | constant |
      | WP_CACHE_KEY_SALT    | mq`%/-9^Hcy5TMI3z?zBC/RK^GsP uZpo*qpb~k^Jlp 6TN,iL oq8S<hutIbr1< | constant |
      | WP_DEBUG             |                                                                  | constant |
      +----------------------+------------------------------------------------------------------+----------+
      +-------------------------------+----------+--------+---------+
      | name                          | status   | update | version |
      +-------------------------------+----------+--------+---------+
      | akismet                       | inactive | none   | 4.2.4   |
      | autoptimize                   | active   | none   | 3.0.4   |
      | autoptimize-gzip              | active   | none   | 0.1     |
      | block-specific-plugin-updates | active   | none   | 3.2     |
      | cache-enabler                 | active   | none   | 1.4.9   |
      | cdn-enabler                   | active   | none   | 2.0.5   |
      | classic-editor                | active   | none   | 1.6.2   |
      | disable-xml-rpc               | active   | none   | 1.0.1   |
      | sucuri-scanner                | active   | none   | 1.8.30  |
      | advanced-cache.php            | dropin   | none   |         |
      +-------------------------------+----------+--------+---------+
      +-----------------+----------+--------+---------+
      | name            | status   | update | version |
      +-----------------+----------+--------+---------+
      | twentytwenty    | inactive | none   | 2.0     |
      | twentytwentyone | inactive | none   | 1.6     |
      | twentytwentytwo | active   | none   | 1.2     |
      +-----------------+----------+--------+---------+
      
    4. If it was non-Centmin Mod, was it another LEMP stack control panel or your own LEMP setup?
    Some background details might help too
    1. Which version of Centmin Mod are you using? 123.08stable, 123.09beta01, 124.00stable or 130.00beta01?
    2. For the latter 3 versions, you can run this command and share the output for the versions history listed
      Code (Text):
      cminfo versions
    The current answer lies in Centmin Mod's development history as it's a fork of the original Centmin project so the vhost structure originated there - see https://community.centminmod.com/threads/jailed-chrooted-sftp-ssh-user-nginx-vhost-menu.8/ and my history on focusing on performance and scalability of servers for forum community centric users https://community.centminmod.com/threads/history-of-centmin-mod-from-2011.22733/

    So even the FTP user that is created by Centmin Mod isn't an actual Linux user but a Pure-Ftpd virtual FTP user https://community.centminmod.com/th...-sftp-ssh-user-nginx-vhost-menu.8/#post-10139

    It is necessary if you intend to do some form of shared hosting or hosting sites you do not 100% administer or control yourself.

    As it stands, Centmin Mod was never intended for shared hosting as reflected in Centmin Mod’s FAQ item #2 and doesn't create an actual Linux user for each site, so that's why there aren't per-user PHP-FPM pools. To do so would need a total rewrite of Centmin Mod's Nginx vhost creation setup - there are plans for this eventually though as I've tried various ways which I am currently not satisfied with from both my developer end and also with Centmin Mod end users complications/issues in mind - including breaking existing Centmin Mod Nginx vhost setups. So not ruling it out.

    I have experimented with it in looking at chroot/jailed Centmin Mod Nginx sites - see the last experiment which is old at https://community.centminmod.com/th...-sftp-ssh-user-nginx-vhost-menu.8/#post-33453

    But there are performance limitations of doing per-user PHP-FPM pools as they'd have to be run via PHP-FPM Unix sockets. In the article, see that the listen directive uses a Unix socket rather than a TCP listener on a port
    Code (Text):
    listen = /var/run/php-fpm/example.com.sock
    listen.owner = example
    listen.group = example
    listen.mode = 0660
    user = example
    group = example
    

    You can see the difference in scalability for TCP vs Unix sockets for PHP-FPM in benchmarks at https://community.centminmod.com/th...e-vs-webinoly-vs-vestacp-vs-oneinstack.14988/ where OneInStack's PHP-FPM Unix socket implementation fails to scale and results in slower PHP response times in high concurrent user loads in 1,000, 2,000 and 5,000 user concurrency PHP-FPM load tests, with the PHP-FPM Unix socket setup only successfully processing 30-42% of the requests compared to 95-100% of requests for PHP-FPM TCP implementations like on Centmin Mod and other LEMP stacks. What this means is you potentially need much beefier spec hardware for servers running with PHP-FPM Unix sockets to get closer to the PHP-FPM performance of a PHP-FPM TCP based setup.

    Most likely how I'd tackle this is to offer up both Nginx vhost creation methods, the existing PHP-FPM TCP nginx user and new per-user PHP-FPM Unix socket pools, but really to do that you'd need 2 PHP-FPM master/service instances, which also means more PHP-FPM resources consumed (on top of PHP-FPM Unix sockets requiring more hardware resources to scale at the high concurrency end).
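The ownership question in the opening post (PHP-FPM running as the same user that owns the site files) can be checked concretely. This is an added example, not code from the thread or from Centmin Mod: it lists every file under a docroot that the PHP-FPM runtime user could write, judged only from owner, group and mode bits, so you can compare the nginx:nginx layout against a separate-user layout like the one in the linked article. It assumes GNU find (for -printf) and a POSIX shell; the docroot path in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or Centmin Mod: audit which files under a
# WordPress docroot the PHP-FPM runtime user could modify, judged only from
# owner, group and mode bits. On a Centmin Mod vhost the runtime user and group
# are both "nginx" (the nginx:nginx layout from the thread); pass them as arguments.
# Assumes GNU find (for -printf) and a POSIX shell.
#
# Usage: php_writable_files DOCROOT PHP_USER PHP_GROUP
php_writable_files() {
  docroot=$1
  php_user=$2
  php_group=$3
  # One line per regular file: owner group mode(octal, no leading zero) path
  find "$docroot" -type f -printf '%u %g %m %p\n' |
  while read -r owner group mode path; do
    perm=$((0$mode))                 # "644" -> octal 0644
    u_w=$(( (perm >> 7) & 1 ))       # owner write bit
    g_w=$(( (perm >> 4) & 1 ))       # group write bit
    o_w=$(( (perm >> 1) & 1 ))       # other write bit
    if [ "$o_w" -eq 1 ] ||
       { [ "$owner" = "$php_user" ] && [ "$u_w" -eq 1 ]; } ||
       { [ "$group" = "$php_group" ] && [ "$g_w" -eq 1 ]; }; then
      printf '%s\n' "$path"
    fi
  done
}

# Count of such files; a quick way to see whether anything beyond
# wp-content/uploads is writable by the PHP process.
php_writable_count() {
  php_writable_files "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Stand-alone run (placeholder path): php_writable_files /path/to/docroot nginx nginx
if [ "$#" -eq 3 ]; then
  php_writable_files "$1" "$2" "$3"
fi
```

Run it once with the PHP-FPM pool's user/group and once with an unrelated user/group; the difference between the two lists is exactly what separating the file owner from the PHP-FPM runtime user would take away from a compromised PHP process.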
     
  3. sds

    sds New Member

    I apologize for putting this in the wrong place. Please move if you want.

    1. I don't know the attack vector yet. Been fighting this for two months.
    2. WordPress was installed on my own before I moved to CMM. I have multiple sites. Shuttered many of them recently. The plug-ins vary from site to site. My remaining three sites all show penetrations from time to time. So, someone is moving around from directory to directory.
    3. I'm the only admin, except for Matt Services, who does sysadmin for me.

    1. Yes. It is a CMM. I had Matt set this up for me. You are welcome to look around.
    2. No. I set all instances up on my own. I use Genesis themes. Plug-in use is not extensive (I don't think).
    3. N/A
    4. I guess this specific LEMP server was setup fresh by Matt using CMM. I have migrated from different servers over the years. Now with Hivelocity. No control panel.

    1/2:
    1st:
    123.09beta01.b573 #Tue Sep 1 08:28:19 EDT 2020
    ..
    last 10:
    123.09beta01.b573 #Tue Sep 1 08:28:19 EDT 2020
    123.09beta01.b573 #Tue Sep 1 15:16:29 UTC 2020
    123.09beta01.b589 #Fri Sep 18 14:36:47 UTC 2020
    123.09beta01.b608 #Sat Feb 27 08:17:23 UTC 2021
    123.09beta01.b655 #Sat Feb 27 08:25:45 UTC 2021
    123.09beta01.b655 #Sat Feb 27 08:57:54 UTC 2021
    123.09beta01.b655 #Sat Feb 27 09:01:43 UTC 2021
    123.09beta01.b792 #Mon Feb 7 11:40:03 UTC 2022
    123.09beta01.b792 #Mon Feb 7 11:54:03 UTC 2022

    I hope this was helpful.
     
  4. eva2000

    eva2000 Administrator Staff Member

    123.09beta01 is old now, 124.00stable and 130.00beta01 have been released https://community.centminmod.com/threads/centmin-mod-124-00stable-130-00beta01-releases.22673/ though probably not related to your issues.

    If you had installed WordPress on your own on a non-Centmin Mod server prior, then it's also probable you brought along hacked/compromised WordPress instances to the Centmin Mod server. With access, I can do a quick looksy just to see. @sds sent you a private conversation message here as well.