et.fz
May 29, 2023, 12:26pm
1
Hi,
New to Hestia. I noticed that if I suspend a domain, certain pages return a 404 page instead of the suspended page. I suspect this is not the intended behavior.
On a site containing the following files in the document root:
index.php
info.html
info.php
I get the following results:
http://example.com → Suspended
http://example.com/index.html → Suspended
http://example.com/index.php → 404
http://example.com/info.html → Suspended
http://example.com/info.php → 404
Same results if I use an index.html instead of index.php.
HestiaCP v1.7.7 with Apache, nginx and PHP-FPM. Debian 11.7.
eris
May 29, 2023, 1:28pm
2
It probably tries to run the PHP code as PHP even if it doesn’t really exist…
If a website is compromised a hacker can force the execution of PHP simply by generating visits from a botnet.
We can’t defend ourselves by suspending the website.
et.fz
May 31, 2023, 6:48am
4
So, is this the intended behaviour or no? Would a bug report be in order? If I suspend a site I would expect it to indicate such regardless of path. I am not necessarily looking to defend against attacks.
eris
May 31, 2023, 8:51am
5
opened 01:50PM - 24 Jun 22 UTC
bug
web
### Describe the bug
If you suspend a web domain, some urls are still visible in… wordpress.
Several wordpresses have been hacked and I am getting traffic from semrush with queries such as:
```shell
cat /var/log/apache2/domains/mydomain.com.log
185.191.171.2 - - [23/Jun/2022:02:49:25 +0200] "GET /?bestialized1364296_html HTTP/1.0" 200 12699 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
```
I need to stop the hacker by suspending the website.
### Tell us how to replicate the bug
Login Hestia > Impersonate user > Web > Suspend domain.
visit: https://mydomain.com -> Error - Website is suspended
visit: https://mydomain.com/?sometexthere -> Shows https://mydomain.com
### Which components are affected by this bug?
(Backend) Web Server (Nginx, Apache2)
### Hestia Control Panel Version
1.6
### Operating system
Debian 11
### Log capture
```shell
185.191.171.15 - - [23/Jun/2022:02:49:04 +0200] "GET /?brumbie8883666_html HTTP/1.0" 200 12699 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
185.191.171.12 - - [23/Jun/2022:02:49:08 +0200] "GET /?deafanddumb7142349.html HTTP/1.0" 301 477 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
185.191.171.11 - - [23/Jun/2022:02:49:11 +0200] "GET /?deafanddumb7142349_html HTTP/1.0" 200 12699 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
185.191.171.2 - - [23/Jun/2022:02:49:15 +0200] "GET /?perturbedly41685646.html HTTP/1.0" 301 478 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
185.191.171.4 - - [23/Jun/2022:02:49:19 +0200] "GET /?perturbedly41685646_html HTTP/1.0" 200 12699 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
185.191.171.6 - - [23/Jun/2022:02:49:22 +0200] "GET /?bestialized1364296.html HTTP/1.0" 301 477 "-" "Mozilla/5.0 (compatible; SemrushBot/7~bl; +http://www.semrush.com/bot.html)"
```
There is already a bug report about it.
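A way to check from the access log whether a suspended domain still answers with something other than the suspended page, as an added example that is not part of the original thread or of HestiaCP. The helper name `leaks`, the log lines, the suspension time and the suspended page's status/size signature are all constructed assumptions; measure the real signature by requesting `/` on the suspended domain.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache combined log format, the format of the lines quoted in the bug report.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def leaks(lines, suspended_at, suspended_sig):
    """Return (target, status, size) for each request logged at or after
    suspended_at whose (status, size) is not the suspended page's signature."""
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format access line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ts < suspended_at:
            continue  # served while the domain was still active
        size = 0 if m["size"] == "-" else int(m["size"])
        sig = (int(m["status"]), size)
        if sig != suspended_sig:
            found.append((m["target"], *sig))
    return found

# Constructed inputs (assumptions): suspension time, the suspended page's
# (status, bytes) signature, and four log lines using documentation IPs.
SUSPENDED_AT = datetime(2022, 6, 23, 2, 45, tzinfo=timezone(timedelta(hours=2)))
SUSPENDED_SIG = (200, 1042)
SAMPLE = [
    '192.0.2.10 - - [23/Jun/2022:02:40:00 +0200] "GET / HTTP/1.0" 200 12699 "-" "bot"',
    '192.0.2.10 - - [23/Jun/2022:02:49:04 +0200] "GET / HTTP/1.0" 200 1042 "-" "bot"',
    '192.0.2.11 - - [23/Jun/2022:02:49:11 +0200] "GET /?sometexthere HTTP/1.0" 200 12699 "-" "bot"',
    '192.0.2.12 - - [23/Jun/2022:02:49:15 +0200] "GET /info.php HTTP/1.0" 404 196 "-" "bot"',
]

if __name__ == "__main__":
    for target, status, size in leaks(SAMPLE, SUSPENDED_AT, SUSPENDED_SIG):
        print(f"not suspended: {target} -> {status} ({size} bytes)")
```
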