Some optimizations made after the WEB Service is attacked

The environment is windows + apache + php + tomcat + jk recently found that my WEB server was under attack and tampered with my homepage information. Did I find the cup first, my colleague found this information. After opening the homepage, I found that the tampered homepage information is hidden. Right-click to view the source code and find some inexplicable friendship connections at the bottom. Then, go to the WEB server to find suspicious files and check the WEB access. log for no problems (careless ). Suspicious files are found in the main directory of the website. The 0.jsp 1.jsp 00.php file is found in the main directory of the website and FCK respectively, and three exefiles are found in the fckfolder. In other words, they are saved in the directory, after reading the File Upload date, I checked access again. log File. If a suspicious location is found and a jsp file is executed, copy the address and open it in the browser. It is found that a "Pony" can be successfully executed. After the pony uploads it, they can proceed to the last Trojan and other programs they used. It seems that the program we deployed on the WEB has the Upload Vulnerability. Someone else got webshell. Analysis: because the environment supports jsp and php, you can run php In the jsp environment, and run jsp in the php environment. The upload directory permission also has the execution permission. There is no actual file type verification in the program. Fix: optimize the service: Disable php running from the jsp directory, and remove the script parsing permission of the uploaded directory. Apache configuration file settings are too rough. The configuration file with the configured apacheis. Some static files, such as .jpg. js. png. html, are processed by apache, and all other files are processed by tomcat. Now we need to modify some of the extensions used by tomcat, and others are processed by apache. In this way, the execution of the extension can be rejected, because when apache and tomcat work together, apache will give tomcat the file name processed by tomcat to tomcat and then check the permission ban rules. Because our website uses dynamic addresses, we cannot use the jsp suffix. the extension name of jsp can be handed over to apache for processing. You can reject the extension or reject it, that is, it will not be executed after the file of the jsp extension is opened, the content of the jsp file is displayed. It cannot be executed even if it is changed to jsp1. Then, you can limit phpphp. There are many online websites. Add php_flag engine off to the directory permission that you do not want php to execute. The final configuration file is: # vi uriworkermap. properties ### the suffix JkMount/* is assigned to tomcat /*. key tomcatJkMount /*. aaa tomcat ...... Httpd. conf configuration file modification # vi httpd. conf ### this directory does not allow php scripts to be run or disabled. jsp *,. php * suffix <Directory "D: \ opt \ www \ webroot"> php_flag engine off <Files ~ "\. (Php | jsp)"> Order allow, deny Deny from all </Files> </Directory> www.2cto.com restart the apache service and test it !!! The above configurations have been tested in person. Please give me some advice on poor writing and hard reading. Program Optimization: program optimization is to make a real file type to determine whether the file can be uploaded.