[Security Alert] Baota Panel suspected vulnerability or Nginx abnormality

For convenience, many people install a management panel such as the common Baota panel directly on their VPS or server. Recently some users reported that visiting sites hosted on their server redirected to illegal websites, and the vendor published an official response today. Baota panel users should keep an eye out for any such abnormality.

The following are the currently known Trojan characteristics:
Obvious symptom: visiting your own website redirects to other illegal websites. If this occurs, check whether the following characteristics are present:
1. Access the target website's JS file in incognito mode and check whether its content contains the keywords _0xd4d9 or _0x2551.
2. Panel logs and system logs have been cleared.
3. /www/server/nginx/sbin/nginx has been replaced, or the file /www/server/nginx/conf/btwaf/config exists.
4. A first-time nginx installation leaves a /www/server/panel/data/nginx_md5.pl file, which can be compared with the current binary to confirm whether it has been modified (nginx_md5.pl records the md5 value of nginx at the last installation; if your website is abnormal, open this file and compare its value with the md5 of the current /www/server/nginx/sbin/nginx file).
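A defender-side audit script that automates checks 1, 3 and 4 above, added here as an example and not part of the official alert. It assumes nginx_md5.pl contains the recorded digest as 32 hex characters, and the JS check runs on a copy of the script file saved from an incognito-mode visit; the default paths are the ones named in the alert and can be overridden through environment variables.

```shell
#!/bin/sh
# Audit for the Baota/nginx tampering indicators listed in the alert.
NGINX_BIN="${NGINX_BIN:-/www/server/nginx/sbin/nginx}"
NGINX_MD5_RECORD="${NGINX_MD5_RECORD:-/www/server/panel/data/nginx_md5.pl}"
BTWAF_CONFIG="${BTWAF_CONFIG:-/www/server/nginx/conf/btwaf/config}"

# md5 of a file, portable across GNU md5sum and BSD md5.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else md5 -q "$1"; fi
}

# Check 4: compare the live nginx binary with the install-time record.
# Assumption: the record holds the digest as 32 hex chars (other text is ignored).
# Returns 0 if unchanged, 1 if it differs, 2 if either file is missing.
check_nginx_md5() {
    bin="${1:-$NGINX_BIN}"; record="${2:-$NGINX_MD5_RECORD}"
    [ -f "$bin" ] && [ -f "$record" ] || return 2
    recorded=$(grep -o '[0-9a-fA-F]\{32\}' "$record" | head -n 1 | tr 'A-F' 'a-f')
    current=$(file_md5 "$bin")
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# Check 3: btwaf/config should not exist on a clean install. Returns 0 if absent.
check_btwaf_absent() { [ ! -e "${1:-$BTWAF_CONFIG}" ]; }

# Check 1: scan a saved JS file for the obfuscation markers named in the alert.
# Returns 0 when clean, 1 when a marker is present, 2 if the file is missing.
scan_js_markers() {
    [ -f "$1" ] || return 2
    ! grep -q -e '_0xd4d9' -e '_0x2551' "$1"
}

# Run all checks; any saved JS files are passed as arguments. Non-zero = alert.
run_audit() {
    rc=0
    if check_nginx_md5; then echo "[ok]    nginx binary matches recorded md5"
    else echo "[ALERT] nginx md5 mismatch or record missing"; rc=1; fi
    if check_btwaf_absent; then echo "[ok]    no btwaf/config present"
    else echo "[ALERT] $BTWAF_CONFIG exists"; rc=1; fi
    for f in "$@"; do
        if scan_js_markers "$f"; then echo "[ok]    $f has no known markers"
        else echo "[ALERT] $f contains _0xd4d9/_0x2551 or is unreadable"; rc=1; fi
    done
    return $rc
}

# Stand-alone use on the server: sh audit.sh --audit [saved.js ...]
if [ "${1:-}" = "--audit" ]; then shift; run_audit "$@"; fi
```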

In addition, for users who have seen no abnormality and whose systems are running normally, we offer hardening suggestions. If you are worried about risks in the panel, you can log in to the terminal and run bt stop to stop the panel service (bt restart starts it again). Stopping the panel service does not affect the normal operation of your website.
Secondly, the following measures can be taken in the Baota panel to harden the website, panel and server:
1. Upgrade the panel to the latest version. If it is already the latest version, use Repair Panel on the home page and enable BasicAuth authentication.
2. Upgrade nginx to the latest minor release of the current major version, for example 1.22.0 to 1.22.1. If it is already the latest version, uninstall and reinstall it.
3. If the panel or nginx cannot be upgraded for the time being due to production needs, enable BasicAuth authentication and, where possible, set an authorized IP.
5. The [Enterprise Anti-Tampering - Refactored Edition] plug-in can effectively prevent the website from being tampered with. It is recommended to enable it and set the root user to be prohibited from modifying files (lift the restriction when needed). In addition, lock nginx's key execution directory (/www/server/nginx/sbin).
6. The [Key Directory Reinforcement] function of the [Baota System Reinforcement] plug-in can lock the nginx key execution directory (/www/server/nginx/sbin). This directory is not modified in normal use; apart from reinstallation, any other modification can be regarded as tampering, which is why it is locked.

Official description: https://www.bt.cn/bbs/thread-105121-1-1.html
