Welcome to the Cumulus Support forum.


Website hacked


Mapantz
Posts: 979
Joined: Sat 17 Dec 2011 11:55 am
Weather Station: Davis Vantage Pro2
Operating System: Windows 10 x64
Location: Dorset - UK
Contact:

Website hacked

Post by Mapantz »

As the title suggests, my website was hacked. That's the second time in 6 months.

I don't know quite how they are doing it, but I fixed it last time. This time however, I can't find the code injection.

Basically, I was checking my Google statistics, and it showed me that my canonical had changed to 'crackheaps.com' which is what happened last time. This means that Google will not index your site any more, as it's treated as 'bad' and referrals go off to dodgy sites.

Code is somehow being injected into somewhere on my site, but I cannot find it.

Don't ever think a weather website cannot be targeted.

mcrossley
Posts: 8478
Joined: Thu 07 Jan 2010 9:44 pm
Weather Station: Davis VP2/WLL
Operating System: Buster Lite rPi
Location: Wilmslow, Cheshire, UK
Contact:

Re: Website hacked

Post by mcrossley »

Oh dear! :o

Is your site on shared hosting?

Mapantz
Posts: 979
Joined: Sat 17 Dec 2011 11:55 am
Weather Station: Davis Vantage Pro2
Operating System: Windows 10 x64
Location: Dorset - UK
Contact:

Re: Website hacked

Post by Mapantz »

It is shared hosting, yes.

When I do a Google inspection, I find this:

Code:

User-declared canonical
https://serialms.com/n/d/spyware/spyware+doctor+2020/
Google-selected canonical
info
https://crackheaps.com/

I'm trying to look for 'canonical' in my files, perhaps rel=canonical

But it could also be encoded in a php/js script using an md5 hash.
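An added example, not a tool from this thread or from Ken's PM, that does the search Mapantz describes: it flags canonical tags pointing off your own domain (example.org is a placeholder for your site), flags the eval(base64_decode(...)) pattern that injected PHP usually hides behind, and lists files that are new or changed compared with a clean backup. Run it on a downloaded copy of the live site.

```python
import hashlib
import re
from pathlib import Path
from urllib.parse import urlparse

LINK_RE = re.compile(r"<link\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""(rel|href)\s*=\s*["']?([^"'\s>]+)""", re.I)
# eval()/assert() of a decoded or inflated string is the usual shape of injected PHP.
OBFUSCATED_EXEC_RE = re.compile(r"\b(eval|assert|create_function)\s*\(\s*"
                                r"(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
SCAN_EXTS = {".php", ".html", ".htm", ".js", ".inc"}

def canonical_hrefs(text):
    """Yield the href of every <link rel="canonical"> tag, whatever the attribute order."""
    for tag in LINK_RE.findall(text):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get("rel", "").lower() == "canonical" and "href" in attrs:
            yield attrs["href"]

def scan_text(text, site_host):
    """Return (kind, detail) findings for one file's contents."""
    findings = []
    for href in canonical_hrefs(text):
        host = urlparse(href).hostname or ""   # relative hrefs have no host: fine
        if host and host.lower() != site_host.lower():
            findings.append(("foreign-canonical", href))
    for m in OBFUSCATED_EXEC_RE.finditer(text):
        findings.append(("obfuscated-exec", m.group(0)))
    return findings

def hash_tree(root):
    """Map relative path -> sha256 of every regular file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def changed_files(live, backup):
    """Paths in the live hash map that are new or differ from the backup's."""
    return sorted(p for p, h in live.items() if backup.get(p) != h)

def scan_tree(root, site_host):
    """Run scan_text over every source file under root; returns {relpath: findings}."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in SCAN_EXTS:
            found = scan_text(p.read_text(errors="replace"), site_host)
            if found:
                hits[str(p.relative_to(root))] = found
    return hits
```

Typical use: `changed_files(hash_tree("live_copy"), hash_tree("backup"))` to get the short list of files worth opening, then `scan_tree("live_copy", "example.org")` for the tags and obfuscation markers inside them.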

saratogaWX
Posts: 1077
Joined: Wed 06 May 2009 5:02 am
Weather Station: Davis Vantage Pro Plus
Operating System: Windows 10 Professional
Location: Saratoga, CA, USA
Contact:

Re: Website hacked

Post by saratogaWX »

I've sent a PM with a link to a tool I developed to spot malware on PHP sites.

Best regards,
Ken

p.s. I've used this to help disinfect about 10 sites for folks so far.

ConligWX
Posts: 1266
Joined: Mon 19 May 2014 10:45 pm
Weather Station: Davis vPro2 Plus w/DFARS
Operating System: Ubuntu 20.04.2 LTS - NUC
Location: Bangor, NI
Contact:

Re: Website hacked

Post by ConligWX »

You have a serious number of ports open on your domain (13 TCP ports out of 1000). Do you really need that many?

I'm guessing either a web port or SQL port injection.

Also, you have missing HTTP header settings:

Strict-Transport-Security
X-Frame-Options
X-XSS-Protection

You should be able to enable these via .htaccess if you're running Apache.
Regards Simon

https://www.conligwx.org - @conligwx
Davis Vantage Pro2 Plus with Daytime FARS • WeatherLink Live • Davis AirLink • PurpleAir PA-II-SD • CumulusMX •

KarlS
Posts: 99
Joined: Tue 30 Nov 2010 3:01 pm
Weather Station: Ecowitt GW1003 w/AQ
Operating System: Buster Lite on Pi3
Location: Bridge Lake, BC, Canada
Contact:

Re: Website hacked

Post by KarlS »

ConligWX wrote:
Fri 30 Apr 2021 11:08 pm
You have a serious number of ports open on your domain (13 TCP ports out of 1000). Do you really need that many?

I'm guessing either a web port or SQL port injection.

Also, you have missing HTTP header settings:

Strict-Transport-Security
X-Frame-Options
X-XSS-Protection

You should be able to enable these via .htaccess if you're running Apache.
@simon

For me this isn't really helpful. This is a weather enthusiast forum, so most of us don't know about "webport or sql port injection" or even the .htaccess file on our hosting platform. Instead of requiring me to google all this info, why don't you just say what changes need to be made to the .htaccess file or how to restrict port access.

saratogaWX
Posts: 1077
Joined: Wed 06 May 2009 5:02 am
Weather Station: Davis Vantage Pro Plus
Operating System: Windows 10 Professional
Location: Saratoga, CA, USA
Contact:

Re: Website hacked

Post by saratogaWX »

On shared hosting platforms, website owners seldom have the ability to control/filter ports open to the internet; that's determined by the hosting company. Usually, they are conservative and only open ports necessary for operation or maintenance by the website owners: 80/443 for web, 21 for FTP, 22 for SSH, 53 (UDP) for DNS, and perhaps some ports for mail (POP/IMAP/SMTP). Normally SQL server direct access is blocked from the internet (thank goodness!), so SQL injection attacks are only successful against poorly designed/configured apps getting stuff jammed into arguments (GET/POST or supplied cookies).

Also, on a shared server, if one of the websites is compromised, and the miscreant is lucky, they might be able to infect multiple sites via the filesystem for the webserver.

The vast majority of personal weather websites using the default weather software template, my, or Wim's PHP templates will not experience the issues unless they install other software that might have poor argument handling. I know that both Wim and I screen/distrust all things arriving via arguments to scripts.

As for adding extra headers to .htaccess, I don't really recommend it unless you really know what you are doing; it's very easy to make an error in .htaccess and cause your site to 500 error everything.

BTW, the scan of the website showed no back-door RCE portals on the site.

HansR
Posts: 2166
Joined: Sat 20 Oct 2012 6:53 am
Weather Station: Davis Vantage Pro 2+
Operating System: Raspbian GNU/Linux 10 (Buster)
Location: Wagenborgen (NL)
Contact:

Re: Website hacked

Post by HansR »

saratogaWX wrote:
Sat 01 May 2021 1:18 am
As for adding extra headers to .htaccess, I don't really recommend it unless you really know what you are doing; it's very easy to make an error in .htaccess and cause your site to 500 error everything.
Second that :!:
Hans

https://meteo-wagenborgen.nl
Cumulus build 3132 ● Davis Vantage Pro 2+ ● RPi 3B+ ● Raspbian 5.10.17-v7+ ● Mono 5.18.0.240

RayProudfoot
Posts: 2952
Joined: Wed 06 May 2009 6:29 pm
Weather Station: Davis VP2 with Daytime FARS
Operating System: Windows XP SP3
Location: Cheadle Hulme, Cheshire, England
Contact:

Re: Website hacked

Post by RayProudfoot »

How depressing that some low life would do this to something as innocuous as a weather site.

My visitor counter shows China as 7th and Russia as 14th in most visits since May 2009. With over 215,000 visits from 131 countries I’ve yet to suffer this problem. My newest country is Libya! :o

Is it related to the quality of your hosting company's security? Are we expected to be web security experts regarding all this? I wouldn't know where to start, which is why I leave the hosting to people who know what they're doing. HostPresto does my hosting and seems very good.
Cheers,
Ray, Cheshire.


Mapantz
Posts: 979
Joined: Sat 17 Dec 2011 11:55 am
Weather Station: Davis Vantage Pro2
Operating System: Windows 10 x64
Location: Dorset - UK
Contact:

Re: Website hacked

Post by Mapantz »

RayProudfoot wrote:
Sat 01 May 2021 2:33 pm
HostPresto does my hosting and seems very good.
That's who I am with.

It's down to the end user to try and keep a website free of anything malicious. Using Google's inspection tool is helpful in finding out if there's any issues, which is how I found mine.

Canonical hacks are becoming more widespread it seems.

Anyway, I have managed to fix it. I requested a new index from Google's bot yesterday, and today it has now put me back in the listings. I always have full website backups at the ready if something goes really bad, so I can reset my whole site.

RayProudfoot
Posts: 2952
Joined: Wed 06 May 2009 6:29 pm
Weather Station: Davis VP2 with Daytime FARS
Operating System: Windows XP SP3
Location: Cheadle Hulme, Cheshire, England
Contact:

Re: Website hacked

Post by RayProudfoot »

@Mapantz, well that’s concerning but as I said in my earlier post I just don’t have those skills and have no real desire to learn them. It’s like saying that because you enjoy driving you should be capable of fixing your car when it goes wrong.

Maybe I have fewer ports open. And after last month’s HDD crash my backup strategy was proven to be reliable.
Cheers,
Ray, Cheshire.


ConligWX
Posts: 1266
Joined: Mon 19 May 2014 10:45 pm
Weather Station: Davis vPro2 Plus w/DFARS
Operating System: Ubuntu 20.04.2 LTS - NUC
Location: Bangor, NI
Contact:

Re: Website hacked

Post by ConligWX »

RayProudfoot wrote:
Sat 01 May 2021 2:33 pm
How depressing that some low life would do this to something as innocuous as a weather site.

My visitor counter shows China as 7th and Russia as 14th in most visits since May 2009. With over 215,000 visits from 131 countries I’ve yet to suffer this problem. My newest country is Libya! :o

Is it related to the quality of your hosting company's security? Are we expected to be web security experts regarding all this? I wouldn't know where to start, which is why I leave the hosting to people who know what they're doing. HostPresto does my hosting and seems very good.
Unfortunately, we hope and pray that all hosting companies look after our data all the time, but that is never the case.

15 days of stats (these are malicious attempts against my own Webserver)

[Attachments: threat1.JPG, threat2.JPG (IDS threat statistics screenshots)]

Just shows you no one is safe.
Regards Simon

https://www.conligwx.org - @conligwx
Davis Vantage Pro2 Plus with Daytime FARS • WeatherLink Live • Davis AirLink • PurpleAir PA-II-SD • CumulusMX •

HansR
Posts: 2166
Joined: Sat 20 Oct 2012 6:53 am
Weather Station: Davis Vantage Pro 2+
Operating System: Raspbian GNU/Linux 10 (Buster)
Location: Wagenborgen (NL)
Contact:

Re: Website hacked

Post by HansR »

And how do you classify those?
What is the analysis method?
Hans

https://meteo-wagenborgen.nl
Cumulus build 3132 ● Davis Vantage Pro 2+ ● RPi 3B+ ● Raspbian 5.10.17-v7+ ● Mono 5.18.0.240

ConligWX
Posts: 1266
Joined: Mon 19 May 2014 10:45 pm
Weather Station: Davis vPro2 Plus w/DFARS
Operating System: Ubuntu 20.04.2 LTS - NUC
Location: Bangor, NI
Contact:

Re: Website hacked

Post by ConligWX »

HansR wrote:
Sat 01 May 2021 7:59 pm
And how do you classify those?
What is the analysis method?
The UDM Pro I have has built-in DPI and IPS/IDS software (Suricata v5.05). The GUI allows you to select various levels of sensitivity (1-5) and then customize the threat management threat types (35 of them in total).
Regards Simon

https://www.conligwx.org - @conligwx
Davis Vantage Pro2 Plus with Daytime FARS • WeatherLink Live • Davis AirLink • PurpleAir PA-II-SD • CumulusMX •

HansR
Posts: 2166
Joined: Sat 20 Oct 2012 6:53 am
Weather Station: Davis Vantage Pro 2+
Operating System: Raspbian GNU/Linux 10 (Buster)
Location: Wagenborgen (NL)
Contact:

Re: Website hacked

Post by HansR »

Well, nice. I assume this UDM is the abbreviation for the Ubiquiti Dream Machine. But it is also not very common, not cheap (for just a router) and not something for the average meteo hobbyist (neither is Suricata). And apparently you host your own site, because this does not help for detection at the hoster, I think. Or do I miss something?
It is a techie's play toy.
Hans

https://meteo-wagenborgen.nl
Cumulus build 3132 ● Davis Vantage Pro 2+ ● RPi 3B+ ● Raspbian 5.10.17-v7+ ● Mono 5.18.0.240
