Welcome to the Cumulus Support forum.

Website hacked

Mapantz
Posts: 1778
Joined: Sat 17 Dec 2011 11:55 am
Weather Station: Davis Vantage Pro2
Operating System: Windows 11 x64
Location: Dorset - UK
Contact:

Website hacked

Post by Mapantz »

As the title suggests, my website was hacked. That's the second time in 6 months.

I don't know quite how they are doing it, but I fixed it last time. This time however, I can't find the code injection.

Basically, I was checking my Google statistics, and it showed me that my canonical had changed to 'crackheaps.com' which is what happened last time. This means that Google will not index your site any more, as it's treated as 'bad' and referrals go off to dodgy sites.

Code is somehow being injected into somewhere on my site, but I cannot find it.

Don't ever think a weather website cannot be targeted.
mcrossley
Posts: 12695
Joined: Thu 07 Jan 2010 9:44 pm
Weather Station: Davis VP2/WLL
Operating System: Bullseye Lite rPi
Location: Wilmslow, Cheshire, UK
Contact:

Re: Website hacked

Post by mcrossley »

Oh dear! :o

Is your site on shared hosting?
Mapantz

Re: Website hacked

Post by Mapantz »

It is shared hosting, yes.

When I do a Google inspection, I find this:

User-declared canonical: https://serialms.com/n/d/spyware/spyware+doctor+2020/
Google-selected canonical: https://crackheaps.com/

I'm trying to look for 'canonical' in my files, perhaps rel=canonical

But it could also be encoded in a php/js script using an md5 hash.
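A scanner along the lines of the search Mapantz describes, added here as an example and not the poster's files or Ken's tool: it walks a web root (hidden files included), flags every rel=canonical link whose host is not the site's own, and flags PHP that feeds a decoded string to eval(). The host name weather.example, the rule list and the three sample files it creates are constructed assumptions, not anything from a real site.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

OWN_HOST = "weather.example"   # assumption: the site's own host name

LINK_TAG_RE = re.compile(r"<link\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*["']([^"']*)["']""")
# Leads common in injected PHP; a match is something to inspect by hand, not proof.
CODE_RULES = [
    (re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
     "eval() of a decoded payload"),
    (re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I), "long hex-escaped string"),
]

def canonical_hrefs(html):
    """Yield the href of every <link rel=canonical>, whatever the attribute order."""
    for tag in LINK_TAG_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get("rel", "").lower() == "canonical" and attrs.get("href"):
            yield attrs["href"]

def scan_file(path, own_host=OWN_HOST):
    """Return (file name, reason, evidence) triples for one file."""
    path, hits = Path(path), []
    text = path.read_text(errors="replace")
    for href in canonical_hrefs(text):
        host = urlsplit(href).hostname or own_host      # a relative href stays on-site
        if host != own_host and not host.endswith("." + own_host):
            hits.append((path.name, "canonical points off-site", href))
    if path.suffix.lower() in {".php", ".inc", ".js", ".html", ".htm"}:
        for rx, reason in CODE_RULES:
            if (m := rx.search(text)):
                hits.append((path.name, reason, m.group(0)[:50]))
    return hits

def scan_tree(root):
    """Walk a web root, dotfiles included (rglob does not skip them), and collect hits."""
    return [h for p in sorted(Path(root).rglob("*")) if p.is_file() for h in scan_file(p)]

def scan_sample_site():
    """Constructed sample web root (not any real site) so the scan runs stand-alone."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.php").write_text('<link rel="canonical" href="/index.php">\n<?php echo 1; ?>')
        (root / "footer.php").write_text('<link href="https://crackheaps.com/" rel="canonical">')
        (root / ".cache.php").write_text("<?php eval(base64_decode('aGVsbG8=')); ?>")  # inert literal
        return scan_tree(root)
```

Point scan_tree() at a copy of the site downloaded by FTP; a clean site should return an empty list, and each hit names the file to open and the line to look at.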
saratogaWX
Posts: 1170
Joined: Wed 06 May 2009 5:02 am
Weather Station: Davis Vantage Pro Plus
Operating System: Windows 10 Professional
Location: Saratoga, CA, USA
Contact:

Re: Website hacked

Post by saratogaWX »

I've sent a PM with a link to a tool I developed to spot malware on PHP sites.

Best regards,
Ken

p.s. I've used this to help disinfect about 10 sites for folks so far.
ConligWX
Posts: 1573
Joined: Mon 19 May 2014 10:45 pm
Weather Station: Davis vPro2+ w/DFARS + AirLink
Operating System: Ubuntu 22.04 LTS
Location: Bangor, NI
Contact:

Re: Website hacked

Post by ConligWX »

You have a serious amount of ports open against your domain (13 TCP ports out of 1000). Do you really need that many?

I'm guessing either a webport or sql port injection.

Also, you have missing HTTP header settings:

Strict-Transport-Security
X-Frame-Options
X-XSS-Protection

You should be able to enable these via .htaccess if you're running Apache.
Regards Simon

https://www.conligwx.org - @conligwx
Davis Vantage Pro2 Plus with Daytime FARS • WeatherLink Live • Davis AirLink • PurpleAir •

KarlS
Posts: 135
Joined: Tue 30 Nov 2010 3:01 pm
Weather Station: Ecowitt GW1003 / WH32 / WH41
Operating System: Buster Lite on Pi4
Location: Bridge Lake, BC, Canada
Contact:

Re: Website hacked

Post by KarlS »

ConligWX wrote: Fri 30 Apr 2021 11:08 pm
You have a serious amount of ports open against your domain (13 TCP ports out of 1000). Do you really need that many?

I'm guessing either a webport or sql port injection.

Also, you have missing HTTP header settings:

Strict-Transport-Security
X-Frame-Options
X-XSS-Protection

You should be able to enable these via .htaccess if you're running Apache.
@simon

For me this isn't really helpful. This is a weather enthusiast forum, so most of us don't know about "webport or sql port injection" or even the .htaccess file on our hosting platform. Instead of requiring me to Google all this info, why don't you just say what changes need to be made to the .htaccess file or how to restrict port access.
saratogaWX

Re: Website hacked

Post by saratogaWX »

On shared hosting platforms, website owners seldom have the ability to control/filter ports open to the internet; that's determined by the hosting company. Usually, they are conservative and only open ports necessary for operation or maintenance by the website owners: 80/443 for web, 21 for FTP, 22 for SSH, 53 (UDP) for DNS, and perhaps some ports for mail (POP/IMAP/SMTP). Normally SQL server direct access is blocked from the internet (thank goodness!), so SQL injection attacks are only successful against poorly designed/configured apps getting stuff jammed into arguments (GET/POST or supplied cookies).

Also, on a shared server, if one of the websites is compromised, and the miscreant is lucky, they might be able to infect multiple sites via the filesystem for the webserver.

The vast majority of personal weather websites using the default weather software template, my, or Wim's PHP templates will not experience the issues unless they install other software that might have poor argument handling. I know that both Wim and I screen/distrust all things arriving via arguments to scripts.

As for adding extra headers to .htaccess, I don't really recommend it unless you really know what you are doing. It's very easy to make an error in .htaccess and cause your site to 500 error everything.

BTW, the scan of the website showed no back-door RCE portals on the site.
HansR
Posts: 5871
Joined: Sat 20 Oct 2012 6:53 am
Weather Station: GW1100 (WS80/WH40)
Operating System: Raspberry OS/Bullseye
Location: Wagenborgen (NL)
Contact:

Re: Website hacked

Post by HansR »

saratogaWX wrote: Sat 01 May 2021 1:18 am
As for adding extra headers to .htaccess, I don't really recommend it unless you really know what you are doing. It's very easy to make an error in .htaccess and cause your site to 500 error everything.
Second that :!:
Hans

https://meteo-wagenborgen.nl
CMX build 4017+ ● RPi 3B+ ● Raspbian Linux 6.1.21-v7+ armv7l ● dotnet 8.0.3
RayProudfoot
Posts: 3373
Joined: Wed 06 May 2009 6:29 pm
Weather Station: Davis VP2 with Daytime FARS
Operating System: Windows XP SP3
Location: Cheadle Hulme, Cheshire, England
Contact:

Re: Website hacked

Post by RayProudfoot »

How depressing that some low life would do this to something as innocuous as a weather site.

My visitor counter shows China as 7th and Russia as 14th in most visits since May 2009. With over 215,000 visits from 131 countries I’ve yet to suffer this problem. My newest country is Libya! :o

Is it related to the quality of your hosting company's security? Are we expected to be web security experts regarding all this? I wouldn't know where to start, which is why I leave the hosting to people who know what they're doing. HostPresto does my hosting and seems very good.
Cheers,
Ray, Cheshire.

Mapantz

Re: Website hacked

Post by Mapantz »

RayProudfoot wrote: Sat 01 May 2021 2:33 pm
HostPresto does my hosting and seems very good.
That's who I am with.

It's down to the end user to try and keep a website free of anything malicious. Using Google's inspection tool is helpful in finding out if there's any issues, which is how I found mine.

Canonical hacks are becoming more widespread it seems.

Anyway, I have managed to fix it. I requested a new index from Google's bot yesterday, and today it has now put me back in the listings. I always have full website backups at the ready if something goes really bad, so I can reset my whole site.
RayProudfoot

Re: Website hacked

Post by RayProudfoot »

@Mapantz, well that’s concerning but as I said in my earlier post I just don’t have those skills and have no real desire to learn them. It’s like saying that because you enjoy driving you should be capable of fixing your car when it goes wrong.

Maybe I have fewer ports open. And after last month’s HDD crash my backup strategy was proven to be reliable.
Cheers,
Ray, Cheshire.

ConligWX

Re: Website hacked

Post by ConligWX »

RayProudfoot wrote: Sat 01 May 2021 2:33 pm
How depressing that some low life would do this to something as innocuous as a weather site.

My visitor counter shows China as 7th and Russia as 14th in most visits since May 2009. With over 215,000 visits from 131 countries I've yet to suffer this problem. My newest country is Libya! :o

Is it related to the quality of your hosting company's security? Are we expected to be web security experts regarding all this? I wouldn't know where to start, which is why I leave the hosting to people who know what they're doing. HostPresto does my hosting and seems very good.
Unfortunately, we hope and pray that all the companies hosting our data look after it all the time, but that is never the case.

15 days of stats (these are malicious attempts against my own Webserver)

[Attachments: threat1.JPG, threat2.JPG]
Just shows you no one is safe.
Regards Simon

https://www.conligwx.org - @conligwx
Davis Vantage Pro2 Plus with Daytime FARS • WeatherLink Live • Davis AirLink • PurpleAir •

HansR

Re: Website hacked

Post by HansR »

And how do you classify those?
What is the analysis method?
Hans

https://meteo-wagenborgen.nl
CMX build 4017+ ● RPi 3B+ ● Raspbian Linux 6.1.21-v7+ armv7l ● dotnet 8.0.3
ConligWX

Re: Website hacked

Post by ConligWX »

HansR wrote: Sat 01 May 2021 7:59 pm
And how do you classify those?
What is the analysis method?
The UDM Pro I have has built-in DPI and then IPS/IDS software (Suricata v5.05). The GUI allows you to select various levels of sensitivity (1-5) and then customize the threat management threat types (35 of them in total).
Regards Simon

https://www.conligwx.org - @conligwx
Davis Vantage Pro2 Plus with Daytime FARS • WeatherLink Live • Davis AirLink • PurpleAir •

HansR

Re: Website hacked

Post by HansR »

Well, nice, I assume this UDM is the abbreviation for the Ubiquiti Dream Machine. But also not very common, not cheap (for just a router) and not something for the average meteo hobbyist (neither is Suricata). And apparently you host your own site, because this does not help for detection at the hoster, I think. Or am I missing something?
It is a techie's play toy.
Hans

https://meteo-wagenborgen.nl
CMX build 4017+ ● RPi 3B+ ● Raspbian Linux 6.1.21-v7+ armv7l ● dotnet 8.0.3