Welcome to the Cumulus Support forum.
Latest Cumulus MX V3 release 3.28.6 (build 3283) - 21 March 2024
Cumulus MX V4 beta test release 4.0.0 (build 4019) - 03 April 2024
Legacy Cumulus 1 release 1.9.4 (build 1099) - 28 November 2014
(a patch is available for 1.9.4 build 1099 that extends the date range of drop-down menus to 2030)
Download the Software (Cumulus MX / Cumulus 1 and other related items) from the Wiki
Website hacked
Moderator: daj
-
- Posts: 1815
- Joined: Sat 17 Dec 2011 11:55 am
- Weather Station: Davis Vantage Pro2
- Operating System: Windows 11 x64
- Location: Dorset - UK
- Contact:
Website hacked
As the title suggests, my website was hacked. That's the second time in 6 months.
I don't know quite how they are doing it, but I fixed it last time. This time however, I can't find the code injection.
Basically, I was checking my Google statistics, and it showed me that my canonical had changed to 'crackheaps.com' which is what happened last time. This means that Google will not index your site any more, as it's treated as 'bad' and referrals go off to dodgy sites.
Code is somehow being injected into somewhere on my site, but I cannot find it.
Don't ever think a weather website cannot be targeted.
-
- Posts: 1815
- Joined: Sat 17 Dec 2011 11:55 am
- Weather Station: Davis Vantage Pro2
- Operating System: Windows 11 x64
- Location: Dorset - UK
- Contact:
Re: Website hacked
It is shared hosting, yes.
When I do a Google inspection, I find this:

    User-declared canonical
    https://serialms.com/n/d/spyware/spyware+doctor+2020/
    Google-selected canonical
    info
    https://crackheaps.com/

I'm trying to look for 'canonical' in my files, perhaps rel=canonical
But it could also be encoded in a php/js script using an md5 hash.
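An added example, not from Mapantz's post and not Ken's tool, of doing the search described above mechanically: a small Python scanner, assumed to run over a copy of the site's files (for instance the FTP download used for backups), that walks the web root, flags rel=canonical tags, eval() wrapped around base64_decode/gzinflate, long hex-escaped strings and .htaccess redirects, and decodes long base64 literals to see whether they hide a canonical tag, a URL or a script. One caveat on the md5 idea: an md5 hash is a one-way digest, so a URL cannot be recovered from it; what injected code usually hides behind is base64 or hex escapes, which can be decoded, and that is what the scanner does. The indicator patterns, file names and the two sample files are my own construction.

```python
import base64
import os
import re
import tempfile
from typing import Dict, List, Tuple

Finding = Tuple[str, str, int]  # (relative path, indicator name, line number)

# File types worth reading as text on a typical PHP/HTML weather site.
TEXT_EXT = {".php", ".inc", ".html", ".htm", ".js", ".txt", ".htaccess"}

# Indicators are my own assumptions about what an injected canonical / redirect
# usually looks like; they are not taken from the forum thread.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    "canonical_link": re.compile(r'<link[^>]*rel=["\']canonical["\'][^>]*>', re.I),
    "eval_of_decoder": re.compile(
        r"\b(eval|assert|create_function)\s*\(\s*"
        r"(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "hex_escaped_run": re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),
    "htaccess_redirect": re.compile(r"^\s*(RewriteRule|Redirect(Match)?)\b.*https?://", re.I | re.M),
}
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")
SUSPICIOUS_DECODED = re.compile(r"(canonical|https?://|<script|\beval\s*\()", re.I)


def line_of(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1


def decode_b64_literals(text: str) -> List[Tuple[int, str]]:
    """Decode long base64 literals that turn into mostly printable text.
    Returns (offset, decoded) pairs; binary blobs (embedded images) are skipped."""
    out: List[Tuple[int, str]] = []
    for m in B64_LITERAL.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # bad padding / length; binascii.Error is a ValueError
            continue
        decoded = raw.decode("utf-8", errors="ignore")
        if not decoded:
            continue
        printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in decoded) / len(decoded)
        if printable > 0.9:
            out.append((m.start(), decoded))
    return out


def scan_text(text: str, name: str) -> List[Finding]:
    """Apply every indicator to one file's content."""
    findings: List[Finding] = []
    for label, rx in INDICATORS.items():
        for m in rx.finditer(text):
            findings.append((name, label, line_of(text, m.start())))
    for offset, decoded in decode_b64_literals(text):
        if SUSPICIOUS_DECODED.search(decoded):
            findings.append((name, "suspicious_base64_payload", line_of(text, offset)))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a web root copy and scan every text-like file."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            ext = os.path.splitext(fn)[1].lower() or fn.lower()  # ".htaccess" has no ext
            if ext not in TEXT_EXT:
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(fh.read(), os.path.relpath(path, root)))
    return findings


# Constructed sample files: one clean template page and one carrying the kind of
# payload the thread describes (a canonical tag, base64-wrapped and eval'd).
CLEAN_PHP = '<?php include "header.inc"; ?>\n<link rel="stylesheet" href="style.css">\n<p>Weather data</p>\n'
_PAYLOAD = base64.b64encode(b'<link rel="canonical" href="https://attacker.invalid/">' * 2).decode()
INFECTED_PHP = (
    "<?php\n"
    "// footer include\n"
    'echo "<footer>ok</footer>";\n'
    f'eval(base64_decode("{_PAYLOAD}"));\n'
)


def demo() -> List[Finding]:
    """Write both samples into a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for fn, body in (("index.php", CLEAN_PHP), ("footer.php", INFECTED_PHP)):
            with open(os.path.join(root, fn), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for path, label, line in demo():
        print(f"{path}:{line}: {label}")
```

Run it against a fresh download of the site rather than on the live server, and compare the hits with the last known-good backup; a flagged file whose modification time is newer than your last upload is the first place to look. The indicators are heuristics: a legitimate template may carry base64 for embedded images, which the printable-text filter skips, and a deliberate redirect in .htaccess will show up too.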
- saratogaWX
- Posts: 1196
- Joined: Wed 06 May 2009 5:02 am
- Weather Station: Davis Vantage Pro Plus
- Operating System: Windows 10 Professional
- Location: Saratoga, CA, USA
- Contact:
Re: Website hacked
I've sent a PM with a link to a tool I developed to spot malware on PHP sites.
Best regards,
Ken
p.s. I've used this to help disinfect about 10 sites for folks so far.
- ConligWX
- Posts: 1630
- Joined: Mon 19 May 2014 10:45 pm
- Weather Station: Davis vPro2+ w/DFARS + AirLink
- Operating System: Ubuntu 22.04 LTS
- Location: Bangor, NI
- Contact:
Re: Website hacked
you have a serious amount of ports open against your domain. (13 tcp ports out of 1000) do you really need that many?
I'm guessing either a webport or sql port injection.
also you have missing http header settings:
Strict-Transport-Security
X-Frame-Options
X-XSS-Protection
you should be able to enable these via .htaccess if you're running Apache.
Regards Simon
https://www.conligwx.org - @conligwx
Davis Vantage Pro2 Plus with Daytime FARS • WeatherLink Live • Davis AirLink • PurpleAir • CumulusMX v4.0.0
- KarlS
- Posts: 137
- Joined: Tue 30 Nov 2010 3:01 pm
- Weather Station: Ecowitt GW1003 / WH32 / WH41
- Operating System: 64bit Bookworm on Pi4
- Location: Bridge Lake, BC, Canada
- Contact:
Re: Website hacked
ConligWX wrote: ↑Fri 30 Apr 2021 11:08 pm
you have a serious amount of ports open against your domain. (13 tcp ports out of 1000) do you really need that many?
I'm guessing either a webport or sql port injection.
also you have missing http header settings:
Strict-Transport-Security
X-Frame-Options
X-XSS-Protection
you should be able to enable these via .htaccess if you're running Apache.
For me this isn't really helpful. This is a weather enthusiast forum, so most of us don't know about "webport or sql port injection" or even the .htaccess file on our hosting platform. Instead of requiring me to google all this info, why don't you just say what changes need to be made to the .htaccess file or how to restrict port access.
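An added example, not from any post in this thread, answering KarlS's question in concrete terms. The Python below checks Simon's headers against a raw response head (the kind `curl -sI https://your-site/` prints), and the HTACTACCESS-style string HTACCESS_HEADERS holds the Apache lines that set them, wrapped in an IfModule guard because a bare Header directive on a server without mod_headers is a configuration error that turns every request into a 500. Two caveats a practitioner would add: only send Strict-Transport-Security once every page, and every subdomain if you say includeSubDomains, works over HTTPS, because browsers cache it for the stated lifetime and will refuse plain HTTP until it expires; and X-XSS-Protection is a legacy header that current Chrome, Edge and Firefox ignore, so the check treats Content-Security-Policy as its replacement rather than requiring it. Referrer-Policy, the 180-day HSTS floor and the two sample responses are my own additions.

```python
import re
from typing import Dict, List

# 180 days is my chosen floor for HSTS max-age (the preload list wants a year).
MIN_HSTS_MAX_AGE = 180 * 24 * 3600

# Apache .htaccess lines that set the headers. The IfModule guard matters on
# shared hosting: "Header" without mod_headers loaded makes every request a 500.
HTACCESS_HEADERS = """\
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
</IfModule>
"""


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP response head into lower-cased name -> list of values."""
    headers: Dict[str, List[str]] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # [0] is the status line
        if not line.strip():
            break  # blank line ends the head; body follows
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit(raw: str) -> List[str]:
    """Return a list of problems; an empty list means every check passed."""
    h = parse_headers(raw)
    problems: List[str] = []

    hsts = h.get("strict-transport-security", [""])[0]
    if not hsts:
        problems.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            problems.append("Strict-Transport-Security max-age is shorter than 180 days")
        if "includesubdomains" not in hsts.lower():
            problems.append("Strict-Transport-Security lacks includeSubDomains")

    csp = " ".join(h.get("content-security-policy", []))
    if "frame-ancestors" not in csp.lower():  # CSP frame-ancestors supersedes XFO
        xfo = h.get("x-frame-options", [""])[0].strip().upper()
        if not xfo:
            problems.append("missing X-Frame-Options (and no CSP frame-ancestors)")
        elif xfo not in ("DENY", "SAMEORIGIN"):
            problems.append(f"X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN")

    if h.get("x-content-type-options", [""])[0].lower() != "nosniff":
        problems.append("missing X-Content-Type-Options: nosniff")
    if not csp:
        problems.append("missing Content-Security-Policy")
    if "x-xss-protection" in h:
        problems.append("note: X-XSS-Protection is legacy and ignored by current browsers; rely on CSP")
    return problems


# Constructed responses: a default shared-hosting reply, and the same site after
# the HTACCESS_HEADERS block plus a CSP have been applied.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n"
    "\r\n<html>...</html>"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(resp) or ["ok"])
    print(HTACCESS_HEADERS)
```

Before touching the live .htaccess, put the block in a copy, upload it, and request one page with curl; if you get a 500, the directive is not supported by the host and you can delete the lines again. A Content-Security-Policy needs to be written for your own pages (inline scripts in weather templates will break under a strict default-src 'self'), which is why the example only checks for its presence rather than shipping one.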
- saratogaWX
- Posts: 1196
- Joined: Wed 06 May 2009 5:02 am
- Weather Station: Davis Vantage Pro Plus
- Operating System: Windows 10 Professional
- Location: Saratoga, CA, USA
- Contact:
Re: Website hacked
On Shared hosting platforms, website owners seldom have the ability to control/filter ports open to the internet.. that's determined by the hosting company. Usually, they are conservative and only open ports necessary for operation or maintenance by the website owners. 80/443 for web, 21 for FTP, 22 for SSH, 53(UDP) for DNS, and perhaps some ports for mail (POP/IMAP/SMTP). Normally SQL server direct access is blocked from the internet (thank goodness!), so SQL injection attacks are only successful against poorly designed/configured apps getting stuff jammed into arguments (GET/POST or supplied cookies).
Also, on a shared server, if one of the websites is compromised, and the miscreant is lucky, they might be able to infect multiple sites via the filesystem for the webserver.
The vast majority of personal weather websites using the default weather software template, my, or Wim's PHP templates will not experience the issues unless they install other software that might have poor argument handling. I know that both Wim and I screen/distrust all things arriving via arguments to scripts.
As for adding extra headers to .htaccess, I don't really recommend it unless you really know what you are doing.. it's very easy to make an error in .htaccess and cause your site to 500 error everything.
BTW, the scan of the website showed no back-door RCE portals on the site.
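The distinction Ken draws above between "stuff jammed into arguments" and screened arguments, as an added example that is not Ken's or Wim's template code: a Python/sqlite3 stand-in for a weather site's database with a station name that arrives from a query argument. readings_vulnerable builds the SQL by string formatting and hands the users table to a UNION payload; readings_safe binds the value as a parameter so the same payload is just a string that matches nothing; is_valid_station is the allow-list screen applied before the query ever runs. Table names, sample rows and the payload are constructed for the example.

```python
import re
import sqlite3
from typing import List, Tuple

# Allow-list for a station argument: short, lower-case, no quotes or spaces.
STATION_RE = re.compile(r"^[a-z0-9_-]{1,32}$")


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a weather site's database (constructed sample data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE readings (station TEXT, temp_c REAL)")
    con.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    con.executemany("INSERT INTO readings VALUES (?, ?)", [("dorset", 12.5), ("saratoga", 18.1)])
    con.execute("INSERT INTO users VALUES ('admin', 'deadbeef')")
    con.commit()
    return con


def readings_vulnerable(con: sqlite3.Connection, station: str) -> List[Tuple]:
    """The 'jammed into arguments' case: the query is assembled by string
    formatting, so whatever arrived in ?station= is executed as SQL."""
    sql = f"SELECT station, temp_c FROM readings WHERE station = '{station}'"
    return con.execute(sql).fetchall()


def readings_safe(con: sqlite3.Connection, station: str) -> List[Tuple]:
    """Bound parameter: the driver passes the value separately from the SQL
    text, so quotes and keywords inside it are only characters in a string."""
    return con.execute(
        "SELECT station, temp_c FROM readings WHERE station = ?", (station,)
    ).fetchall()


def is_valid_station(value: str) -> bool:
    """Screen the argument itself before it reaches any query (defence in depth:
    keep using bound parameters even for input that passes this check)."""
    return STATION_RE.match(value) is not None


# Constructed attacker input, as it arrives after URL-decoding the query string.
# The trailing "--" comments out the closing quote the template appended.
INJECTION = "x' UNION SELECT name, pw_hash FROM users --"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", readings_vulnerable(con, INJECTION))  # leaks the users table
    print("safe:      ", readings_safe(con, INJECTION))        # no such station
    print("screened:  ", is_valid_station(INJECTION))          # rejected up front
```

The same rule applies to anything else that reaches a script from outside: cookies, POST bodies and request headers are attacker-controlled exactly like GET arguments, and an argument that is safe for SQL still needs HTML-escaping before it is echoed back into a page.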
- HansR
- Posts: 5963
- Joined: Sat 20 Oct 2012 6:53 am
- Weather Station: GW1100 (WS80/WH40)
- Operating System: Raspberry OS/Bookworm
- Location: Wagenborgen (NL)
- Contact:
Re: Website hacked
saratogaWX wrote: ↑Sat 01 May 2021 1:18 am
As for adding extra headers to .htaccess, I don't really recommend it unless you really know what you are doing.. it's very easy to make an error in .htaccess and cause your site to 500 error everything.
Second that.
Hans
https://meteo-wagenborgen.nl
CMX build 4017+ ● RPi 3B+ ● Raspbian Linux 6.1.21-v7+ armv7l ● dotnet 8.0.3
-
- Posts: 3390
- Joined: Wed 06 May 2009 6:29 pm
- Weather Station: Davis VP2 with Daytime FARS
- Operating System: Windows XP SP3
- Location: Cheadle Hulme, Cheshire, England
- Contact:
Re: Website hacked
How depressing that some low life would do this to something as innocuous as a weather site.
My visitor counter shows China as 7th and Russia as 14th in most visits since May 2009. With over 215,000 visits from 131 countries I’ve yet to suffer this problem. My newest country is Libya!
Is it related to the quality of your hosting company's security? Are we expected to be web security experts regarding all this? I wouldn’t know where to start which is why I leave the hosting to people who know what they’re doing. HostPresto does my hosting and seems very good.
-
- Posts: 1815
- Joined: Sat 17 Dec 2011 11:55 am
- Weather Station: Davis Vantage Pro2
- Operating System: Windows 11 x64
- Location: Dorset - UK
- Contact:
Re: Website hacked
That's who I am with.
It's down to the end user to try and keep a website free of anything malicious. Using Google's inspection tool is helpful in finding out if there's any issues, which is how I found mine.
Canonical hacks are becoming more widespread it seems.
Anyway, I have managed to fix it. I requested a new index from Google's bot yesterday, and today it has now put me back in the listings. I always have full website backups at the ready if something goes really bad, so I can reset my whole site.
-
- Posts: 3390
- Joined: Wed 06 May 2009 6:29 pm
- Weather Station: Davis VP2 with Daytime FARS
- Operating System: Windows XP SP3
- Location: Cheadle Hulme, Cheshire, England
- Contact:
Re: Website hacked
@Mapantz, well that’s concerning but as I said in my earlier post I just don’t have those skills and have no real desire to learn them. It’s like saying that because you enjoy driving you should be capable of fixing your car when it goes wrong.
Maybe I have fewer ports open. And after last month’s HDD crash my backup strategy was proven to be reliable.
- ConligWX
- Posts: 1630
- Joined: Mon 19 May 2014 10:45 pm
- Weather Station: Davis vPro2+ w/DFARS + AirLink
- Operating System: Ubuntu 22.04 LTS
- Location: Bangor, NI
- Contact:
Re: Website hacked
RayProudfoot wrote: ↑Sat 01 May 2021 2:33 pm
How depressing that some low life would do this to something as innocuous as a weather site.
My visitor counter shows China as 7th and Russia as 14th in most visits since May 2009. With over 215,000 visits from 131 countries I’ve yet to suffer this problem. My newest country is Libya!
Is it related to the quality of your hosting company's security? Are we expected to be web security experts regarding all this? I wouldn’t know where to start which is why I leave the hosting to people who know what they’re doing. HostPresto does my hosting and seems very good.
Unfortunately we hope and pray all hosting companies of our data look after it all the time, but that is never the case.
15 days of stats (these are malicious attempts against my own Webserver)
Just shows you no one is safe.
Regards Simon
https://www.conligwx.org - @conligwx
Davis Vantage Pro2 Plus with Daytime FARS • WeatherLink Live • Davis AirLink • PurpleAir • CumulusMX v4.0.0
- HansR
- Posts: 5963
- Joined: Sat 20 Oct 2012 6:53 am
- Weather Station: GW1100 (WS80/WH40)
- Operating System: Raspberry OS/Bookworm
- Location: Wagenborgen (NL)
- Contact:
Re: Website hacked
And how do you classify those?
What is the analysis method?
Hans
https://meteo-wagenborgen.nl
CMX build 4017+ ● RPi 3B+ ● Raspbian Linux 6.1.21-v7+ armv7l ● dotnet 8.0.3
- ConligWX
- Posts: 1630
- Joined: Mon 19 May 2014 10:45 pm
- Weather Station: Davis vPro2+ w/DFARS + AirLink
- Operating System: Ubuntu 22.04 LTS
- Location: Bangor, NI
- Contact:
Re: Website hacked
the UDM Pro I have has built in DPI and then IPS/IDS software (Suricata v5.05). The GUI allows you to select various levels of sensitivity (1-5) and then customize the threat management threat types (35 of them in total)
Regards Simon
https://www.conligwx.org - @conligwx
Davis Vantage Pro2 Plus with Daytime FARS • WeatherLink Live • Davis AirLink • PurpleAir • CumulusMX v4.0.0
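Simon's counts come from Suricata on his own router, in front of a server he hosts himself; on shared hosting the only comparable input is usually the access log from the control panel. As an added example of the analysis method Hans asks about, reduced to its simplest form (this is not Suricata's rule set, which is far larger and works on packets rather than log lines), the Python below runs a handful of signature rules over combined-format access log lines and counts hits per category and per source IP, which is the shape of a "15 days of stats" summary. The rules, the category names and the log lines are my own construction, using documentation IP ranges.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Signature rules: (label, field to match, pattern). A small set of my own,
# not Suricata's; an IDS ships thousands of these and matches packet payloads.
RULES: List[Tuple[str, str, "re.Pattern[str]"]] = [
    ("path_traversal", "path", re.compile(r"(\.\./|%2e%2e(%2f|/))", re.I)),
    ("sqli_probe", "path", re.compile(
        r"(union(\s|%20|\+)+select|(%27|')(\s|%20|\+)*(or|and)(\s|%20|\+)"
        r"|sleep\(\d+\)|information_schema)", re.I)),
    ("php_backdoor_probe", "path", re.compile(
        r"/(shell|c99|r57|wso|alfa)\.php|/wp-content/uploads/.*\.php", re.I)),
    ("cms_login_bruteforce", "request", re.compile(r"^POST /(wp-login\.php|xmlrpc\.php)", re.I)),
    ("scanner_ua", "ua", re.compile(r"(sqlmap|nikto|masscan|zgrab|nmap|acunetix)", re.I)),
]


def parse(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["request"] = f"{rec['method']} {rec['path']}"
    return rec


def classify(line: str) -> List[str]:
    """All rule labels that fire on one log line (empty list = nothing matched)."""
    rec = parse(line)
    if rec is None:
        return []
    return [label for label, field, rx in RULES if rx.search(rec[field])]


def summarize(lines: List[str]) -> Tuple[Counter, Counter]:
    """Hit counts per label, and per source IP for lines that hit any rule."""
    by_label: Counter = Counter()
    by_ip: Counter = Counter()
    for line in lines:
        labels = classify(line)
        by_label.update(labels)
        if labels:
            by_ip[parse(line)["ip"]] += 1
    return by_label, by_ip


# Constructed log lines (RFC 5737 documentation addresses); not from any real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/May/2021:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/May/2021:10:00:02 +0000] "GET /realtime.txt HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [01/May/2021:10:05:11 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 211 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [01/May/2021:10:05:12 +0000] "GET /data.php?id=1%27%20UNION%20SELECT%20name,pw_hash%20FROM%20users-- HTTP/1.1" 500 0 "-" "sqlmap/1.5"',
    '198.51.100.23 - - [01/May/2021:10:05:13 +0000] "GET /wp-content/uploads/2021/shell.php HTTP/1.1" 404 211 "-" "Mozilla/5.0"',
    '192.0.2.99 - - [01/May/2021:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "python-requests/2.25"',
    '192.0.2.99 - - [01/May/2021:11:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "python-requests/2.25"',
]

if __name__ == "__main__":
    labels, ips = summarize(SAMPLE_LOG)
    print("by category:", dict(labels))
    print("by source IP:", dict(ips))
```

Signature matching only finds what a rule describes, so the numbers say more about the rule set than about the attacker; the same is true of the 35 "threat types" in an IDS GUI. Expect false positives (a legitimate page that takes a URL argument will trip the traversal rule) and tune the patterns against your own site's normal traffic before reading anything into the totals.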
- HansR
- Posts: 5963
- Joined: Sat 20 Oct 2012 6:53 am
- Weather Station: GW1100 (WS80/WH40)
- Operating System: Raspberry OS/Bookworm
- Location: Wagenborgen (NL)
- Contact:
Re: Website hacked
Well, nice, I assume this UDF is the abbreviation for the Ubiquiti Dream Machine. But also not very common, not cheap (for just a router) and not something for the average meteo hobbyist (neither is Suricata). And apparently you host your own site because this does not help for detection at the hoster I think. Or do I miss something?
It is a techie's play toy
Hans
https://meteo-wagenborgen.nl
CMX build 4017+ ● RPi 3B+ ● Raspbian Linux 6.1.21-v7+ armv7l ● dotnet 8.0.3