
Website hacked

Posted: Fri 30 Apr 2021 6:17 pm
by Mapantz
As the title suggests, my website was hacked. That's the second time in 6 months.

I don't know quite how they are doing it, but I fixed it last time. This time however, I can't find the code injection.

Basically, I was checking my Google statistics, and it showed me that my canonical had changed to 'crackheaps.com' which is what happened last time. This means that Google will not index your site any more, as it's treated as 'bad' and referrals go off to dodgy sites.

Code is somehow being injected into somewhere on my site, but I cannot find it.

Don't ever think a weather website cannot be targeted.

Re: Website hacked

Posted: Fri 30 Apr 2021 7:48 pm
by mcrossley
Oh dear! :o

Is your site on shared hosting?

Re: Website hacked

Posted: Fri 30 Apr 2021 7:52 pm
by Mapantz
It is shared hosting, yes.

When I do a Google inspection, I find this:


User-declared canonical
https://serialms.com/n/d/spyware/spyware+doctor+2020/
Google-selected canonical
https://crackheaps.com/
I'm trying to look for 'canonical' in my files, perhaps rel=canonical

But it could also be encoded in a php/js script using an md5 hash.

Re: Website hacked

Posted: Fri 30 Apr 2021 9:30 pm
by saratogaWX
I've sent a PM with a link to a tool I developed to spot malware on PHP sites.

Best regards,
Ken

p.s. I've used this to help disinfect about 10 sites for folks so far.
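Mapantz above is grepping the site files for 'canonical' and suspects the injection may be hidden in encoded PHP or JS, and Ken mentions a scanner he wrote. The script below is an added example, not Ken's tool and not code from any post in this thread: it walks a web root, flags any rel=canonical link whose host is not in the site's own host list, flags constructs that injected PHP commonly uses (eval of a decoded string, long base64 blobs, hex-escaped strings, preg_replace with the /e modifier) and lists files changed after a timestamp you last knew the site was clean. The own-host list, the file names and the dropper content in the demo are hypothetical and constructed; crackheaps.com is the domain reported in the thread.

```python
"""Scan a PHP web root for an injected off-site <link rel="canonical">
and for obfuscated PHP droppers. Added example; hits are leads to inspect."""
import os
import re
import tempfile
import time
from pathlib import Path
from urllib.parse import urlparse

# Hostnames the site legitimately uses (hypothetical; set to your own domain).
OWN_HOSTS = {"example-weather.org", "www.example-weather.org"}

# <link rel="canonical" href="..."> with the attributes in either order.
CANONICAL_RE = re.compile(
    r"<link\b[^>]*\brel\s*=\s*[\"']canonical[\"'][^>]*\bhref\s*=\s*[\"']([^\"']+)[\"']"
    r"|<link\b[^>]*\bhref\s*=\s*[\"']([^\"']+)[\"'][^>]*\brel\s*=\s*[\"']canonical[\"']",
    re.IGNORECASE,
)

# Constructs typical of injected PHP. A hit is a lead to inspect, not proof.
SUSPICIOUS_RE = {
    "eval of a decoded payload": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
        re.IGNORECASE),
    "long base64 blob": re.compile(r"[\"'][A-Za-z0-9+/]{200,}={0,2}[\"']"),
    "hex-escaped string": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
    "preg_replace with /e modifier": re.compile(
        r"preg_replace\s*\(\s*[\"']/[^\"']*/[a-zA-Z]*e[a-zA-Z]*[\"']"),
}

FILE_EXTS = (".php", ".html", ".htm", ".js", ".htaccess")


def canonical_hosts(text):
    """Return the hostname of every canonical link found in text."""
    hosts = []
    for m in CANONICAL_RE.finditer(text):
        host = urlparse(m.group(1) or m.group(2)).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def scan_file(path, own_hosts=OWN_HOSTS):
    """Return (path, message) findings for one file."""
    findings = []
    try:
        text = Path(path).read_text(errors="replace")
    except OSError:
        return findings
    for host in canonical_hosts(text):
        if host not in own_hosts:
            findings.append((str(path), f"canonical points off-site: {host}"))
    for label, rx in SUSPICIOUS_RE.items():
        m = rx.search(text)
        if m:
            line = text.count("\n", 0, m.start()) + 1
            findings.append((str(path), f"{label} at line {line}"))
    return findings


def scan_tree(root, own_hosts=OWN_HOSTS, changed_since=None):
    """Walk root; also flag files modified after the changed_since epoch
    timestamp (for example the date of your last known-good backup)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(FILE_EXTS):
                continue
            path = Path(dirpath) / name
            if changed_since is not None and path.stat().st_mtime > changed_since:
                findings.append((str(path), "modified since baseline"))
            findings.extend(scan_file(path, own_hosts))
    return findings


def demo():
    """Constructed web root: one clean page, one injected canonical, one dropper."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    clean = root / "index.php"
    clean.write_text('<?php include "header.php"; ?>\n'
                     '<link rel="canonical" href="https://www.example-weather.org/">\n')
    month_ago = time.time() - 30 * 86400
    os.utime(clean, (month_ago, month_ago))          # untouched for a month
    (root / "footer.php").write_text(                # injected tag, constructed
        '</div>\n<link href="https://crackheaps.com/" rel="canonical">\n')
    (root / "wp-cache.php").write_text(              # hypothetical dropper name
        '<?php eval(base64_decode("' + "QUFB" * 60 + '")); ?>\n')
    return scan_tree(root, changed_since=time.time() - 7 * 86400)


if __name__ == "__main__":
    for path, msg in demo():
        print(f"{msg}: {path}")
```

Run it against a copy of the site with scan_tree('/path/to/htdocs', changed_since=...) set to the epoch time of the last backup you trust, then compare each hit against that backup rather than deleting on sight: a long base64 string can also be a legitimately embedded image or font. Nothing here proves the site clean; it narrows down where to look, and the "modified since baseline" list is usually the quickest lead.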

Re: Website hacked

Posted: Fri 30 Apr 2021 11:08 pm
by ConligWX
You have a serious number of ports open against your domain (13 TCP ports out of 1000). Do you really need that many?

I'm guessing either a web port or SQL port injection.

also you have missing http header settings:

Strict-Transport-Security
X-Frame-Options
X-XSS-Protection

You should be able to enable these via .htaccess if you're running Apache.

Re: Website hacked

Posted: Sat 01 May 2021 12:32 am
by KarlS
ConligWX wrote: Fri 30 Apr 2021 11:08 pm You have a serious number of ports open against your domain (13 TCP ports out of 1000). Do you really need that many?

I'm guessing either a web port or SQL port injection.

also you have missing http header settings:

Strict-Transport-Security
X-Frame-Options
X-XSS-Protection

You should be able to enable these via .htaccess if you're running Apache.
@simon

For me this isn't really helpful. This is a weather enthusiast forum, so most of us don't know about "web port or SQL port injection" or even the .htaccess file on our hosting platform. Instead of requiring me to google all this info, why don't you just say what changes need to be made to the .htaccess file or how to restrict port access?

Re: Website hacked

Posted: Sat 01 May 2021 1:18 am
by saratogaWX
On shared hosting platforms, website owners seldom have the ability to control/filter ports open to the internet; that's determined by the hosting company. Usually, they are conservative and only open ports necessary for operation or maintenance by the website owners: 80/443 for web, 21 for FTP, 22 for SSH, 53 (UDP) for DNS, and perhaps some ports for mail (POP/IMAP/SMTP). Normally SQL server direct access is blocked from the internet (thank goodness!), so SQL injection attacks are only successful against poorly designed/configured apps getting stuff jammed into arguments (GET/POST or supplied cookies).

Also, on a shared server, if one of the websites is compromised, and the miscreant is lucky, they might be able to infect multiple sites via the filesystem for the webserver.

The vast majority of personal weather websites using the default weather software template, my, or Wim's PHP templates will not experience the issues unless they install other software that might have poor argument handling. I know that both Wim and I screen/distrust all things arriving via arguments to scripts.

As for adding extra headers to .htaccess, I don't really recommend it unless you really know what you are doing; it's very easy to make an error in .htaccess and cause your site to 500 error everything.

BTW, the scan of the website showed no back-door RCE portals on the site.
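ConligWX lists three missing response headers, and Ken warns that a bad .htaccess edit 500s the whole site. The script below is an added example (not code from either of them, and not the weather templates' own) that checks a set of response headers for those gaps and prints the matching Apache directives wrapped in <IfModule mod_headers.c>, so that the directives are skipped rather than fatal when mod_headers is not loaded. The sample response is constructed, not captured from any real host, and the recommended values in SAFE_VALUES are assumptions in line with current OWASP guidance. One caveat to the list in the thread: X-XSS-Protection is obsolete, since browsers have removed the XSS auditor it controlled, so the tool recommends setting it to 0 or dropping it rather than enabling it.

```python
"""Audit security response headers and emit guarded .htaccess directives
for the gaps. Added example; sample response and recommended values are
assumptions, not taken from any real host."""
import http.client
import re

ONE_YEAR = 31536000  # HSTS max-age in seconds; one year is the usual advice


def parse_raw_response(raw):
    """Header dict from a raw HTTP response (status line first); repeated
    headers are joined with a comma, as RFC 9110 allows."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:            # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            headers[key] = (headers[key] + ", " if key in headers else "") + value.strip()
    return headers


def fetch_headers(host, path="/"):
    """Live check: HEAD request over HTTPS (not used by the demo)."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", path)
    return {k.lower(): v for k, v in conn.getresponse().getheaders()}


def audit_headers(headers):
    """Return (header, problem) pairs for missing or weak settings."""
    h = {k.lower(): v for k, v in headers.items()}
    issues = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        issues.append(("Strict-Transport-Security", "missing"))
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < ONE_YEAR:
            issues.append(("Strict-Transport-Security", "max-age shorter than one year"))

    xfo = h.get("x-frame-options")
    if xfo is None:
        issues.append(("X-Frame-Options", "missing"))
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        issues.append(("X-Frame-Options", f"unsupported value {xfo!r} (ALLOW-FROM is obsolete)"))

    if "x-content-type-options" not in h:
        issues.append(("X-Content-Type-Options", "missing"))

    # Browsers removed the XSS auditor; anything other than 0 is obsolete.
    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        issues.append(("X-XSS-Protection", "obsolete; set to 0 or remove"))
    return issues


SAFE_VALUES = {  # assumed recommendations, adjust to your site
    "Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "0",
}


def htaccess_snippet(issues):
    """Apache directives for the flagged headers. The <IfModule> guard skips
    them when mod_headers is absent; it does not save you from a typo or
    from a host whose AllowOverride forbids Header, both of which still 500."""
    lines = ["<IfModule mod_headers.c>"]
    for header, _ in issues:
        lines.append(f'    Header always set {header} "{SAFE_VALUES[header]}"')
    lines.append("</IfModule>")
    return "\n".join(lines)


SAMPLE_RESPONSE = (  # constructed, not captured from any real host
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 30 Apr 2021 20:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)


def demo():
    issues = audit_headers(parse_raw_response(SAMPLE_RESPONSE))
    return issues, htaccess_snippet(issues)


if __name__ == "__main__":
    issues, snippet = demo()
    for header, problem in issues:
        print(f"{header}: {problem}")
    print(snippet)
```

Before pasting the snippet into a live .htaccess, keep a copy of the working file, try the lines in a test subdirectory first, and confirm with fetch_headers('your.host') or curl -I that the headers actually arrive. Send Strict-Transport-Security only once every page and asset is reachable over HTTPS: browsers cache it for the max-age period and will refuse plain-HTTP URLs on the domain for that long.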

Re: Website hacked

Posted: Sat 01 May 2021 5:32 am
by HansR
saratogaWX wrote: Sat 01 May 2021 1:18 am As for adding extra headers to .htaccess, I don't really recommend it unless you really know what you are doing.. it's very easy to make an error in .htaccess and cause your site to 500 error everything.
Second that :!:

Re: Website hacked

Posted: Sat 01 May 2021 2:33 pm
by RayProudfoot
How depressing that some low life would do this to something as innocuous as a weather site.

My visitor counter shows China as 7th and Russia as 14th in most visits since May 2009. With over 215,000 visits from 131 countries I’ve yet to suffer this problem. My newest country is Libya! :o

Is it related to the quality of your hosting company's security? Are we expected to be web security experts regarding all this? I wouldn't know where to start, which is why I leave the hosting to people who know what they're doing. HostPresto does my hosting and seems very good.

Re: Website hacked

Posted: Sat 01 May 2021 3:23 pm
by Mapantz
RayProudfoot wrote: Sat 01 May 2021 2:33 pm HostPresto does my hosting and seems very good.
That's who I am with.

It's down to the end user to try and keep a website free of anything malicious. Using Google's inspection tool is helpful in finding out if there's any issues, which is how I found mine.

Canonical hacks are becoming more widespread it seems.

Anyway, I have managed to fix it. I requested a new index from Google's bot yesterday, and today it has now put me back in the listings. I always have full website backups at the ready if something goes really bad, so I can reset my whole site.

Re: Website hacked

Posted: Sat 01 May 2021 3:59 pm
by RayProudfoot
@Mapantz, well that’s concerning but as I said in my earlier post I just don’t have those skills and have no real desire to learn them. It’s like saying that because you enjoy driving you should be capable of fixing your car when it goes wrong.

Maybe I have fewer ports open. And after last month’s HDD crash my backup strategy was proven to be reliable.

Re: Website hacked

Posted: Sat 01 May 2021 6:20 pm
by ConligWX
RayProudfoot wrote: Sat 01 May 2021 2:33 pm How depressing that some low life would do this to something as innocuous as a weather site.

My visitor counter shows China as 7th and Russia as 14th in most visits since May 2009. With over 215,000 visits from 131 countries I’ve yet to suffer this problem. My newest country is Libya! :o

Is it related to the quality of your hosting company's security? Are we expected to be web security experts regarding all this? I wouldn't know where to start, which is why I leave the hosting to people who know what they're doing. HostPresto does my hosting and seems very good.
Unfortunately we hope and pray all hosting companies of our data look after it all the time, but that is never the case.

15 days of stats (these are malicious attempts against my own Webserver)

[Attached screenshots threat1.JPG and threat2.JPG: IDS threat statistics]
Just shows you no one is safe.

Re: Website hacked

Posted: Sat 01 May 2021 7:59 pm
by HansR
And how do you classify those?
What is the analysis method?

Re: Website hacked

Posted: Sat 01 May 2021 10:46 pm
by ConligWX
HansR wrote: Sat 01 May 2021 7:59 pm And how do you classify those?
What is the analysis method?
The UDM Pro I have has built-in DPI and then IPS/IDS software (Suricata v5.05). The GUI allows you to select various levels of sensitivity (1-5) and then customize the threat management threat types (35 of them in total).

Re: Website hacked

Posted: Sun 02 May 2021 12:55 am
by HansR
Well, nice. I assume this UDM is the abbreviation for the Ubiquiti Dream Machine. But it is also not very common, not cheap (for just a router) and not something for the average meteo hobbyist (neither is Suricata). And apparently you host your own site, because this does not help for detection at the hoster, I think. Or am I missing something?
It is a techie's play toy.