Cerberus X website down

Started by MikeHart, July 25, 2020, 10:27:48


MikeHart

Hi folks,


thanks to some a..hole, our website is down and I don't know how long it will take to come back, if the database is damaged and so forth.

MikeHart

Of course, this place here is fine too.

iWasAdam

my faith in you and my thoughts - It will take as long as it takes ;)

Derron

Managed hosting = daily backups (most often).
Just in case you did not think of it (log in and check if you can "restore" something).

Also some hosting setups allow you to do daily backups on your own (including mailing stuff to you); depending on what you set up in the past (and forgot about), you might even have backups here and there.


All the best.

Ron

MikeHart

Ron,


Guess what. My ISP does these backups automatically. Webspace AND DB. Webspace is restored, all faulty files removed, passwords changed. The DB will be restored if I notice any damage.


BUT...


for this I need my ISP to re-enable the domains/webspace. They have deactivated ALL my domains. And from what I gathered on the net, that can be a lengthy process. IF I succeed at all.

I am not even able to reroute my domains to a different place. Well, I set them, too, but nothing happens.

Derron

Hmm, this stuff of "deactivation" ... I once received a letter (not an email) from Strato (must be ~10 years ago) in which they informed me that my webhost was being used to send out malicious content (someone dropped a backdoor/shell script). I needed to sign that I do whatever is possible for me to have it fixed and that it won't happen anymore.

Normally it is up to you what you do with your webhost (assuming it is "legal" in the hoster's country) but they might have TOC (or AGB ;D) allowing them to suspend your account when they identify "doubtful" actions.


You could meanwhile create a "cerberusx.us.to" domain or another dynamic IP service which points to the IP of your webhost (assuming you run a (v)server, not just webspace). In the hosting you need to set up what website to "show" when using this domain (you can have virtual hosts, so depending on the domain you use, another "directory" is served; this way you only have one IP but e.g. 10 different domains and websites).


Nonetheless: good to have a restored backup. I would urgently check your scripts for vulnerabilities. Find out how they intruded into your system (I think of either your forum software or one of its addons). Especially if it was an "automatic hack" (a script checked your website, found a vulnerability, exploited it and placed some automatic malicious scripts, compared to a manual hack which did some individual stuff to you like "greeting all Cerberus users" or so). These "hack bots" will just return and do it again if you do not fix the security holes.

bye
Ron
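As an added example (not code from the thread, from Strato or from Cerberus X), one way to act on Ron's advice to check the restored webspace for planted scripts: a small Python heuristic that flags PHP files using obfuscation calls or long high-entropy string literals, the pattern Mike describes for updating.php. The sample webroot, file names and indicator labels are the example's own constructions.

```python
import base64
import math
import os
import re
import tempfile
# Heuristics for planted PHP droppers: obfuscation primitives plus long opaque string literals.
OBFUSCATION_CALL = re.compile(r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(")
LONG_BLOB = re.compile(r"['\"]([A-Za-z0-9+/=]{200,})['\"]")

def shannon_entropy(s):
    """Bits per character; base64-encoded payloads sit near 6, English text near 4."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values()) if s else 0.0

def score_php_source(src):
    """Return the sorted, de-duplicated indicator labels found in one PHP source text."""
    hits = {"obfuscation-call:" + m.group(1) for m in OBFUSCATION_CALL.finditer(src)}
    for m in LONG_BLOB.finditer(src):
        if shannon_entropy(m.group(1)) > 4.5:
            hits.add("high-entropy-blob:%d-chars" % len(m.group(1)))
    return sorted(hits)

def scan_webroot(root):
    """Walk a webroot; map relative path -> indicators for every PHP file that trips a heuristic."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = score_php_source(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

def demo():
    """Constructed sample webroot (not the thread's real files): two droppers, one clean file."""
    blob = base64.b64encode(bytes(range(256))).decode()  # stand-in for an opaque payload
    samples = {
        "updating.php": '<?php eval(base64_decode("%s")); ?>' % blob,
        os.path.join("cgi-bin", "dropper.php"): '<?php eval(gzinflate(base64_decode("%s")));' % blob,
        "index.php": "<?php echo 'Cerberus X'; ?>",
    }
    root = tempfile.mkdtemp()
    for rel, src in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(src)
    return scan_webroot(root)  # {'updating.php': [...], 'cgi-bin/dropper.php': [...]}
```

This is a triage aid for finding what to look at first; it does not replace diffing the restored tree against a clean download of the forum and WordPress packages.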

Qube

That's really crappy for some twat to hack a site that has zero benefit to them for doing so. Probably some script kiddie who's got a script looking for that particular forum all over the web so he can boast to his "online friends" that he's hacked a site (using someone else's tools). Such a legend :(

Hope you get it all up and running soon again and find / fix the way they got in.

Wonder if we're next ::)
Mac Studio M1 Max ( 10 core CPU - 24 core GPU ), 32GB LPDDR5, 512GB SSD,
Beelink SER7 Mini Gaming PC, Ryzen 7 7840HS 8-Core 16-Thread 5.1GHz Processor, 32G DDR5 RAM 1T PCIe 4.0 SSD
MSI MEG 342C 34" QD-OLED Monitor

Until the next time.

MikeHart

Quote from: Derron on July 25, 2020, 12:25:34
Hmm, this stuff of "deactivation" ... I once received a letter (not an email) from Strato (must be ~10 years ago) in which they informed me that my webhost was being used to send out malicious content (someone dropped a backdoor/shell script). I needed to sign that I do whatever is possible for me to have it fixed and that it won't happen anymore.

Normally it is up to you what you do with your webhost (assuming it is "legal" in the hoster's country) but they might have TOC (or AGB ;D) allowing them to suspend your account when they identify "doubtful" actions.


You could meanwhile create a "cerberusx.us.to" domain or another dynamic IP service which points to the IP of your webhost (assuming you run a (v)server, not just webspace). In the hosting you need to set up what website to "show" when using this domain (you can have virtual hosts, so depending on the domain you use, another "directory" is served; this way you only have one IP but e.g. 10 different domains and websites).


Nonetheless: good to have a restored backup. I would urgently check your scripts for vulnerabilities. Find out how they intruded into your system (I think of either your forum software or one of its addons). Especially if it was an "automatic hack" (a script checked your website, found a vulnerability, exploited it and placed some automatic malicious scripts, compared to a manual hack which did some individual stuff to you like "greeting all Cerberus users" or so). These "hack bots" will just return and do it again if you do not fix the security holes.

bye
Ron


1. Webhosting, so they control the domain routing. I can just wait or move everything to a different provider and move the domain.
2. They took all domains down because they were "wegen Mitstörerhaftung verpflichtet" (obliged to under Mitstörerhaftung, the German rule on liability for contributing to a disturbance).


How automatic it was I don't know. On my webspace I had several folders. One for CX, one for a static website, 2 for Strato-hosted WordPress sites. All domains are routed to the corresponding folders. But another unused domain was routed to the root folder. Anyway, in the root folder there was an updating.php script. The content looks like it is related to WordPress and had some big cryptic strings. Then they planted some other PHP scripts within the cgi-bin and cgi-data folders. One looked the same as this updating.php file. The same files were inside the CX installation. The CX files and WordPress files themselves were all untouched.
None of the sites has a contact form.


According to Strato they were sending mass spam emails from my webspace. How, I don't know. Normally they should have had access to my user login details, right? And wouldn't they need my email passwords for this?

MikeHart

Good news is, I was able to download the forum installation and now the DB. And it looks like no harm was done to it. But that is just judging by a look via phpmyadmin.

3DzForMe

Any publicity is good publicity, opened up my Cerberus 64 today and she compiles a treat 😁👍, Kudos for keeping and evolving the MonkeyX spirit. 👍
BLitz3D, IDEal, AGK Studio, BMax, Java Code, Cerberus
Recent Hardware: Dell Laptop
Oldest Hardware: Commodore Amiga 1200 with 1084S Monitor & Blitz Basic 2.1

Qube

Quote from: MikeHart
Good news is, I was able to download the forum installation and now the DB. And it looks like no harm was done to it. But that is just judging by a look via phpmyadmin.
That's good news from bad at least.

Also if things look like they're going to take a while then I'm happy to host on our server in your own private corner. Just give me a slap if needed :)

MikeHart

Quote from: 3DzForMe on July 25, 2020, 20:06:43
Any publicity is good publicity, opened up my Cerberus 64 today and she compiles a treat 😁👍, Kudos for keeping and evolving the MonkeyX spirit. 👍
That is good to hear.

MikeHart

Quote from: Qube on July 26, 2020, 02:08:39
Quote from: MikeHart
Good news is, I was able to download the forum installation and now the DB. And it looks like no harm was done to it. But that is just judging by a look via phpmyadmin.
That's good news from bad at least.

Also if things look like they're going to take a while then I'm happy to host on our server in your own private corner. Just give me a slap if needed :)


Thanks buddy, let's wait and see what Strato does.

Amon

I hope everything gets back online. Cerberus-X is a wonder to use thanks to mike. The website and forums were perfectly maintained and the community has some really cool members.

I never understood why people deface/hack websites. I guess the only logical conclusion would be that these types of people suffer from small penis problems.

Derron

Strato is a mess these days ... we vserver users had veeeeery slow IO sometimes. So slow that processes started hanging in dead loops and whatever; the guys of Holarse Linux gaming (running a multitude of game servers and the like, on Strato) had even more serious issues :D.
Strato then finally announced publicly (1 or 2 months ago) that they have issues which they are investigating .... wow ... you know I opened a ticket for this last year? And since then I reinstalled my server (assumed a malicious script hiding from me), rebooted every 1-2 weeks to resolve issues for a while, as even the mail server stopped working randomly.

They "fixed" it then (after the public announcement) and since then it "almost" works; I just randomly get Apache2 no longer responding (mail server works, Plex as admin tool still works, ... FTP and all works, just Apache is running but no longer reacting, logs do not show any error). Yeah, as the IO stuff is creeping back I assume they will "fix" it later "again".



@ Mitstörerhaftung
Yeah, this is what I described; I needed to send a letter (maybe they even accepted a "fax").

Surely they used a vulnerability in either WordPress, WordPress plugins or the forum, forum plugins. Once they have this (most often an upload or remote execution vulnerability) they place scripts, and these allow them to execute whatever they want (within the restrictions of your webhost).

So, similar to your forum or WordPress installation, these scripts could send mails .. and mails .... and mails.


Also take this into consideration: your domains (the ones they used for spamming) will now be listed on Spamhaus (zen) and other "black lists". Other webservers (like mine) contact these black lists when they receive a mail from your domain ... and if the black lists contain it, they (the mails) get rejected.

It takes a while until all the lists remove you from the active spammer list. For some you can (or even must) apply to be no longer "a spammer".

https://mxtoolbox.com/blacklists.aspx
http://www.anti-abuse.org/multi-rbl-check
....
(both do not list you ... which is GOOD!)


Writing this just in case your websites get reactivated and you wonder why eg some people cannot "register".

Also ensure: only use forum addons which get updates; use fewer but secure ones. Same for WordPress. The forum software and WordPress core are often well maintained (but also the target of vulnerability checks ... :D), but the addons/extra modules by 3rd parties are checked too, while not being maintained as properly in all cases.



@ why they hack
Bots ... automatic spam host take overs.


@ Qube
As good as your offer is: what happens if his websites get taken over again? Your ISP might approach you for spamming, and even close down your line (depends on the TOC of course, and your local laws). Take this into consideration.


@ MIKE
What I suggest to you is the following: move your domain to a different hosting service. First of all: domains are cheaper elsewhere than with Strato, 1und1 ... etc.
Second: you can just redirect your domain to a different IP / website easily.
So instead of https://h123443543.stratoserver.net (or similar) you point to a different spot on the web. Dunno if that is really feasible with "webspace" packages. I think Strato is one of the hosters now allowing "external domains" ("Aufschaltung externer Domains"). And if they offered it I am sure they would ask for some money for it.

All the cheaper hosts (https://wint.global https://www.netcup.de) allow such stuff but might struggle with other issues. Yet having "domains" on A and "space/servers" on B allows you to react to emergency cases like "B" shutting down your services for violating the TOC (e.g. by being hacked, or by doing dumb stuff on your own).



bye
Ron
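Ron's point about receiving mail servers consulting block lists, as an added example that is not part of the thread or of any hoster's tooling: a Python check of how a DNSBL lookup is actually built (reversed IPv4 octets, or the domain itself, prefixed to the list zone) and how the 127.0.x.y answer codes are read. The IP and domain values are documentation/test names, and fake_resolver is a constructed stand-in for DNS so the block runs offline.

```python
import ipaddress
import socket
# Public zones; zen.spamhaus.org is the "zen" list the post refers to. IP zones are queried
# with the reversed IPv4 address, domain zones with the sending domain itself.
IP_ZONES = ("zen.spamhaus.org", "bl.spamcop.net")
DOMAIN_ZONES = ("dbl.spamhaus.org",)

def dnsbl_query_name(ip, zone):
    """192.0.2.1 + zen.spamhaus.org -> 1.2.0.192.zen.spamhaus.org (octets reversed, zone appended)."""
    addr = ipaddress.IPv4Address(ip)  # rejects anything that is not an IPv4 literal
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def domain_query_name(domain, zone):
    return domain.rstrip(".").lower() + "." + zone

def lookup(name, resolve):
    """A record the list answers with, or None on NXDOMAIN (the normal 'not listed' answer)."""
    try:
        return resolve(name)
    except socket.gaierror:
        return None

def listings(names_by_zone, resolve):
    """zone -> answer for every zone that lists the query. Real listings are 127.0.x.y codes;
    127.255.x.y answers mean the query itself was refused (e.g. open resolver), not a listing."""
    found = {}
    for zone, name in names_by_zone.items():
        answer = lookup(name, resolve)
        if answer is not None and answer.startswith("127.0."):
            found[zone] = answer
    return found

def check_ip(ip, zones=IP_ZONES, resolve=socket.gethostbyname):
    return listings({z: dnsbl_query_name(ip, z) for z in zones}, resolve)

def check_domain(domain, zones=DOMAIN_ZONES, resolve=socket.gethostbyname):
    return listings({z: domain_query_name(domain, z) for z in zones}, resolve)

def fake_resolver(name):
    """Constructed offline stand-in for DNS: one listed IP (XBL code 127.0.0.4 = exploited host),
    one listed domain (DBL code 127.0.1.2 = spam domain), NXDOMAIN for everything else."""
    table = {"2.2.0.192.zen.spamhaus.org": "127.0.0.4",
             "spam-example.test.dbl.spamhaus.org": "127.0.1.2"}
    if name in table:
        return table[name]
    raise socket.gaierror(-2, "Name or service not known")

if __name__ == "__main__":
    print(check_ip("192.0.2.2", resolve=fake_resolver))  # {'zen.spamhaus.org': '127.0.0.4'}
    print(check_domain("cerberus-example.test", resolve=fake_resolver))  # {}
```

Dropping the resolve argument queries the real zones through the system resolver, which is what a receiving MTA does per incoming connection; the web checkers Ron links do the same against many zones at once.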