Cerberus X website down

Started by MikeHart, July 25, 2020, 10:27:48


MikeHart

Thanks Ron for the tips.

I will wait a few more days and then, if nothing happens, move everything to a different ISP. Wordpress I will never touch again. Imho you can't make it secure for the functionality it needs these days. Back to static websites it is.
The forum software is Xenforo, but it doesn't use the latest update as the license ran out. It is one version behind. So far no issues with that part. Might migrate it to MyBB.
Definitely I learned my lesson here. I will enable SFTP only when needed and do a write block on all parts of the webspace where no data is stored. In the forum these are the attachments of posts and avatars.

Derron

Of course you could remove write access to certain directories - but directory traversal attacks come from security vulnerabilities in "backends" (admin tools of stuff like a forum) or upload scripts ("user avatar upload") and the likes.

There are plenty of things "to do" - eg having your scripts not running in "htdocs" etc (which is default for webspace). In most cases you can just fly "under the radar" - means you are just not popular enough to get attacked by "human beings". You only get attacked by scripts - so ensure you keep your stuff updated, hide the version of the forum software / WordPress (as they use it to identify - amongst blind tries - what vulnerabilities can be used, and to "look via google" who uses software version x.y.z).

If you move to a vserver/server you need to care for even more (fail2ban to avoid ssh-logins, email server setup/config to not get rejected by others) ... securing webspace in most cases just means to patch the holes in the used software.
Static CMS is one way to go - you could even host this via github then (as a git page). For forum... yeah, use what you think suits best and is secure enough.

Then there is not much more you can do -- ok, keep your passwords non-leaked and non-trivial (login: cerberus password: cerberus).


bye
Ron

MikeHart

We should be up and running soon, Strato has informed me today that they checked the webspace and activated the access to it. As right now our domain points to SB, I have reset it back to my webspace and I am waiting for the change to go into effect.


Thank you for your patience.

MikeHart

Ok, our domain points now back to my webspace!!!  ;D

Qube


Until the next time.

Xaron

I could update Xenforo if you like? (edit: but apparently I'm not an admin anymore, which ofc makes sense if not active there ;))

Out of curiosity: Which wordpress plugin was the security hole? Because wordpress itself (if up to date) is pretty rocksolid.

MikeHart

Quote from: Xaron on July 30, 2020, 14:47:08
I could update Xenforo if you like? (edit: but apparently I'm not an admin anymore, which ofc makes sense if not active there ;) )
Yup, that was the reason as you didn't want to be part of the CX development anymore and concentrate on your games. Totally understandable.
Personally I think Xenforo was not the entry point. The automatic rejection of spammers signing up works great so far.
Also updating would mean new licenses to Xenforo, Resources, Media lib and the portal.
I would rather switch to a different forum.

Quote from: Xaron on July 30, 2020, 14:47:08
Out of curiosity: Which wordpress plugin was the security hole? Because wordpress itself (if up to date) is pretty rocksolid.

I can't really tell you which one or if any at all. Besides some DSGVO stuff and page builder, nothing out of the ordinary. All updated to the latest versions.

Strato couldn't really tell how the malicious scripts were planted. They also suggested that our PCs were maybe infected with a keylogger but MS Defender and 2 virus checker brought up nothing.
Maybe my wife had comments open on her blog, I don't know.
I have wiped everything besides the forum from my webspace and will part ways with Strato soon. Still deciding where to go.

iWasAdam

great news :) Has it allowed you to 'find the holes'? where the little beastie got in?

MikeHart

Like I said before, I don't know. Because of that we nuked our wordpress sites, an old static website, removed the ftp and sftp access, and put a write block on everything that shouldn't be written to. Changed all passwords.

Derron

I doubt passwords were the problem
I doubt static websites were the problem


Typical access via:
- google search for specific software versions
- - automatically "pen testing" for the vulnerabilities
- - breaching in automatically
- - automatically deploying the "shell script"
- - adding the list to the shell script to the bot army list
- - get automatically controlled via "remote" as all the other bot net slaves ...

Sometimes they also manipulate hosted website scripts to contain stuff to automatically "refetch" the shell script in case of being deleted.
If they do not want to use your host as bot they might even have something installed which manipulates every html, htm, php, ... file to contain iframes etc (this was happening to me some years ago ... leading to a lifetime ban of google adsense and a letter from strato requesting me to explain...)


Next to "software specific" testing they also check stuff for common "names" ... like "contact.php" or similar (just in case you removed version tags etc). Scripts can identify forms in websites pretty well and then try to attack them - by trying to exploit non-sanitized data ... so eg.

myhost.tld/contact.php?email=mymail@host.tld'); DROP TABLE importantDB;

might create issues if you do not properly sanitize data. Most modern code does handle all this stuff - but sometimes you simply forgot about an old script lurking around somewhere (in my case a forum-image-signature-generator was error prone ...)


bye
Ron
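The contact.php payload quoted in the post above, run through a small Python stand-in for an old unsanitized script and then through a parameterized version. This is an added example, not code from the thread or from any of the software discussed; the table name, the helper names and the in-memory database are constructed for the demo, and the vulnerable function uses sqlite3's executescript() because, like mysqli::multi_query() in PHP, it accepts several statements in one call (a driver that refuses stacked statements would blunt this particular payload but not other injections through the same string concatenation).

```python
import sqlite3

# Payload quoted in the post above: it closes the string literal and the
# INSERT, then stacks a DROP TABLE behind it.
PAYLOAD = "mymail@host.tld'); DROP TABLE importantDB;"


def fresh_db():
    """Constructed sample database: one table with one row, in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE importantDB (id INTEGER PRIMARY KEY, email TEXT)")
    conn.execute("INSERT INTO importantDB (email) VALUES ('existing@host.tld')")
    conn.commit()
    return conn


def table_exists(conn, name="importantDB"):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def save_contact_vulnerable(conn, email):
    """Hypothetical old contact.php logic, rewritten in Python: the query is
    glued together from user input and handed to an API that accepts several
    statements per call (executescript here, mysqli::multi_query in PHP)."""
    sql = "INSERT INTO importantDB (email) VALUES ('" + email + "')"
    try:
        conn.executescript(sql)
        return "ok"
    except sqlite3.OperationalError:
        # The leftover "')" behind the injected DROP is a syntax error, but
        # the INSERT and the DROP have already been executed by then.
        return "syntax error after the injected statements ran"


def save_contact_parameterized(conn, email):
    """Hardened form: a placeholder keeps the input as data, so the quote and
    the semicolon in the payload are stored literally and never parsed as SQL."""
    conn.execute("INSERT INTO importantDB (email) VALUES (?)", (email,))
    conn.commit()
    return "ok"


def run_demo(payload=PAYLOAD):
    """Runs the payload through both versions and reports what is left."""
    results = {}

    conn = fresh_db()
    results["vulnerable_status"] = save_contact_vulnerable(conn, payload)
    results["vulnerable_table_survives"] = table_exists(conn)

    conn = fresh_db()
    results["parameterized_status"] = save_contact_parameterized(conn, payload)
    results["parameterized_table_survives"] = table_exists(conn)
    stored = conn.execute("SELECT email FROM importantDB WHERE id = 2").fetchone()[0]
    results["parameterized_stored_payload_literally"] = stored == payload
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point to take from the vulnerable path is that the syntax error at the end of the injected string arrives too late: the database had already executed the DROP when it choked on the trailing `')`. Escaping the input by hand would also close this hole, but placeholders do it without depending on anyone remembering the right escaping rules for every field.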

MikeHart

We have no contact form. The only access would be through a post or reply. Xenforo itself does a file health check. All files of our versions are as they should be. If it gets attacked again, that forum gets nuked and we move to Discord.

Derron

Contact form was just a sample. For forums it is "post.php" (or other stuff) which gets "checked" (penetration testing) if they accept invalid input to break sanitization efforts.

Forums eg allow "bbcode" (or markup or ...) and if this is not done properly, you could inject html code to attack your visitors with malicious javascript stuff (XSS Attacks).

But all in all it does not matter now as you are only on "webspace" so you do not have log files which would show the accesses to your stuff and the parameters they tried.


bye
Ron
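The BBCode-to-HTML problem from the post above, as an added example that is not code from the thread or from Xenforo: a naive renderer that swaps [b] and [url=...] tags for HTML without escaping the rest, beside a version that escapes the whole post first and only then translates an allowed subset, rejecting link targets that are not http(s). The sample posts are constructed probes of the kind a scanning script would submit to a forum's post endpoint; all function names are hypothetical.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample posts: what a scanning script might submit to a forum's
# post endpoint to probe the BBCode-to-HTML conversion.
SAMPLE_POSTS = [
    "[b]hello[/b]",
    "[b]hi[/b]<script>alert(document.cookie)</script>",
    "[url=javascript:alert(1)]click me[/url]",
    "[url=https://example.org/]a link[/url]",
    '[url=https://example.org/" onmouseover="alert(1)]hover[/url]',
]

BOLD_RE = re.compile(r"\[b\](.*?)\[/b\]", re.DOTALL)
URL_RE = re.compile(r"\[url=(.*?)\](.*?)\[/url\]", re.DOTALL)


def render_vulnerable(post):
    """Hypothetical naive renderer: swaps BBCode for HTML and passes
    everything else through untouched, so a raw <script> survives and the
    url= value lands inside href without any checks."""
    out = BOLD_RE.sub(r"<b>\1</b>", post)
    out = URL_RE.sub(r'<a href="\1">\2</a>', out)
    return out


def _safe_href(raw):
    """Allow only http(s) links with a host; javascript:, data: and junk are dropped."""
    candidate = raw.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return html.escape(candidate, quote=True)
    return None


def render_hardened(post):
    """Escape the whole post first, then translate the BBCode subset we allow.
    Because escaping happened before substitution, the only angle brackets and
    quotes in the output are the ones this function emits itself."""
    escaped = html.escape(post, quote=True)
    out = BOLD_RE.sub(r"<b>\1</b>", escaped)

    def url_repl(match):
        # The url= value was escaped along with the rest; unescape it to
        # validate, then _safe_href re-escapes what goes into the attribute.
        href = _safe_href(html.unescape(match.group(1)))
        if href is None:
            return match.group(2)  # keep the link text, drop the bad target
        return f'<a href="{href}" rel="nofollow">{match.group(2)}</a>'

    return URL_RE.sub(url_repl, out)


def contains_active_content(rendered):
    """Crude check used for the demo: a live script tag, a javascript: href,
    or an event-handler attribute that escaped the href quoting."""
    lowered = rendered.lower()
    return (
        "<script" in lowered
        or 'href="javascript:' in lowered
        or 'onmouseover="' in lowered
    )


def audit(renderer, posts=SAMPLE_POSTS):
    """Number of sample posts whose rendering still carries active content."""
    return sum(1 for post in posts if contains_active_content(renderer(post)))


if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print("vulnerable:", render_vulnerable(post))
        print("hardened:  ", render_hardened(post))
    print("vulnerable renderer, posts with active content:", audit(render_vulnerable))
    print("hardened renderer, posts with active content:  ", audit(render_hardened))
```

The order matters more than the regexes: escaping after substitution would also neutralize the `<b>` tags the renderer meant to emit, while escaping before substitution lets the renderer be the only source of markup. The scheme allow-list on `href` is the second half; escaping alone leaves `javascript:` links fully functional, since they contain nothing that needs escaping.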

Xaron

Xenforo is one of the most well designed and secured forum software out there. It's done by the good old vBulletin 3.x devs who left the company years back to found Xenforo. And I still think that Discord can be a nice addition but never replaces a forum, it's a chat with all pros and cons and actually Cerberus once had a Discord...

MikeHart

I agree with you Martin but if I have to constantly fight this shit for a hobby project, then I go the way that is less painful. Many OSS projects support their users on Discord these days. Forge Engine, Raylib, FNA to name a few.