Question: Possible hack into my hosting account
- potain (Topic Author, Junior Member)
Hi
My website has suddenly been suspended by my provider and fearing a hack of some sort I contacted him and he replied with the following reasons:
"It was a block from spamhaus on the server IP address (not your individual IP, just the shared web hosting IP for all domains).
We found another user that was sending out spam emails and assumed it was them, corrected the issue, requested a removal of the IP which was successful.
There was then another block the next day, for the same reason. So we investigated further and found traffic from your account."
"The listing of the IP is resolved (and now showing clear) because removal was successful. However the issue on your account isn't (only because the account is suspended)."
He then asks: "Does your program (webtrees) make any outbound connections that you are aware of?
So we just need further information about your program and webtrees before we progress.
Also if your site has some sort of login (Eg a login to webtrees) this could’ve been compromised too."
As far as I know the answer is no but thought it best to check with you.
I haven't accessed the site for a while (2nd of March) so it's not me spamming, but now I can't log into webtrees to check the web site logs, to change the admin password or check emails, nor log into cPanel.
Any help or suggestion will be very welcome; thanks in advance.
Novice in all webtrees matters and in every respect
- fisharebest (Administrator)
Yes:
* Once a day, it makes a connection to dev.webtrees.net to check for updates.
* If there are pending changes or new user registrations or contact messages, then it connects to an SMTP server to send mail.
> Also if your site has some sort of login (Eg a login to webtrees) this could’ve been compromised too."
I guess that's possible. You could compare the files on your site with a "clean" copy from webtrees.zip, and look for differences.
Of course, a compromise could have come from other software (or other users) on the server.
> found traffic from your account
Details, logs, etc. are always useful. Otherwise we can only guess and speculate.
Greg Roach - greg@subaqua.co.uk - @fisharebest@phpc.social - fisharebest.webtrees.net
- potain (Topic Author, Junior Member)
I've forwarded your reply to the provider and hopefully he will provide some details of the incidents and rule out webtrees involvement at all in them.
Is it OK if I use your greg@subaqua.co.uk account to forward anything he sends?
Much obliged, potain.
- fisharebest (Administrator)
Sure!
- Andreas (Premium Member)
Already two weeks ago my provider told me that my two webtrees installations were infected and vulnerable.
Some time before, we noticed that the websites were very slow and failed often.
On 20 March the provider proposed that I reinstall a fresh CMS on the two sites and change my passwords.
So I did, and I thought that's OK.
Today I noticed in the admin panel the following error message on both websites:
Both MAUPILLÉ & RAUHUT families are using webtrees V2.1.18
- fisharebest (Administrator)
> So I did and I thought that's OK.
TIP: Before you do this:
* download all the webtrees files from your server.
* download a "clean" copy of code from github.com
Compare the files to see if any have been modified.
(Meld is a good tool for this: meldmerge.org)
If the files are the same, then your site has not been hacked.
If the files are different, then look on the server to see the timestamp that it was changed.
Then look at your logs to see what happened at that time.
If there are any suspicious requests at this time, then it might explain the cause.
If there are no web requests at that time, then perhaps it was caused by another site on the same server.
> Today I noticed in the admin panel the following error message on both websites
Can you give me the timestamp for this message and the IP address of your server?
I can check if the request reached my server.
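A worked version of this comparison, added here as an example and not code from the webtrees project or from Greg's post: it hashes a clean release tree against the downloaded site tree (skipping data/, which holds the site's own configuration, media and cache rather than release code) and lists added, missing and modified files together with their modification times. The mtimes are only meaningful when the script is run on the server itself; a downloaded copy carries the download time.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream-hash one file so large media files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def index_tree(root: Path, ignore: tuple) -> dict:
    """Map relative path -> sha256 for every file, skipping top-level dirs in `ignore`."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file() and p.relative_to(root).parts[0] not in ignore
    }


def compare_trees(clean: Path, live: Path, ignore: tuple = ("data",)) -> dict:
    """Diff a clean release tree against the live site tree by content hash."""
    clean_idx, live_idx = index_tree(clean, ignore), index_tree(live, ignore)
    modified = sorted(p for p in clean_idx if p in live_idx and clean_idx[p] != live_idx[p])
    added = sorted(set(live_idx) - set(clean_idx))   # files the release never shipped
    missing = sorted(set(clean_idx) - set(live_idx))
    # The mtime of each changed file is the window to search in the access log.
    # Only meaningful on the server itself: a downloaded copy gets fresh mtimes.
    mtime = {p: datetime.fromtimestamp((live / p).stat().st_mtime, timezone.utc)
             .isoformat(timespec="seconds") for p in modified + added}
    return {"modified": modified, "added": added, "missing": missing, "mtime": mtime}


def demo() -> dict:
    """Constructed sample (not a real site): a clean tree and a live copy with
    one edited file, one extra PHP file and the site's own data/ directory."""
    base = Path(tempfile.mkdtemp())
    for name, text in (("index.php", "<?php // release"), ("app/Foo.php", "<?php // foo")):
        for tree in ("clean", "live"):
            f = base / tree / name
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(text)
    (base / "live" / "index.php").write_text("<?php // release\n// edited")
    (base / "live" / "app" / "extra.php").write_text("<?php // not in the release")
    data = base / "live" / "data"
    data.mkdir()
    (data / "config.ini.php").write_text("; site config, not release code")
    return compare_trees(base / "clean", base / "live")
```

On a real site, call compare_trees(Path("clean"), Path("live")) with the unpacked release and the server copy.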
- Andreas (Premium Member)
But it's too late. I refreshed the files without comparing them with the old modified ones.
You asked me:
Can you give me the timestamp for this message and the IP address of your server?
Please tell me how to do so. Where will I find this information?
The time must be the moment I log into the admin panel, and the IP is the IP of wt.rauhut.eu = 87.98.247.17
- fisharebest (Administrator)
So I guess the HTTP request fails before it reaches dev.webtrees.net.
- Andreas (Premium Member)
But I think this error message comes from the webtrees request for a new version, which fails.
The website is using the latest version of webtrees.
- fisharebest (Administrator)
The requests stop on 23 March 2023.
This IP address belongs to OVH, and I can see requests from six different webtrees sites at the same IP address.
I guess your site is on a shared host.
The other five sites continue to make requests until today.
So, if other sites at the same IP address are making requests, but your site is not, then I guess the issue is with your site?
- Andreas (Premium Member)
Now the error on my webtrees pages has disappeared.
Thanks for your information and help.
- potain (Topic Author, Junior Member)
Sorry for the delay in getting back to you and this lengthy explanation.
It seems that the hackers were content with creating a few email accounts for spamming. How they penetrated the hosting’s defences is a mystery, it looks like the webtrees installation was not affected. Other issues have arisen though after erasing the email accounts and the suspension was lifted.
Another suspension later, and after the provider moved the files to a different server and restored them from a recent backup, the home page would not open (by way of explanation, I have a landing page which I kept from when the site was under construction, with a link to the genealogy installation within).
For some reason the page would not load but the link did, and the same with the home page link in Google, the landing page not being listed. Opened the htaccess file and index.html was properly listed. I presumed that since the page was not opening it was not being indexed by search engines. Very strange.
I thought that it had to do with HTTPS redirection, as Firefox kept asking to use the non-HTTPS connection. Found the setting in my server account to Force HTTPS Redirect and enabled it. The home page came back to life, but the genealogy site, which had been working, came back with a notice from Firefox of too many redirects that will never resolve. Very confusing.
Neither I nor the provider could work out what was going on, and then this notice appeared when connecting to the genealogy pages and is still the case:
This website is temporarily unavailable.
Oops! The webserver is unable to connect to the database server. It could be busy, undergoing maintenance or simply broken. You should try again in a few minutes or contact the website administrator.
could not find driver
The database reported the following error message:
could not find driver
If you are the website administrator, you should check that:
* the database connection settings in the file '/data/config.ini.php' are still correct (checked: correct)
* the folder '/data' and the file '/data/config.ini.php' have access permissions that allow the webserver to read them (checked: correct)
* you can connect to the database using other applications, such as phpmyadmin (checked: phpmyadmin connects and the db opens, OK)
With heaps of these in the public_html error.log:
[04-Apr-2023 04:03:12 UTC] PHP Warning: PHP Startup: Unable to load dynamic library 'pdo_mysql.so' (tried: /opt/alt/php72/usr/lib64/php/modules/pdo_mysql.so (/opt/alt/php72/usr/lib64/php/modules/pdo_mysql.so: cannot open shared object file: No such file or directory), /opt/alt/php72/usr/lib64/php/modules/pdo_mysql.so.so (/opt/alt/php72/usr/lib64/php/modules/pdo_mysql.so.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
The provider says that the only thing he changed "was an update to the PHP version".
So I am taking the advice on the notice: If you cannot resolve the problem yourself, you can ask for help on the forums at webtrees.net.
———-
BTW, only just came across the HTTPS instructions in the Administrator > Security documentation pages and have added the base_url to my data/config.ini.php file, disabled Force HTTPS Redirect and made sure the PHP version is 7.2; makes no difference.
I suspect that a reinstallation of webtrees might fix it but don't know how to go about doing it, as the Installing webtrees doc does not provide instructions for reinstalling it.
Actually, can you please let me know how, without access to the web pages, I can check through cPanel what version of webtrees is installed? webtrees-2.0.25.zip is listed for download but I can't find it on my computer, so it might be an earlier version. If so, upgrading to 2.0.25 will do the trick.
Thanks for listening, and any help and assistance will be much appreciated.
- norwegian_sardines (Platinum Member)
Ken
- potain (Topic Author, Junior Member)
"Ask your provider what version of PHP they upgraded to. It is probably 8.x and if so ask them to downgrade to v7.4 or install a newer version of webtrees."
Thanks norwegian sardines.
He said that he had updated the current version, not upgraded it. See the error.log at the time [04-Apr-2023 04:03:12 UTC]: it reports it as php72.
Yesterday, after he said that he had tried a few other versions, this is what was reported when trying to access the site:
PHP 7.4.33 detected.
webtrees 1.7 requires PHP 5.3 - 7.3.
potain wrote in post #11:
> disabled Force HTTPS Redirect and made sure the PHP version is 7.2; makes no difference.
Neither does using PHP 7.3.
Cheers
- fisharebest (Administrator)
I guess that your host has upgraded to a newer version of PHP, and that they did not install the php-pdo library for this version of PHP.
php-pdo allows PHP to connect to databases.
You must install PHP libraries again for each version of PHP.
Suggestion: temporarily remove the file data/config.ini.php.
Now when you start webtrees, you will see the setup wizard.
This will give you a list of missing libraries.
Then restore data/config.ini.php.
> a notice from Firefox of too many redirects that will never resolve
If you posted the URL where I could see this, I might be able to tell you why it is happening.
- potain (Topic Author, Junior Member)
From Weird To Jaw Dropping Puzzling
After sending your suggestion to my host, this is what he replied: "went to go check the PHP extension, and it seems to be active. But also when checking the site, it's loading properly now." How? A definite contender for inclusion in one of William Shatner's The UnXplained episodes.
Still very grateful and relieved that it's working again; however, using Firefox and after signing in via the link on the home page (http://www.mysite.com/genealogy/index.php?ctype=gedcom&ged=tree1) I am taken to the home page's (http://www.mysite.com/genealogy/) Index of /genealogy page and have to press the back button to view the actual logged-in page. Any idea why this is now occurring when it never did before, and how to fix it?
- Added screenshot of Index of /genealogy page signing in takes me to - ok for me as I have figured out that using the back button takes me to the logged in page but any other user would be totally confused.
You might recall that when putting the site together I chose for privacy / security reasons to use a phantom tree for visitors (the link above) whilst only logged in, registered users are given the link and access to the actual tree. I am glad to have made that decision and I sincerely hope that it offered me an extra layer of protection against their activities since if hackers had penetrated the site they would hopefully only have had access to an empty tree and GED file.
My lack of programming skills has dictated my recalcitrance to upgrade to version 2, and how to replicate this, the custom theme and the code adaptations made. Is this still a viable option to try and deploy with version 2?
HTTPS > fisharebest quote: "If you posted the URL where I could see this, I might be able to tell you why it is happening."
Thank you and I will but what still baffles me is this:
Case 1 (now mysteriously working):
* Firefox settings: "Don't enable HTTPS-Only Mode" selected
* data/config.ini.php: base_url="www.mysite.com/genealogy" => https://www.mysite.com/
* Server Force HTTPS Redirect: OFF
* http://www.mysite.com/genealogy/index.php?ctype=gedcom&ged=tree1 -> now mysteriously working
Case 2:
* Firefox settings: "Don't enable HTTPS-Only Mode" selected
* data/config.ini.php: base_url="https://www.mysite.com/genealogy" => https://www.mysite.com/
* Server Force HTTPS Redirect: ON
* http://www.mysite.com/genealogy/index.php?ctype=gedcom&ged=tree1 -> Firefox has detected that the server is redirecting the request for this address in a way that will never complete.
As this is the login page, a secure connection is more or less essential.
Is there a rogue setting on the hosting server that's causing this to occur?
Thanks muchly again.
- potain (Topic Author, Junior Member)
After pointing out to my provider that FF's "the server is redirecting the request for this address in a way that will never complete." only occurs after I set the Force HTTPS Redirect to ON in my account's cPanel Tools section, I asked him to investigate. He has taken over from his side after asking me to set it to OFF. I post his query and would welcome any suggestions / possibilities to report back to him:
"So the SSL certificate is now valid and working on the base URL mysite.com
But the actual genealogy site part seems to be forcing a redirect to both HTTP and 'www.'
The www. is not needed. So if you can find where webtrees is possibly forcing the www, this could be another factor to the issues. I tried to set a .htaccess force HTTPS rule, but it redirects back to www.
Is there somewhere that webtrees could force a redirect to www.?"
With regards to the other point (possibly related) where, after signing in, the Index of /genealogy page was loaded and "back buttoning" opened the tree1 welcome page: very confusingly it now opens the 'My page' page, this time with http://www.mysite.com/genealogy/index.php?ctype=gedcom&ged=tree1 in the address bar. An improvement, but still having to hit the back button to get to the tree's welcome page.
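To make the two configurations in potain's earlier post and the provider's "forcing www" observation reproducible, here is an added example (not code from webtrees or from anyone in this thread). It assumes two rules: the host's Force HTTPS Redirect rewrites any http:// request to https:// on the same host and path, and the application redirects any request whose scheme or host differs from base_url to the base_url scheme and host; the thread suspects but does not confirm that webtrees does the latter, and base_url is assumed to include a scheme. Following the redirects with a hop limit shows which combinations terminate and which loop.

```python
from urllib.parse import urlsplit, urlunsplit

MAX_HOPS = 10


def force_https_rule(url: str):
    """Server rule (cPanel 'Force HTTPS Redirect'): http:// -> https://, same host and path."""
    parts = urlsplit(url)
    return urlunsplit(("https",) + parts[1:]) if parts.scheme == "http" else None


def base_url_rule(base_url: str):
    """Assumed app rule: a request whose scheme or host differs from base_url is
    redirected to the base_url scheme and host, keeping path and query."""
    base = urlsplit(base_url)

    def rule(url: str):
        parts = urlsplit(url)
        if (parts.scheme, parts.netloc) != (base.scheme, base.netloc):
            return urlunsplit((base.scheme, base.netloc) + parts[2:])
        return None
    return rule


def follow(url: str, rules, max_hops: int = MAX_HOPS) -> dict:
    """Apply the rules in order (server before app) until none fires or a loop appears."""
    chain = [url]
    for _ in range(max_hops):
        nxt = None
        for rule in rules:
            nxt = rule(chain[-1])
            if nxt:
                break
        if nxt is None:
            return {"final": chain[-1], "hops": chain, "loop": False}
        if nxt in chain:  # same URL seen again: the browser's "will never complete"
            return {"final": None, "hops": chain + [nxt], "loop": True}
        chain.append(nxt)
    return {"final": None, "hops": chain, "loop": True}


def check(base_url: str, force_https: bool, request: str) -> dict:
    """Outcome for one combination of base_url, host setting and requested URL."""
    rules = ([force_https_rule] if force_https else []) + [base_url_rule(base_url)]
    return follow(request, rules)
```

With base_url on http and Force HTTPS on, the server sends the browser to https and the app sends it straight back, which is the loop Firefox reports; with base_url on https the chain ends after one hop, and a request to the bare host is sent to www. only because base_url names www.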
- potain (Topic Author, Junior Member)
Fish are absolutely and without reservation the very best when it comes to altruistic, expert help, assistance and problem solving, along with the same unselfish, exceptional service from my hosting provider.
Thank you indeed, much appreciated.
potain,
- hermann (Elite Member)
Hermann
Designer of the custom module "Extended Family"
webtrees 2.1.21 (all custom modules installed, PHP 8.3.12, MariaDB 10.6) @ ahnen.hartenthaler.eu
- potain (Topic Author, Junior Member)
Rather than starting a new thread, this sort of relates to hacking attempts.
In the last 2 weeks my admin email account has been flooded by someone trying to register new users with fake credentials and from different IP addresses, such as:
Username tdzDqTCsrHJhYRGa
Real name EFhkWOPAUlcKif
E-mail address valentins5etp@outlook.com
Comments ezGhmNCSQdUrqkv
My hosting provider says:
It doesn't necessarily mean it's a hacking attempt, but certainly a spamming of registrations. Do you have a registration captcha or anti-bot tool? The emails will keep on coming if they keep on registering, so you'll probably need a way to prevent automated/bot registrations.
Any ideas on how to stop this spamming?