My Kutt was hacked! How? Check yours!!
-
I just noticed my Kutt supports account signup from the login page.
I did not think this was in operation.
And the system does not give any option to show users who may have signed up. Bizarre.
How can I check other users? -
OK, I checked the postgres user table.
3 dodgy entries in there.
So user sign-up was active, not disabled as I thought.
Now deleted. -
@timconsidine that's quite concerning! Default-on registration is mentioned in the Kutt docs, maybe it deserves to be highlighted more prominently in the install notes, or the default adjusted.
Registration
Registration is enabled by default. This can be disabled by settings DISALLOW_REGISTRATION=true in /app/data/env -
@infogulch yes! Surprised me.
I normally check when installing an app.
But it seems I did not on this one. Would certainly recommend all other users of Kutt to check env in /app/data/ to disallow registrations. Going to open a github issue to set this to disabled as a default.
Kinda ridiculous that I have to do a postgres terminal query to check users.
If they support users, they should support some admin function to view users, delete, block etc. -
@infogulch said in My Kutt was hacked! How? Check yours!!:
maybe it deserves to be highlighted more prominently in the install notes, or the default adjusted.
The problem is you need to have registration enabled by default, because otherwise you can't sign up on the first run.
Already added a PR for a post install note.
https://git.cloudron.io/cloudron/kutt-app/-/merge_requests/1 -
@timconsidine said in My Kutt was hacked! How? Check yours!!:
Kinda ridiculous that I have to do a postgres terminal query to check users.
If they support users, they should support some admin function to view users, delete, block etc.
True!
-
@BrutalBirdie thanks! Merged and pushed an update.
-
@doodlemania2 registration is almost always disabled by default. But some apps like Kutt won't allow anyone to sign up, if registration is disabled.
-
@timconsidine this got me too. I was looking for a shortener I could iframe into a client dashboard, so I threw Kutt up. I don't know how bad it is or if I'm still infected, but a day or two after setting it up, all my links started to time out; they were being blocked by my browser. At the same time, I lost admin access on a totally different WP site :S I deleted Kutt before I thought to investigate.
Definitely reminded me of the importance of security. I still can't get my original link shortener (installed on a LAMP stack) to work; I'm worried I got the domains banned or something.
-
@plains-digital may not be as bad as you think.
I appealed against some blocks and responded to incoming abuse notifications and got it cleaned up.
Kutt works well so don't be afraid to try it again - just turn off registrations. -
@timconsidine my clients domain is STILL pointing at two dodgy IPs
-
@plains-digital another thread here about Netcup had some comments about cleaning ip addresses.
-
hey @timconsidine this just happened to me today.
There were a couple of dodgy URLs, probably because of the registration option I didn't check at install. I have the service down, but I wonder if there's any way to check and remove the spam users before getting the service up. I don't know how to explore the postgres db.
-
@chetbaker with 8.0.0, we have a new app notes feature. The notes get prepopulated with installation checklist.
As for postgresql, it seems to be quite easy to navigate:
```
db9e43bf3baf7640a8bf1b7316dee0fc89=> \dt
                    List of relations
 Schema |         Name         | Type  |                Owner
--------+----------------------+-------+--------------------------------------
 public | domains              | table | user9e43bf3baf7640a8bf1b7316dee0fc89
 public | hosts                | table | user9e43bf3baf7640a8bf1b7316dee0fc89
 public | ips                  | table | user9e43bf3baf7640a8bf1b7316dee0fc89
 public | knex_migrations      | table | user9e43bf3baf7640a8bf1b7316dee0fc89
 public | knex_migrations_lock | table | user9e43bf3baf7640a8bf1b7316dee0fc89
 public | links                | table | user9e43bf3baf7640a8bf1b7316dee0fc89
 public | users                | table | user9e43bf3baf7640a8bf1b7316dee0fc89
 public | visits               | table | user9e43bf3baf7640a8bf1b7316dee0fc89
(8 rows)

db9e43bf3baf7640a8bf1b7316dee0fc89=> select * from links;
db9e43bf3baf7640a8bf1b7316dee0fc89=> select * from users;
```
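The `select * from users` above dumps everything, which is hard to read once a spammer has created thousands of links. The following is an added example (written for this page, not Kutt's own code or anything posted in the thread) of how a practitioner would audit and clean the same database from the psql prompt: list accounts, rank them by how many links they own, record the abusive targets for the abuse-desk appeals mentioned earlier, then remove the rogue accounts in a transaction. It assumes the column names from Kutt's knex migrations (users.email, users.verified, users.banned, users.created_at, links.user_id, links.address, links.target, links.created_at, links.visit_count, visits.link_id) and a placeholder owner address you@example.com; check both with `\d users`, `\d links` and `\d visits` before running anything destructive.

```sql
-- Added example, not part of the original thread or of Kutt itself.
-- Column names are assumed from Kutt's knex migrations; 'you@example.com'
-- stands for the legitimate account(s) you created yourself.

-- 1. Every account, newest first. Anything you do not recognise arrived
--    through open registration.
SELECT id, email, verified, banned, created_at
  FROM users
 ORDER BY created_at DESC;

-- 2. Links per account. A spammer's volume stands out immediately, and the
--    first/last timestamps tell you when the abuse started and stopped.
SELECT u.id, u.email,
       COUNT(l.id)        AS link_count,
       MIN(l.created_at)  AS first_link,
       MAX(l.created_at)  AS last_link,
       COALESCE(SUM(l.visit_count), 0) AS visits
  FROM users u
  LEFT JOIN links l ON l.user_id = u.id
 GROUP BY u.id, u.email
 ORDER BY link_count DESC;

-- 3. The redirect targets themselves. Abuse notifications and blocklist
--    appeals reference these URLs, so save this output before deleting.
SELECT l.address, l.target, l.created_at, l.visit_count, u.email
  FROM links l
  JOIN users u ON u.id = l.user_id
 WHERE u.email NOT IN ('you@example.com')
 ORDER BY l.created_at DESC;

-- 4. Remove the rogue accounts and everything they created. Child rows go
--    first in case the foreign keys were created without ON DELETE CASCADE.
--    Wrapped in a transaction so a wrong WHERE clause can be rolled back.
BEGIN;

DELETE FROM visits
 WHERE link_id IN (
   SELECT l.id
     FROM links l
     JOIN users u ON u.id = l.user_id
    WHERE u.email NOT IN ('you@example.com'));

DELETE FROM links
 WHERE user_id IN (
   SELECT id FROM users WHERE email NOT IN ('you@example.com'));

DELETE FROM users
 WHERE email NOT IN ('you@example.com');

-- Re-run query 1 here. If only your own accounts remain:
COMMIT;
-- otherwise: ROLLBACK;
```

Deleting the accounts alone is not enough if the links table keeps its rows, because the short URLs keep redirecting until the link rows are gone, so step 4 removes links and visits before users. Do the cleanup with the app stopped, set DISALLOW_REGISTRATION=true in /app/data/env before starting it again, and re-run query 1 a day later to confirm nothing new appeared.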