Cloudron Forum

My Kutt was hacked! How? Check yours!!

Category: Kutt · 17 Posts · 7 Posters · 2.8k Views
#1 timconsidine (App Dev):

      I have a Kutt implementation.
      Actually it only had ONE link in use.
      Tonight I received a take-down notice because a malicious link had been inserted into the system's database.
      Along with 4 others.

      I have:

      • deleted the links
      • reset user password
      • ensured API access is not on.

      But how did they get the 5 bad links into the database??
      I tried to check the access.log for apache and nginx.
      But they are zero-length. Is logging not automatic?

      Questions:

      • how do I check how they did this?
      • any other remedial or preventive action I should take?
#2 timconsidine (App Dev):

        I just noticed my Kutt supports account signup from the login page.
        I did not think this was in operation.
        And the system does not give any option to show users who may have signed up. Bizarre.
        How can I check other users?


#3 timconsidine (App Dev):

          OK I checked postgres user table.
          3 dodgy entries in there.
          So user sign up was active not disabled as I thought.
          Now deleted.


#4 infogulch:

            @timconsidine that's quite concerning! Default-on registration is mentioned in the Kutt docs, maybe it deserves to be highlighted more prominently in the install notes, or the default adjusted.

            Registration
            Registration is enabled by default. This can be disabled by setting DISALLOW_REGISTRATION=true in /app/data/env


#5 timconsidine (App Dev):

              @infogulch yes! Surprised me.
              I normally check when installing an app.
              But seems I did not on this.

              Would certainly recommend all other users of Kutt to check env in /app/data/ to disallow registrations.

              Going to open a github issue to set this to disabled as a default.

              Kinda ridiculous that I have to do a postgres terminal query to check users.
              If they support users, they should support some admin function to view users, delete, block etc etc.


#6 BrutalBirdie (Partner):

                @infogulch said in My Kutt was hacked! How? Check yours!!:

                maybe it deserves to be highlighted more prominently in the install notes, or the default adjusted.

                The Problem is you need to have registration enabled by default, because otherwise you can't sign up on the first run.

                Already added a PR for a post install note.
                https://git.cloudron.io/cloudron/kutt-app/-/merge_requests/1

                Like my work? Consider donating a drink. Cheers!


#7 BrutalBirdie (Partner):

                  @timconsidine said in My Kutt was hacked! How? Check yours!!:

                  Kinda ridiculous that I have to do a postgres terminal query to check users.
                  If they support users, they should support some admin function to view users, delete, block etc etc.

                  True!


#8 girish (Staff):

                    @BrutalBirdie thanks! Merged and pushed an update.

                    Also, https://docs.cloudron.io/apps/kutt/#registration


#9 doodlemania2 (App Dev):

                      @girish Perhaps we should consider looking at all apps across the portfolio for open signups (like VaultWarden which bit me a few weeks back) and disable them as part of our app onboarding?


#10 girish (Staff):

                        @doodlemania2 registration is almost always disabled by default. But some apps like Kutt won't allow anyone to sign up, if registration is disabled.

#11 plains.digital:

                          @timconsidine this got me too. I was looking for a shortener I could iframe into a client dashboard, so I threw Kutt up. I don't know how bad it is, or if I'm still infected, but a day or two after setting it up all my links started to time out - they were being blocked by my browser. At the same time I lost admin access on a totally different WP site :S I deleted Kutt before I thought to investigate.

                          Definitely reminded me of the importance of security. I still can't get my original link shortener (installed on a LAMP stack) to work - I'm worried I got the domains banned or something 😞


#12 timconsidine (App Dev):

                            @plains-digital it may not be as bad as you think.
                            I appealed against some blocks and responded to incoming abuse notifications and got it cleaned up.
                            Kutt works well so don't be afraid to try it again - just turn off registrations.


#13 plains.digital:

                              @timconsidine my client's domain is STILL pointing at two dodgy IPs 😞


#14 timconsidine (App Dev):

                                @plains-digital another thread here about Netcup had some comments about cleaning ip addresses.

#15 chetbaker:

                                  hey @timconsidine this just happened to me today.

                                  There were a couple of dodgy URLs, probably because of the registration option I didn't check at install. I have the service down, but I wonder if there's any way to check and remove the spam users before bringing the service up again. I don't know how to explore the postgres db.

#16 girish (Staff):

                                    @chetbaker with 8.0.0, we have a new app notes feature. The notes get prepopulated with installation checklist.

                                    As for postgresql, it seems to be quite easy to navigate:

                                    db9e43bf3baf7640a8bf1b7316dee0fc89=> \dt
                                                                  List of relations
                                     Schema |         Name         | Type  |                Owner                 
                                    --------+----------------------+-------+--------------------------------------
                                     public | domains              | table | user9e43bf3baf7640a8bf1b7316dee0fc89
                                     public | hosts                | table | user9e43bf3baf7640a8bf1b7316dee0fc89
                                     public | ips                  | table | user9e43bf3baf7640a8bf1b7316dee0fc89
                                     public | knex_migrations      | table | user9e43bf3baf7640a8bf1b7316dee0fc89
                                     public | knex_migrations_lock | table | user9e43bf3baf7640a8bf1b7316dee0fc89
                                     public | links                | table | user9e43bf3baf7640a8bf1b7316dee0fc89
                                     public | users                | table | user9e43bf3baf7640a8bf1b7316dee0fc89
                                     public | visits               | table | user9e43bf3baf7640a8bf1b7316dee0fc89
                                    (8 rows)
                                    
                                    db9e43bf3baf7640a8bf1b7316dee0fc89=> select * from links;
                                    db9e43bf3baf7640a8bf1b7316dee0fc89=> select * from users;
                                    
#17 chetbaker:

                                      Thanks @girish. Just for the record, the command to remove entries (after identifying the users in the users table with the command @girish shared; in my case 4, 5, 6 and 7) is:

                                      DELETE FROM users WHERE id IN (4, 5, 6, 7);
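A fuller audit and cleanup in the same psql session, added here as an example and not posted by anyone in the thread: it extends girish's `\dt` / `select * from users` walkthrough and chetbaker's `DELETE` into per-user link counts, a listing of links not owned by the admin, and a transactional removal of the spam accounts with their links and visits. Column names (users.email, users.verified, users.created_at, links.address, links.target, links.user_id, links.created_at, visits.link_id) and the admin id of 1 are assumptions about Kutt's schema and your install; confirm them with `\d users`, `\d links` and `\d visits` before running anything.

```sql
-- Added example (not from the thread). Column names are assumed from
-- Kutt's schema; check them with \d users, \d links and \d visits first.

-- 1. Every account, oldest first, with how many links it owns and when it
--    last created one. The legitimate admin is normally the oldest row;
--    accounts that appeared later and own links are the ones to inspect.
SELECT u.id, u.email, u.verified, u.created_at,
       COUNT(l.id)       AS link_count,
       MAX(l.created_at) AS last_link_at
FROM users u
LEFT JOIN links l ON l.user_id = u.id
GROUP BY u.id
ORDER BY u.created_at;

-- 2. All links not owned by the admin account (assumed id 1 here; replace
--    with the admin id from query 1), newest first, so the redirect targets
--    can be reviewed before the takedown reply is written.
SELECT l.id, l.address, l.target, l.user_id, l.created_at
FROM links l
WHERE l.user_id IS DISTINCT FROM 1
ORDER BY l.created_at DESC;

-- 3. Remove the spam accounts and everything they created. Ids 4-7 are the
--    ones chetbaker found above; replace them with the ids from query 1.
--    Running inside a transaction lets you look at the counts and ROLLBACK
--    if the wrong rows went away.
BEGIN;
DELETE FROM visits
 WHERE link_id IN (SELECT id FROM links WHERE user_id IN (4, 5, 6, 7));
DELETE FROM links WHERE user_id IN (4, 5, 6, 7);
DELETE FROM users WHERE id IN (4, 5, 6, 7);
SELECT (SELECT COUNT(*) FROM users) AS remaining_users,
       (SELECT COUNT(*) FROM links) AS remaining_links;
-- If the remaining counts are not what you expect: ROLLBACK;  otherwise:
COMMIT;
```

After the cleanup, set `DISALLOW_REGISTRATION=true` in `/app/data/env` as the docs quoted in #4 describe, or the spam accounts will simply come back.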
                                      