My Kutt was hacked! How? Check yours!!
-
I have a Kutt implementation.
Actually it only had ONE link in use.
Tonight I received a take-down notice because a malicious link had been inserted into the system's database.
Along with 4 others.I have :
- deleted the links
- reset user password
- ensured API access is not on.
But how did they get the 5 bad links into the database??
I tried to check the access.log for apache and nginx.
But they are zero-length. Is logging not automatic ?Questions :
- how do I check how they did this ?
- any other remedial or preventive action I should take ?
-
I just noticed my Kutt supports account signup from the login page.
I did not think this was in operation.
And the system does not give any option to show users who may have signed up. Bizarre.
How can I check other users ? -
OK I checked postgres user table.
3 dodgy entries in there.
So user sign up was active not disabled as I thought.
Now deleted. -
@timconsidine that's quite concerning! Default-on registration is mentioned in the Kutt docs, maybe it deserves to be highlighted more prominently in the install notes, or the default adjusted.
Registration
Registration is enabled by default. This can be disabled by settings DISALLOW_REGISTRATION=true in /app/data/env -
@infogulch yes ! Surprised me.
I normally check when installing an app.
But seems I did not on this.Would certainly recommend all other users of Kutt to check
envin/app/data/to disallow registrations.Going to open a github issue to set this to disabled as a default.
Kinda ridiculous that I have to do a postgres terminal query to check users.
If they support users, they should support some admin function to view users, delete, block etc etc. -
@infogulch said in My Kutt was hacked! How? Check yours!!:
maybe it deserves to be highlighted more prominently in the install notes, or the default adjusted.
The Problem is you need to have registration enabled by default, because otherwise you can't sign up on the first run.
Already added a PR for a post install note.
https://git.cloudron.io/cloudron/kutt-app/-/merge_requests/1 -
@timconsidine said in My Kutt was hacked! How? Check yours!!:
Kinda ridiculous that I have to do a postgres terminal query to check users.
If they support users, they should support some admin function to view users, delete, block etc etc.True!
-
@BrutalBirdie thanks! Merged and pushed an update.
-
@girish Perhaps we should consider looking at all apps across the portfolio for open signups (like VaultWarden which bit me a few weeks back) and disable them as part of our app onboarding?
-
@doodlemania2 registration is almost always disabled by default. But some apps like Kutt won't allow anyone to sign up, if registration is disabled.
-
@timconsidine this got me too. was looking for a shortener i could iframe into a client dashboard so through kutt up. I don't know how bad or if im still infected but a day or two after setting it up, all my links started to time out - they were being blocked by my browser. at the same time, I lost admin access on a totally different wp site :S i deleted kutt before i thought to investigate.
definitely reminded me as to the importance of security. i still cant get my orginal link shortener (installed on a lamp stack) to work - im worried i got the domains banned or something
-
@plains-digital may not be be as bad as you think
I appealed against some blocks and responded to incoming abuse notifications and got it cleaned up.
Kutt works well so don't be afraid to try it again - just turn off registrations. -
@timconsidine my clients domain is STILL pointing at two dodgy IPs
-
@plains-digital another thread here about Netcup had some comments about cleaning ip addresses.
