
Re: I am Guybrush Threepwood, mighty developer?

Posted: Wed Mar 22, 2023 5:51 pm
by LRAM
Ok I have to wait until it happens again to measure the differences

Re: I am Guybrush Threepwood, mighty developer?

Posted: Wed Mar 22, 2023 9:49 pm
by tiloschroeder
Okay, now that I've tested your website, I've found out 3 things:

1. Script not found
Your website loads a script from jsdelivr.net that cannot be found (error 404).

Code:

<!-- Load Bludit Plugins: Site head -->
...
<script type="text/javascript" src="https://cdn.jsdelivr.net/npm/amplitudejs@{{v5.1.0}}/dist/amplitude.js"></script>

2. HSTS and http:// -> https://
Your website returns an HSTS header, which tells the browser to connect to your website only via https:// for at least the next 6 months. Good.
But there is no automatic redirection from http:// to https://. This means your website is also reachable insecurely (http://).

To solve this issue, open the file .htaccess in the root directory and add the following lines:

Code:

RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

If after this your website goes blank (white) or returns an error 500, remove the lines from the file and ask your provider how the redirect can be implemented.

3. Special security header

You can also add some special security headers (recommended), i.e. against cross-site-scripting attacks, by adding the following lines to the file .htaccess:

Code:

<IfModule mod_headers.c>
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-UA-Compatible "IE=edge"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options "nosniff"
</IfModule>

You can scan and test the website headers on Observatory from Mozilla: https://observatory.mozilla.org/analyze ... and-me.com

Re: I am Guybrush Threepwood, mighty developer?

Posted: Thu Mar 23, 2023 11:42 am
by LRAM
Thank you very much for this analysis, I am very grateful.
I don't know what this missing script is; it seems to load a jQuery.
.htaccess modified as specified; thank you again,
hoping that this will solve the problem.
What is surprising is that I don't encounter it on my other sites.

Re: I am Guybrush Threepwood, mighty developer?

Posted: Tue Mar 28, 2023 4:44 pm
by AzzakaPrime
Base steps for any installation:

Redirect Port 80 to 443
Always redirect to SSL to stop pages being served on Port 80. There is no need to serve pages on Port 80 anymore:

<VirtualHost *:80>
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

No Indexing and No Following Symlinks
Remove directory indexing to stop people from scouring the server for sensitive information or pages that should not be visible externally. (This can be overridden in the .htaccess file.)

<Directory "/var/www/html">
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

Extra Server Hardening
The below amendments will stop Cross-Site-Scripting, set the Cross-Framing to the 'Same Origin', turn on the Rewrite engine, and other pieces.

Note: X-Clacks-Overhead "GNU Terry Pratchett" is optional, and is used to keep Sir Terry's name alive. See here: Clacks Overhead - GNU Terry Pratchett

ServerTokens Prod
ServerSignature Off
FileETag None
TraceEnable off
Header append X-Frame-Options "SAMEORIGIN"
Header set X-Clacks-Overhead "GNU Terry Pratchett"
Header set X-XSS-Protection "1; mode=block"
ExtendedStatus Off
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^OPTIONS
RewriteRule .* - [F]
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
RewriteRule .* - [R=405,L]

There are other steps. These include installing 'fail2ban' and AV software. Also, disable TLS1.0 and TLS1.1. These are no longer secure; TLS1.2 and TLS1.3 should be used ONLY.
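A small checker for the two posts above (the HSTS/redirect advice and the Apache hardening directives): it parses captured HTTP responses and lists which of the recommended settings are missing. This is an added example, not code from either poster or from Bludit; the responses, the example.test host and the 6-month figure (taken as 180 days) are constructed for the demonstration.

```python
import re

# Constructed sample responses (not real captures): a site before the changes
# in the two posts above, and the same site afterwards.
HTTP_BEFORE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.57 (Debian)\r\n"
               "ETag: \"1a2b\"\r\nContent-Type: text/html\r\n\r\n<html>")
HTTP_AFTER = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n\r\n"
HTTPS_AFTER = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
               "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
               "X-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n"
               "\r\n<html>")

SIX_MONTHS = 6 * 30 * 24 * 3600  # ~15552000 s, the HSTS minimum the post quotes


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, {lowercase-name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon only; URLs keep theirs
        headers[name.strip().lower()] = value.strip()
    return status, headers


def hsts_max_age(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    return int(m.group(1)) if m else 0


def audit(http_raw, https_raw):
    """Return the list of recommended settings that are missing (empty = all good)."""
    findings = []
    status, hdr = parse_response(http_raw)
    if status not in (301, 308) or not hdr.get("location", "").startswith("https://"):
        findings.append("http:// is not redirected to https://")
    _, hdr = parse_response(https_raw)
    if hsts_max_age(hdr.get("strict-transport-security", "")) < SIX_MONTHS:
        findings.append("HSTS missing or max-age under 6 months")
    for name, expected in (("x-frame-options", "SAMEORIGIN"),
                           ("x-content-type-options", "nosniff")):
        if hdr.get(name, "").upper() != expected.upper():
            findings.append(f"{name} is not set to {expected}")
    if re.search(r"\d", hdr.get("server", "")):  # ServerTokens Prod hides versions
        findings.append("Server header leaks the version")
    if "etag" in hdr:  # FileETag None removes this header
        findings.append("ETag header is present")
    return findings
```

Feed it the raw output of `curl -si http://host/` and `curl -si https://host/` to check a real deployment.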

Re: I am Guybrush Threepwood, mighty developer?

Posted: Tue Mar 28, 2023 7:58 pm
by LRAM
It just happened again :evil:
But now I have a backup of the altered version and the original.
Which file should I compare?

Re: I am Guybrush Threepwood, mighty developer?

Posted: Sun Oct 29, 2023 2:33 pm
by randomuser
Hi,

I got the same problem... but things may be different this time!

It was a draft blog, no backlinks online, only 2 people know the URL of it.

Still happened.

As @Edi proposes here: viewtopic.php?t=1878, I don't have any other file on the server, and I don't use third-party scripts.

But I noticed the strings were already in the zip file directly downloaded from Bludit! And it has been on GitHub for a long time: https://github.com/bludit/bludit/blob/v ... .class.php

So I guess when an update/change/manipulation fails, it erases the content of bl-content/databases/site.php and just puts version and theme.

In my case, it was a change of domain name / theme that erased most of the content of the file; after that change, only this was in the file:

Code:

<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{"currentBuild":20230715,"theme":"darktheme"}

So the title/footer has no default value here and is taken from bl-kernel/site.class.php!

So it's probably not a hack! Just an Easter egg!
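To answer the earlier question of which file to compare, here is a comparison of a backup of bl-content/databases/site.php against the current copy, in the format quoted in this post (PHP guard line, then one JSON object). This is an added example, not Bludit code; the backup contents and its key names are constructed and do not claim to be Bludit's full key list.

```python
import json

GUARD = "<?php defined('BLUDIT') or die('Bludit CMS.'); ?>"

# Constructed samples: a backup of site.php and the truncated file quoted in
# the post above (key names in BACKUP are assumed, not Bludit's full list).
BACKUP = GUARD + "\n" + json.dumps({
    "title": "My blog", "slogan": "Notes", "footer": "(c) me",
    "url": "https://example.test/", "currentBuild": 20230715, "theme": "alternative",
})
TRUNCATED = GUARD + "\n" + '{"currentBuild":20230715,"theme":"darktheme"}'


def load_site_db(text):
    """Strip the PHP guard line and parse the JSON that follows it."""
    first, _, rest = text.strip().partition("\n")
    if first.strip() != GUARD:
        raise ValueError("not a Bludit database file: unexpected first line")
    return json.loads(rest)


def compare(backup, current):
    """Keys lost, changed or added between the backup and the current file."""
    return {
        "missing": sorted(k for k in backup if k not in current),
        "changed": sorted(k for k in backup if k in current and backup[k] != current[k]),
        "added": sorted(k for k in current if k not in backup),
    }


def check_site_db(backup_text, current_text):
    """Compare two raw site.php files and flag the wiped-database symptom."""
    current = load_site_db(current_text)
    report = compare(load_site_db(backup_text), current)
    # A file reduced to just build number and theme is the symptom in the thread:
    report["wiped"] = set(current) <= {"currentBuild", "theme"}
    return report


if __name__ == "__main__":
    print(check_site_db(BACKUP, TRUNCATED))
```

Run it with the real backup and current file contents read from disk; a non-empty "missing" list together with "wiped" being true matches the symptom described here rather than a tampered file with extra keys.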