Transition Technology: Ticket Query

dedi2835.your-server.de
ssh
ls -lah /var/backups/mysql/sqldump/transitionnetw_0.sql
-rw------- 1 root root 1.8G Mar  2 01:23 /var/backups/mysql/sqldump/transitionnetw_0.sql

Hi Chris,
The web team at the development agency are requesting access to the
webserver so that they can look at the sites make up.
(Please see below)
Would you please set up an account so that they can get root read access?
I guess this would be done via FTP, but your thoughts greatly appreciated.
best regards
Ade
---------- Forwarded message ----------
From: Ainslie Beattie <ainsliebeattie@transitionnetwork.org>
Date: 26 January 2016 at 17:25
Subject: Fwd: Access to Drupal
To: Sam Rossiter <samrossiter@transitionnetwork.org>, Ade Stuart <
adestuart@transitionnetwork.org>, Yvonne Struthers <yvonne@thisisyoke.com>
Hey both, can you please action this urgently so that Yoke can have access.
Cheers
---------- Forwarded message ----------
From: "Yvonne Struthers" <yvonne@thisisyoke.com>
Date: 26 Jan 2016 10:58
Subject: Access to Drupal
To: <ainsliebeattie@transitionnetwork.org>
Cc:
Hi Ainslie,
Just a quick email as I'm out seeing a client today,but just to say,it
looks like you have only given us access to the database. What we need
please is admin access to the Drupal site and to the code base so that we
can get a sense of how it's all set up.
Thanks in advance!
Yvonne
Sent from my iPhone
--
Ade Stuart
Web Manager - Transition network
07595 331877
The Transition Network is a registered charity
address: 43 Fore St, Totnes, Devon, TQ9 5HN, UK
website: www.transitionnetwork.org
TN company no: 6135675 TN charity no: 1128675

/xmlrpc.php
/xmlrpc.php
sudo -i
wp-xmlrpc-abuse
IP addresses accessing xmlrpc.php more than twice for the last 1000 lines of each access.log:
      2 46.148.XX.XX
    733 195.62.53.243
    177 195.62.53.243
      2 66.76.XX.XX
dig -x 195.62.53.243 +short
  53-243.static.spheral.ru.
ipdrop 195.62.53.243

I would like to announce the release of MediaWiki 1.26.1, 1.25.4, 1.24.5,
and
1.23.12.
These releases fix five security issues in core, in addition to other bug
fixes. Download links are given at the end of this email
== Security fixes ==
(T117899) SECURITY: $wgArticlePath can no longer be set to relative paths
that
do not begin with a slash. This enabled trivial XSS attacks. Configuration
values such as "http://my.wiki.com/wiki/$1" are fine, as are "/wiki/$1". A
value such as "$1" or "wiki/$1" is not and will now throw an error
(T119309) SECURITY: Use hash_compare() for edit token comparison
(T118032) SECURITY: Don't allow cURL to interpret POST parameters starting
with
'@' as file uploads
(T115522) SECURITY: Passwords generated by User::randomPassword() can no
longer
be shorter than $wgMinimalPasswordLength
(T97897) SECURITY: Improve IP parsing and trimming. Previous behavior could
result in improper blocks being issued
(T109724) SECURITY: Special:MyPage, Special:MyTalk, Special:MyContributions
and
related pages no longer use HTTP redirects and are now redirected by
MediaWiki
== Note about EOL of 1.24.x ==
Please note that 1.24.5 marks the end of support for the 1.24.x series of
releases. Technically this ended a few weeks ago with the release of 1.26.0
but
we dropped one final release of 1.24.x here to give it a nicer send off for
those who have not yet upgraded.
== Release notes ==
Full release notes for 1.26.1:
<https://www.mediawiki.org/wiki/Release_notes/1.26>
Full release notes for 1.25.4:
<https://www.mediawiki.org/wiki/Release_notes/1.25>
Full release notes for 1.24.5:
<https://www.mediawiki.org/wiki/Release_notes/1.24>
Full release notes for 1.23.12:
<https://www.mediawiki.org/wiki/Release_notes/1.23>
For information about how to upgrade, see
<https://www.mediawiki.org/wiki/Manual:Upgrading>

Hi Chris, All
Can you help me to reset my password for paulbooker for
news.transitionnetwork.org? I just tried to use the reset password form but
I never received an email and when I Iooked at the settings,php file for
the website (generated by Aegir) I couldn't see immediately where to find
the database.
I think I may have missed some recent updates to news.transitionnetwork.org
so urgently need to resolve this today.
Not sure how this has fallen of my radar, but, I just noticed that
news.transitionnetwork.org is no longer mentioned on the platform page on
Aegir so may have got into thinking that this site no longer exists.
http://news.transitionnetwork.org
https://tn.puffin.webarch.net/hosting/platforms
--
Paul Booker
Drupal Support for Websites and Linux Servers
Website: http://www.paulbooker.co.uk
Tel: +44 01922 861636

Tomorrow we will be issuing a security release to all supported
branches of MediaWiki.
The new releases will be:
1.25.3
1.24.4
1.23.11
Fixes will be available in these respective release branches, the
unreleased 1.26.x branch, and master. Tarballs will be available
for the above mentioned point releases as well.
This security release will encompass core only, no bundled extensions
are affected.

Hi Sam,
Hope you're well.
Any chance you could pay my 3 outstanding invoices today?
Best, Paul
--
Paul Booker
Drupal Support for Websites and Linux Servers
Website: http://www.paulbooker.co.uk
Tel: +44 01922 861636

grep POST /home/ttt/logs/access.log | grep wp-login.php | grep 217.174.240.254 | wc -l
53932

xmlrpc.php
Hi Sam / Ade
Would you advise when outstanding invoices will be paid? We used to get our
invoices paid every month.
--
Best
Paul Booker
Drupal Developer & Linux Systems Administrator
Website: http://www.paulbooker.co.uk
Drupal.org: https://www.drupal.org/u/paulbooker
Twitter: @paulbooker <https://www.twitter.com/paulbooker>
Tel: +44 01922 861636

 all kind of watches    - htt&#112;://&#103;oo.&#103;l/3&#75;&#85;ebe
htt&#112;://&#103;oo.&#103;l/j&#99;kF3&#87; &#104;t&#116;p:/&#47;&#103;oo&#46;gl/&#117;&#116;&#71;eX0 qxs dzge l urqgp
kqv v jzqky wtmu tnoag y
ptp ldv ody oif ap cbbds
nuhk updsz bhpz zktlx nz jzcu
h rv qwvz bz h nbm
tiu g ljll lyomu yyf nboz
vi xz voxls ioiu cen tfq
pjs lrvbs veb sh ynnoq yh
l jd mppk yyc ughd upxg
uwyx ru gb wbmt w q
qcn aerpv m tpxg u nga
rc kjci t zgdqq f apb
vgrse gxyu gmiij rrfh gxvpm hv
a vn iwt dzisl eczkx rl
p nq nocyu motht sjan yyjnk
oajv ibz atjno w zp vrg
g bo wdy b blwg slzze
hqmol uo ajgit snd qc ytyi
b yr tivb dyw ax kg
fpl nufto sxqoe nag cnk ucur
mqpq swpvf pib mx fxb mf
shg ac lkt jiir xm wkskg
de v bde z p rrx
yykms tln zqq nzdmd g fhnc
mgc wfr mntuv arc j tjzdk
t b wx jao xmf adwji
z k hg urgsz qqz enuxt
wk j cgvr kvl gn zkqo
czhs hrll lot j kkpu fam
ehm fnr ajvea cut axv anjt
i zrbab lximl x tmwi v
gngrg w q s hg yaue
btrs kf zki zoe nd yyafq
s oaipz st toevj yd a
pzw l gmu hvgc vqxx jh
a gi wyyyg yhch chlcc tznsw
cohr zxvid jsw wunh hq nmcr
oowj wpdn yq br we y
kyqwe gd t uzp svvy do
slyt mof qngf b o crd
t gd dd ioa hxai m
f fhqsm ayrs xxk ehl ho
vxupt iyhu p frkt moarl e
j zxq odnq y t lv
jc lkk wcnzg k pldvj mf
crvx xb ifsmk yylz fj dg
k ywt iapns zw hyvsv jdc
tmp mfin jaw c is s
v w h hoc qguhh cv
vlz zntcm fohau evv b p
ujsbw aobr omp o dptn b
qorl iyfjh ttd uln k lakhk
mihmo tmru ofde imic q bqbj
vyl yz f ea e f

Hello,
Our system detected that the site space.transitionnetwork.org has been hacked!
Common signatures of an attack which triggered this alert:
You are required to change your password immediately (password aged)
su: Authentication token is no longer valid; new one required
(Ignored)
Site tested positive for known Drupalgeddon exploit checks               [error]
Update module is disabled and Drupalgeddon cannot check for Drupal       [error]
Security Updates. Please check for a security update manually.
You are running Drupal 7.31
https://www.drupal.org/node/3060/release?api_version%5B%5D=103
The platform root directory for this site is:
  /data/disk/tn/distro/008/openatrium-7.x-2.19-7.31.1
The system hostname is:
  puffin.webarch.net
To learn more on what happened, how it was possible and
how to survive #Drupageddon, please read:
  https://omega8.cc/drupageddon-psa-2014-003-342
--
This e-mail has been sent by your Aegir system monitor.

Time:     Tue Sep 23 13:47:01 2014 +0100
IP:       XX.XX.XX.XX (HU/Hungary/XXXXXX.catv.pool.telekom.hu)
Failures: 5 (sshd)
Interval: 300 seconds
Blocked:  Permanent Block
Log entries:
Sep 23 13:46:28 puffin sshd[6056]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX  user=tn.ftp
Sep 23 13:46:30 puffin sshd[6056]: Failed password for tn.ftp from XX.XX.XX.XX port 54327 ssh2
Sep 23 13:46:33 puffin sshd[6056]: Failed password for tn.ftp from XX.XX.XX.XX port 54327 ssh2
Sep 23 13:46:56 puffin sshd[6409]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=XX.XX.XX.XX  user=anewholm
Sep 23 13:46:58 puffin sshd[6409]: Failed password for anewholm from XX.XX.XX.XX port 54328 ssh2

From: root@penguin.webarch.net (Cron Daemon)
Date: Fri,  1 Aug 2014 14:06:48 +0100 (BST)
To: root@localhost
Subject: Cron <www-data@penguin> /web/stats.transitionnetwork.org/piwik/console core:archive --url=http://stats.transitionnetwork.org/ > /var/log/piwik-archive.log
ERROR CoreConsole[2014-08-01 13:05:18] [3e5ac] Got invalid response from API request:
+http://stats.transitionnetwork.org/index.php?module=API&method=API.get&idSite=1&period=week&date=last2&format=php&token_auth=XXXXXXXXXXXX&trigger=archivephp. Response was ' <div style='word-wrap: break-word; border: 3px solid red; padding:4px; width:70%;
+background-color:#FFFF96;'>         <strong>There is an error. Please report the message (Piwik 2.4.1)         and full backtrace in the <a
+href='?module=Proxy&action=redirect&url=http://forum.piwik.org' target='_blank'>Piwik forums</a> (please do a Search first as it might have
+been reported already!).<br /><br/>         Warning:</strong>
+<em>file_get_contents(http://api.piwik.org/1.0/getLatestVersion/?piwik_version=2.4.1&php_version=5.4.4-14%2Bdeb7u12&url=https%3A%2F%2Fstats.
+transitionnetwork.org%2Fweb%2Fstats.transitionnetwork.org%2Fpiwik%2Fconsole&trigger=API&timezone=Europe%2FLondon): failed to open stream:
+HTTP requ
 est fail
 ed! </em> in <strong>/web/stats.transitionnetwork.org/piwik/core/Http.php</strong> on line <strong>406</strong> <br /><br />Backtrace
+--&gt;<div style="font-family:Courier;font-size:10pt"><br /> #0  Piwik\Error::errorHandler(...) called at [:]<br /> #1
+file_get_contents(...) called at [/web/stats.transitionnetwork.org/piwik/core/Http.php:406]<br /> #2  Piwik\Http::sendHttpRequestBy(...)
+called at [/web/stats.transitionnetwork.org/piwik/core/Http.php:94]<br /> #3  Piwik\Http::sendHttpRequest(...) called at
+[/web/stats.transitionnetwork.org/piwik/core/UpdateCheck.php:72]<br /> #4  Piwik\UpdateCheck::check(...) called at
+[/web/stats.transitionnetwork.org/piwik/plugins/CoreUpdater/CoreUpdater.php:142]<br /> #5
+Piwik\Plugins\CoreUpdater\CoreUpdater->updateCheck(...) called at [:]<br /> #6  call_user_func_array(...) called at
+[/web/stats.transitionnetwork.org/piwik/core/EventDispatcher.php:98]<br /> #7  Piwik\EventDispatcher->postEvent(...) called at
+[/web/stats.transitionnetwor
 k.org/pi
 wik/core/Piwik.php:766]<br /> #8  Piwik\Piwik::postEvent(...) called at
+[/web/stats.transitionnetwork.org/piwik/core/FrontController.php:391]<br /> #9  Piwik\FrontController->init(...) called at
+[/web/stats.transitionnetwork.org/piwik/core/dispatch.php:33]<br /> #10  require_once(...) called at
+[/web/stats.transitionnetwork.org/piwik/index.php:47]<br /> #11  require_once(...) called at
+[/web/stats.transitionnetwork.org/piwik/core/CliMulti/RequestCommand.php:53]<br /> #12  Piwik\CliMulti\RequestCommand->execute(...) called
+at [/web/stats.transitionnetwork.org/piwik/vendor/symfony/console/Symfony/Component/Console/Command/Command.php:252]<br /> #13
+Symfony\Component\Console\Command\Command->run(...) called at
+[/web/stats.transitionnetwork.org/piwik/vendor/symfony/console/Symfony/Component/Console/Application.php:887]<br /> #14
+Symfony\Component\Console\Application->doRunCommand(...) called at
+[/web/stats.transitionnetwork.org/piwik/vendor/symfony/console/Symfony/Component/Co
 nsole/Ap
 plication.php:193]<br /> #15  Symfony\Component\Console\Application->doRun(...) called at
+[/web/stats.transitionnetwork.org/piwik/core/Console.php:64]<br /> #16  Piwik\Console->doRun(...) called at
+[/web/stats.transitionnetwork.org/piwik/vendor/symfony/console/Symfony/Component/Console/Application.php:124]<br /> #17
+Symfony\Component\Console\Application->run(...) called at [/web/stats.transitionnetwork.org/piwik/console:31]<br /> </div><br />
+</pre></div><br />  <div style='word-wrap: break-word; border: 3px solid red; padding:4px; width:70%; background-color:#FFFF96;'>
+<strong>There is an error. Please report the message (Piwik 2.4.1)         and full backtrace in the <a
+href='?module=Proxy&action=redirect&url=http://forum.piwik.org' target='_blank'>Piwik forums</a> (please do a Search first as it might have
+been reported already!).<br /><br/>         Warning:</strong>
+<em>file_get_contents(http://api.piwik.org/1.0/getLatestVersion/?piwik_version=2.4.1&php_version
 =5.4.4-1

/root/Changelog

Transition Technology: Ticket Query

#925: Piwik 2.16.3

Security release

Database upgrade

#924: Sheffield Server Shutdown Timetable?

#922: SSH to parrot please

#919: Site offline

#918: redirects?

#917: Any misc files in Transition Culture web root?

#916: SSH to parrot please

#912: Stats for TTT

#909: What's involved in enabling longer Piwik reports?

#907: TN Drupal database size

#905: TN site down due to redis not running

#904: Issues to consider in the migration from Drupal to WordPress

#903: Large load spike on PuffinServer

#901: Enable SSH access to PuffinServer for Ade

#899: Managing security after Feb 24th, 2016.

#898: Fwd: Access to Drupal

#897: Hosting information/requirements for 2016

#894: Brute Force Attacks Against WordPress XMLRPC

#893: BOA Cron Jobs

#892: MediWiki Security Release: 1.26.1, 1.25.4, 1.24.5 and 1.23.12

#890: Site offline.

#887: Lot's of failed logins on conference15.transitionnetwork.org

#884: RE: http://news.transitionnetwork.org

#882: Login to PiWik stats

#881: Site on ParrotServer with a memory leak?

#879: MediaWiki 1.23.11

#877: RE: outstanding invoices

#875: Free HTTPS certificates from Let's Encrypt

#874: Please check & then install Georss if no problems

#873: New Wordpress site please

#871: Brute Force Attacks Against WordPress Sites

#870: MediaWiki 1.23.10

Bug Fixes in 1.23.10

#868: Is conference15.tn.org backed up in a convenient manner?

#865: synchronisation

#860: More details on Server provision

#859: Subscription emails broken

#857: Tiny MCE weirdness

#856: Blocked IP?

#855: Piwik plugins

#853: Parrot access please

#851: Bot attacks on Transition Culture

#849: (No subject)

#847: Upgrade Servers to Debian Jessie

#836: "Date is invalid" on film content type

#834: Slovenian State info missing again

#824: Analysis of the 2014 maintenance ticket time

#821: Projects forms being hammered by Spam

#819: Trac anti-spam measures

#818: For watch lovers. superwatches

#814: Higher that usual loads on PuffinServer since early September

#812: space.transitionnetwork.org hacked?

#809: [Security-news] Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-CORE-2014-006

#808: WordPress email being rejected due to From field

#806: IIRS pre-beta usability issues

#804: Investigating the site security following SA-CORE-2014-005 (Drupal 7.32)

#802: Slovenian state information missing / 'Not listed' will not submit

#794: Time estimate: change TN.org background image

#792: [Security-news] SA-CONTRIB-2014-094 - Webform Patched - Cross Site Scripting (XSS)

#790: Annesley locked out of puffin

#789: SA-CONTRIB-2014-088 - Mollom - Cross-site scripting (XSS)

#787: Access to Parrot

#783: IIRS design and development

#772: new TIs not appearing on staging until caches flushed

#768: Piwik Archive Cron Error

#767: robots.txt on dev site

#764: Policy decisions re-assessment on BOA and Drupal security updates

#763: Server Backups

#761: Spam account cull

#759: [Security-news] SA-CONTRIB-2014-071 - FileField - Access bypass

#758: * Advisory ID: DRUPAL-SA-CORE-2014-003

#757: Research and Design for TNv3

#750: Annual update of SSL cert fingerprint for incomming emails to Trac

#747: Accessibility / archiving of podcasts

#746: New comment notifications not being sent to content owners.

#742: Stg site to play with

#741: Views editor disappears in backend