Housekeeping #2366

[Wiki][redmine][mailing list]: Recent attack

Anonymous - 2 months ago. Updated about 1 month ago.

Status: open
Priority: bug
Assignee: -
% Done: 0%


Description

Wiki has recently been attacked by some vandal(s). Some pages were destroyed.

History

#1

Updated by bill-auger 2 months ago

thanks for noticing - this bug tracker just got hit too - we're going to do something - maybe even shut down the web sites for the day, as a last resort

#2

Updated by bill-auger 2 months ago

  • Subject changed from [Wiki] Recent attack to [Wiki][redmine]: Recent attack

responses to the many questions asked on IRC yesterday that i missed:

the email moderation queues should be mostly empty - i am subscribed to them, and i review and prune them daily - in the [assist] queue now, are just a few that i suppose were from you or freemor testing

From:    root@parabola.nu
Subject: Testing my new address

From:    bill-augeratpeers.community
Subject: Some testing

From:    srs0=f1qc=vi=isacdaavid.info=isacdaavid@parabola.nu
Subject: Re: <RANDOM_GARBAGE>

From:    lurker@example.com
Subject: Nothing

i have not sent any mail to [assist] recently, but i did send two to [dev] yesterday, and i send multiple messages per day to mailman to admin the moderation queue - the '<br />' in the plain-text message body of that spoofed email is sufficient to indicate that i did not write it - there is one other that was apparently spoofed around the same time "From" a parabola.nu address - we should make sure that one was spoofed and not legit from the parabolaweb service

From: Parabola Website Notification <nobody@parabola.nu>
To: dev@lists.parabola.nu
Subject: [Dev] Website issues
Date: Fri, 12 Jul 2019 01:31:41 +0300
Sender: "Dev" <dev-bounces@lists.parabola.nu>

redmine and the wiki were the only services i blocked; because those are the only ones that accept logins or posts, other than the parabolaweb out-of-date flags - at the time, i did not remember that parabolaweb accepts posts - we may need to clean those

and yes, i had two shell connections to winston - the same two are both still open now - feel free to kick me at any time - i always spawn a screen session for anything important or long-running

#3

Updated by bill-auger 2 months ago

  • Private changed from No to Yes

#4

Updated by bill-auger 2 months ago

  • Private changed from Yes to No

#6

Updated by lukeshu 2 months ago

  • Subject changed from [Wiki][redmine]: Recent attack to [Wiki][redmine][mailing list]: Recent attack

#9

Updated by temporaryuser 2 months ago

9 days passed with no attacks. Close as fixed?

#10

Updated by bill-auger 2 months ago

it's not totally "fixed" yet - registrations are still closed for the wiki and redmine still needs some clean-up

#11

Updated by Anonymous about 1 month ago

For God's sake, close self‐registrations permanently!

#12

Updated by temporaryuser about 1 month ago

So, registrations are now closed. What is the purpose of CAPTCHA if new accounts are checked manually anyway?

I think it's better to never open them again: every time you do this there is more spam than in the previous attack (I think, but this time there was too much spam).

Please, also replace the registration page with "We would gladly create an account for you. Just ask on the mailing list or IRC". Same for Wiki.

If this is done, the issue is mostly fixed.

It's difficult to find an open proxy which is unknown to freenode, and abusing IPs could be banned.

Some spammers might try to register accounts using mailing lists. Note there is no CAPTCHA there. They also could 'invite a lot of friends' which are really a lot of accounts to spam.
It's easy to register a non‐suspicious anonymous email somewhere.

Maybe, require IP validation on IRC for mailing list registration and ban that IP if suspicious activity is detected. This will completely fix this issue, although spammers could try to find open proxies unknown to freenode. It's unlikely someone has too many IPs even if their IP is dynamic/they use VPN(s).

Also, I don't know whether the email origin is checked to prevent emails with a fake "From: " which, even with email text validation, could lead to unfair bans.

Also, when spammers are unable to abuse computer systems, they may start abusing humans by sending lots of spam to their email addresses, including, but not limited to: garbage (easily blocked), nonsense text, social engineering, fake unsigned "key compromised but cannot be revoked" messages with fake keys, fake news, malware, etc., sometimes with a spoofed 'From' header.
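
The two email checks raised in this thread, the '<br />' tell from comment #2 and the question in comment #12 about whether the "From:" origin is verified, shown as an added Python example that is not part of the original thread or of Parabola's tooling. It assumes the receiving mail server stamps an Authentication-Results header under the hypothetical authserv-id lists.example.org; both sample messages are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Markup that has no business in a part declared as text/plain (heuristic).
HTML_TAG = re.compile(r"<\s*/?\s*(br|p|div|span|html|body)\b[^>]*>", re.I)

def from_domain(msg):
    return parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()

def dkim_aligned(msg, trusted_authserv):
    """True if our own MTA recorded dkim=pass for the From: domain.
    Simplification: exact domain match only."""
    want = from_domain(msg)
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, results = str(hdr).partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # stamped by someone else: forgeable, so ignore it
        for result in results.split(";"):
            m = re.search(r"\bdkim=pass\b.*\bheader\.d=([\w.-]+)", result, re.I | re.S)
            if m and m.group(1).lower() == want:
                return True
    return False

def triage(raw, trusted_authserv="lists.example.org"):
    """Return the reasons a message deserves a manual look (empty = none)."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and HTML_TAG.search(part.get_content()):
            reasons.append("html-in-plain-text")
            break
    if not dkim_aligned(msg, trusted_authserv):
        reasons.append("from-domain-not-authenticated")
    return reasons

# Constructed samples. The first carries an Authentication-Results header
# that was not added by the trusted server, plus HTML in a plain-text body.
SPOOFED = ("From: Admin <admin@example.org>\nTo: dev@lists.example.org\n"
           "Subject: Website issues\n"
           "Authentication-Results: mail.other.example; dkim=pass header.d=example.org\n"
           "Content-Type: text/plain; charset=utf-8\n\nHello<br />this is a test\n")
LEGIT = ("From: Admin <admin@example.org>\nTo: dev@lists.example.org\n"
         "Subject: Some testing\n"
         "Authentication-Results: lists.example.org; dkim=pass header.d=example.org\n"
         "Content-Type: text/plain; charset=utf-8\n\nJust a test.\n")

if __name__ == "__main__":
    print(triage(SPOOFED), triage(LEGIT))
```

Both results are reasons for a human to look at the message, not grounds for an automatic ban.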

#13

Updated by temporaryuser about 1 month ago

parabola.nu returned 504 for some time.
Then, I saw this:
https://www.parabola.nu/packages/?sort=&repo=Pcr&q=&maintainer=&flagged=
The first page is flagged. Many of them today.
It looks like it was hit by the same attack just now.

If this is true, add [packages] in the subject.
