Topic on Project:Support desk

Dcshank (talkcontribs)

One private wiki used for one customer for collaboration was hacked using special:userlogin twice. Not sure how that works. The hacker went directly to a project category, downloaded a bunch of files. This was obviously someone very familiar with MediaWiki, no kiddie script.

I have not yet found in the log files where this happened, but the hacker deleted all the database entries after 9/9/2013. I did not think this was easily done.

Any help or insight would be appreciated.

Rev 1.19.2 PHP 5.3.24 MySQL 5.0.96-log

Thanks, Don

88.130.98.176 (talkcontribs)

Please follow Manual:Security. Especially do not disclose details about the hack to the public (including myself).

Note that your MediaWiki version is outdated and has known security holes. Given that there are quite a number of known security-related issues in the version you used, which might give an attacker possibilities to manipulate files on the server, I guess it's unlikely that a yet unknown zero-day exploit has been used. Anyway, you cannot be sure about that until you have figured out how the attack actually worked.

Dcshank (talkcontribs)

Thanks very much for the advice 88.130.98.176. Special:userlogin has been discussed as a problem for a while.

I understand the version is outdated and every version is going to have security holes. Unfortunately any MediaWiki version is outdated the day after it is released. And, since the MediaWiki is not exactly Windows Notepad, I am not going to be doing a Tuesday Windows type update every week.

I have to take a stand at some point and work with what I have until there is a compelling reason to upgrade. I have taken care of the problem for now. I just never expected anyone to go to so much effort to get the trivial information that was taken. I'm anxious to take the time to figure out the hack, but more important things press at this time.

The horrible thing is wiping the DB. I am assuming the image and page files still exist on the server. Is there any utility existing that would rebuild a useful index?

88.130.98.176 (talkcontribs)

MediaWiki minor updates come out around once a month - or less frequently. For me personally it takes less than five minutes to install such an update. Your current situation proves that security is a compelling reason to update. Not updating, knowing of the dangers, is negligent, if not grossly negligent.

You wrote that the hacker removed "all db entries after 9/9/2013". Content from the tables page, revision and text is unique. Content from these tables (page, revisions, text) cannot be rebuilt. Maybe from Google cache, but you know - that is not what you want to do. Having a backup would be fine...

You can put those images, which are now missing in the DB, into a folder. Then these images can be imported using the maintenance script importImages.php.
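The staging step described in the post above, as an added example that is not part of the original thread: it collects original uploads from the wiki's `images/` tree into one flat folder for `importImages.php`, leaving out thumbnails, archived versions and anything with an unexpected extension, since files on a compromised server may have been manipulated. The helper name `stage_originals`, the extension allowlist and the paths are assumptions, as is the default hashed upload layout.

```shell
#!/bin/sh
# Added example, not from the thread. stage_originals is a hypothetical helper.
# Assumes MediaWiki's default hashed upload layout: images/<h>/<hh>/<filename>.
# The extension allowlist below is an assumption; match it to $wgFileExtensions.
ALLOWED_EXT="png gif jpg jpeg pdf"

# stage_originals <images_dir> <staging_dir>
# Copies original uploads into one flat folder and prints how many were staged.
# thumb/, archive/, temp/ and deleted/ never match the <h>/<hh>/ glob, and files
# with an extension outside the allowlist (for example a script planted during
# the compromise) are reported on stderr and left where they are.
stage_originals() {
    images_dir=$1
    staging_dir=$2
    mkdir -p "$staging_dir" || return 1
    count=0
    for f in "$images_dir"/[0-9a-f]/[0-9a-f][0-9a-f]/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # Compare extensions case-insensitively (Spec.PDF counts as pdf).
        ext=$(printf '%s' "${name##*.}" | tr 'A-Z' 'a-z')
        ok=no
        for e in $ALLOWED_EXT; do
            if [ "$e" = "$ext" ]; then ok=yes; fi
        done
        if [ "$ok" != yes ]; then
            echo "not staged (extension not allowed): $f" >&2
            continue
        fi
        # Never overwrite a file that is already in the staging folder.
        if [ -e "$staging_dir/$name" ]; then
            echo "not staged (name already present): $f" >&2
            continue
        fi
        cp -p "$f" "$staging_dir/$name" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# Usage (paths are placeholders):
#   stage_originals /path/to/wiki/images /path/to/staging
#   php maintenance/importImages.php /path/to/staging
```

Review the stderr list before importing: every file reported there is something in the upload tree that is not an expected image or document type.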

Jackmcbarn (talkcontribs)

1.19 is still supported. I'm hoping that you meant 1.19.20 rather than 1.19.2; if not, then that would probably be how you got hacked. "Unfortunately any MediaWiki version is outdated the day after it is released." <-- That isn't true. Releases, especially LTS, are relatively rare. "I have to take a stand at some point and work with what I have until there is a compelling reason to upgrade." <-- Security vulnerabilities are a pretty compelling reason to upgrade. Also, why do you think Special:UserLogin was involved in the hack, and what does "went directly to a project category, downloaded a bunch of files" mean?

Florianschmidtwelzow (talkcontribs)

A MediaWiki version isn't outdated the next day. See Version_lifecycle to learn how our version lifecycle works. Normally you should always use the latest stable version of MediaWiki, but there are some LTS versions, which get security fixes, too. There should be no problem (and it is in your own interest) to upgrade to or use one of the supported versions of MediaWiki.

Weekly snapshots of MediaWiki (called wmf-branches) are intended for use on Wikimedia wikis only (like Wikipedia and sister projects). You can, if you want, use these versions, too, to get the newest changes, which are mainly untested for environments outside Wikimedia use. So you have to be very familiar with MediaWiki to know what to do if something goes wrong.

Dcshank (talkcontribs)

Thanks for all your input. Don't take things I say too literally. Of course it is not outdated the next day, but we all know the nature of software. I can't disagree with most of it, but like probably most everyone else here, there are never enough hours in the day to do everything that should be done. My primary job is not maintaining the server and websites, and I cannot afford to hire someone to do that full-time, which is what would be required to keep everything pristine.

I figured out most of what happened, still working the issue. I have tried some things, and will see how they look in the log file tomorrow. I have tried to upgrade but there is some kind of bug at GoDaddy that will not allow it, and I have not had time to work on it. And, several upgrades that required MySQL changes took a lot longer than 5 minutes.

Thanks for your help. I have learned a lot, my customer and I will be discussing things.

Reply to "Wiki hacked for info"