Mailinglist Archive: opensuse (982 mails)

Re: [opensuse] MediaWiki exploit - check your site...
On 09/21/2014 09:48 AM, Basil Chupin wrote:
On 22/09/14 00:21, Carlos E. R. wrote:
On 2014-09-21 15:20, Basil Chupin wrote:
Yes, and you can see also mediawiki related docbook xml stylesheets. But
that is not "mediawiki" itself, just things to write for it. You may
even have a library (libmediawiki1).


MediaWiki is what runs the wikipedia, or the openSUSE wiki site, for
instance.


http://en.wikipedia.org/wiki/MediaWiki

«MediaWiki is a free and open-source wiki app, used to power wiki
websites such as Wikipedia, Wiktionary and Commons, developed by the
Wikimedia Foundation and others. It also runs thousands of other
websites.[1] It is written in the PHP programming language and uses a
backend database.»

OK, so one can now assume that what is currently installed in oS for LO is
immune and therefore safe from the exploit which David mentions?

BC


BC, (sorry, you get 2 copies -- I forgot to change the address :( )

LO is fine. This is the mediawiki web server software itself. This was just some NASTY piece of spambot code that appears to have originated in Thailand - curiously it occurred immediately following the hack that compromised/leaked ~5 million google accounts on one of google's servers in Thailand. (google claims no compromise) see:

http://www.bankinfosecurity.com/5-million-google-passwords-leaked-a-7299/op-1

Whatever the source, this is an automated exploit that bypasses all captcha and send account conf e-mail/reply account e-mail protections built into the software and can literally create 10,000 new accounts/pages as fast as your hardware will allocate it.

Then a steady stream of http requests is sent from all over the world that generate outbound mail utilizing the new wiki accounts, but outgoing as www@xxxxxxxxxxxx in order to defeat your smtpd_sender_restrictions and smtpd_client_restrictions.

Even though system accounts are set to /bin/false in /etc/passwd, postfix still considers the accounts valid local accounts (that was news to me - still working on an /etc/postfix/sender_access to blacklist system accounts while still allowing needed system e-mails).

Examples of the http requests seen were:

198.27.127.50 - - [14/Sep/2014:23:59:44 -0500] "POST /mediawiki/index.php?title=1-2&action=submit HTTP/1.1" 302 -
37.203.210.163 - - [14/Sep/2014:23:59:44 -0500] "POST /mediawiki/index.php?title=Special:UserLogin&action=submitlogin&type=signup&returnto=Info+On+Rapid+Plans+Of+%E0%B8%9A%E0%B8%A3%E0%B8%B4%E0%B8%81%E0%B8%B2%E0%B8%A3+Seo HTTP/1.1" 200 14697
23.105.145.204 - - [14/Sep/2014:23:59:44 -0500] "GET /mediawiki/index.php/Step-By-Step_Details_Of_Cats HTTP/1.1" 200 17904
198.27.127.50 - - [14/Sep/2014:23:59:44 -0500] "GET /mediawiki/index.php/1-2 HTTP/1.1" 200 13994
195.154.179.29 - - [14/Sep/2014:23:59:45 -0500] "POST /mediawiki/index.php?title=User:DawnaNealy&action=submit HTTP/1.1" 302 -
198.27.127.50 - - [14/Sep/2014:23:59:45 -0500] "GET /mediawiki/index.php/1-2 HTTP/1.1" 200 12489
195.154.179.29 - - [14/Sep/2014:23:59:45 -0500] "GET /mediawiki/index.php/User:DawnaNealy HTTP/1.1" 200 15215
195.154.179.29 - - [14/Sep/2014:23:59:47 -0500] "GET /mediawiki/index.php/User:DawnaNealy HTTP/1.1" 200 13769
198.27.127.50 - - [14/Sep/2014:23:59:47 -0500] "GET /mediawiki/index.php/User:IKDTomfezmri HTTP/1.1" 200 13199
198.27.127.50 - - [14/Sep/2014:23:59:47 -0500] "GET /mediawiki/index.php?title=Special:UserLogin&returnto=User%3AIKDTomfezmri HTTP/1.1" 200 12744
198.27.127.50 - - [14/Sep/2014:23:59:48 -0500] "POST /mediawiki/index.php?title=Special:UserLogin&action=submitlogin&type=login&returnto=User:IKDTomfezmri HTTP/1.1" 302 -
198.27.127.50 - - [14/Sep/2014:23:59:48 -0500] "GET /mediawiki/index.php/User:IKDTomfezmri HTTP/1.1" 200 14744
198.27.127.50 - - [14/Sep/2014:23:59:49 -0500] "GET /mediawiki/index.php/User:IKDTomfezmri HTTP/1.1" 200 14744
198.27.127.50 - - [14/Sep/2014:23:59:50 -0500] "GET /mediawiki/index.php?title=User:IKDTomfezmri&action=edit HTTP/1.1" 200 19148

This was at the rate of up to ~10 per second. There were over 35740 UNIQUE incoming IPs used with this attack (primarily from RIPE and APNIC blocks). Even after nearly 2 days of having closed the exploit, I am still receiving on average 1 per second:

209.236.112.190 - - [21/Sep/2014:14:10:47 -0500] "GET /mediawiki/index.php/How_to_Make_Quick_Money_Online HTTP/1.1" 500 1040
23.95.96.114 - - [21/Sep/2014:14:10:48 -0500] "GET /mediawiki/index.php/User:KingGarratt HTTP/1.1" 500 1040
5.39.105.45 - - [21/Sep/2014:14:10:50 -0500] "GET /mediawiki/index.php/High_Locations_To_Shop_For_Maternity_Wear HTTP/1.1" 500 1040
209.236.112.190 - - [21/Sep/2014:14:10:56 -0500] "GET /mediawiki/index.php/Making_Money_Online_Some_Key_Points_To_Note HTTP/1.1" 500 1040
117.26.194.42 - - [21/Sep/2014:14:10:56 -0500] "GET /mediawiki/index.php/User:HermeliDorron HTTP/1.1" 500 1040
195.154.179.29 - - [21/Sep/2014:14:11:02 -0500] "GET /mediawiki/index.php/User:EdwardoITLN HTTP/1.1" 500 1040
195.154.211.103 - - [21/Sep/2014:14:11:02 -0500] "GET /mediawiki/index.php/How_Essential_Is_Water_To_Your_Skin HTTP/1.1" 500 1040
5.255.88.57 - - [21/Sep/2014:14:11:04 -0500] "GET /mediawiki/index.php/Info_On_Rapid_Plans_Of_%E0%B8%9A%E0%B8%A3%E0%B8%B4%E0%B8%81%E0%B8%B2%E0%B8%A3_Seo HTTP/1.1" 500 1040
204.44.91.182 - - [21/Sep/2014:14:11:05 -0500] "GET /mediawiki/index.php/User:TashaJmzbotlg HTTP/1.1" 500 1040
5.255.88.57 - - [21/Sep/2014:14:11:10 -0500] "GET /mediawiki/index.php/User:ShariAngwin HTTP/1.1" 500 1040
209.236.112.190 - - [21/Sep/2014:14:11:22 -0500] "GET /mediawiki/index.php/User:APKSonjabqrg HTTP/1.1" 500 1040
5.39.105.45 - - [21/Sep/2014:14:11:23 -0500] "GET /mediawiki/index.php/User:JulianeMcclendo HTTP/1.1" 500 1040
5.135.43.143 - - [21/Sep/2014:14:11:27 -0500] "GET /mediawiki/index.php/User:RickeyJIXdzjd HTTP/1.1" 500 1040
195.154.179.29 - - [21/Sep/2014:14:11:29 -0500] "GET /mediawiki/index.php/User:ElanaPrince HTTP/1.1" 500 1040
89.137.140.101 - - [21/Sep/2014:14:11:30 -0500] "GET /mediawiki/index.php/Sex_Cams_-_Overview HTTP/1.1" 500 1040
155.94.220.104 - - [21/Sep/2014:14:11:32 -0500] "GET /mediawiki/index.php/Famous_People_Who_Have_Undergone_LASIK_And_Laser_Eye_Surgery_Treatments HTTP/1.1" 500 1040
5.39.105.45 - - [21/Sep/2014:14:11:32 -0500] "GET /mediawiki/index.php/Finances_Summer_season_Maternity_Style_Garments_And_Style_For_24_Week_Pregnant HTTP/1.1" 500 1040
5.39.105.45 - - [21/Sep/2014:14:11:34 -0500] "GET /mediawiki/index.php/New_Bellingham_Consignment_Store_Focuses_On_Maternity_And_Youngsters_s_Garments HTTP/1.1" 500 1040

I wonder how long this chatter will continue? They have been receiving a '500' response from my server since 9:30 Friday. In order to prevent the chatter, I would have to drop http requests from -- just about the entire internet :(

Does anyone have, or has anyone found, a way to send a nuclear reply to a specific http request? Kind of like an old honeypot? During close of business hours I was thinking about creating a 1G file of garbage and softlinking it to mediawiki/index.php -- but that has an obvious bandwidth downside... Any other slick retaliatory ideas?

Regardless, keep an eye on your mediawiki installs...

--
David C. Rankin, J.D.,P.E.
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse+owner@xxxxxxxxxxxx
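As an added triage example (not code from the post or from the opensuse list), the script below parses access-log lines in the Apache common format David quotes and pulls out the signals he describes: the number of distinct source IPs, the peak request rate per second, the status-code mix, and how many requests are account signups, logins and page submits rather than plain page views. The sample lines are copied from the post; the per-IP request threshold in `noisy_ips` is an assumed cutoff, not something the post specifies.

```python
"""Triage Apache access-log lines for MediaWiki account-creation / spam-edit bursts."""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Sample input: log lines copied from the post (Apache common log format).
SAMPLE_LOG = """\
198.27.127.50 - - [14/Sep/2014:23:59:44 -0500] "POST /mediawiki/index.php?title=1-2&action=submit HTTP/1.1" 302 -
37.203.210.163 - - [14/Sep/2014:23:59:44 -0500] "POST /mediawiki/index.php?title=Special:UserLogin&action=submitlogin&type=signup&returnto=Info+On+Rapid+Plans+Of+%E0%B8%9A%E0%B8%A3%E0%B8%B4%E0%B8%81%E0%B8%B2%E0%B8%A3+Seo HTTP/1.1" 200 14697
23.105.145.204 - - [14/Sep/2014:23:59:44 -0500] "GET /mediawiki/index.php/Step-By-Step_Details_Of_Cats HTTP/1.1" 200 17904
198.27.127.50 - - [14/Sep/2014:23:59:44 -0500] "GET /mediawiki/index.php/1-2 HTTP/1.1" 200 13994
195.154.179.29 - - [14/Sep/2014:23:59:45 -0500] "POST /mediawiki/index.php?title=User:DawnaNealy&action=submit HTTP/1.1" 302 -
198.27.127.50 - - [14/Sep/2014:23:59:45 -0500] "GET /mediawiki/index.php/1-2 HTTP/1.1" 200 12489
195.154.179.29 - - [14/Sep/2014:23:59:45 -0500] "GET /mediawiki/index.php/User:DawnaNealy HTTP/1.1" 200 15215
195.154.179.29 - - [14/Sep/2014:23:59:47 -0500] "GET /mediawiki/index.php/User:DawnaNealy HTTP/1.1" 200 13769
198.27.127.50 - - [14/Sep/2014:23:59:47 -0500] "GET /mediawiki/index.php/User:IKDTomfezmri HTTP/1.1" 200 13199
198.27.127.50 - - [14/Sep/2014:23:59:47 -0500] "GET /mediawiki/index.php?title=Special:UserLogin&returnto=User%3AIKDTomfezmri HTTP/1.1" 200 12744
198.27.127.50 - - [14/Sep/2014:23:59:48 -0500] "POST /mediawiki/index.php?title=Special:UserLogin&action=submitlogin&type=login&returnto=User:IKDTomfezmri HTTP/1.1" 302 -
198.27.127.50 - - [14/Sep/2014:23:59:48 -0500] "GET /mediawiki/index.php/User:IKDTomfezmri HTTP/1.1" 200 14744
198.27.127.50 - - [14/Sep/2014:23:59:49 -0500] "GET /mediawiki/index.php/User:IKDTomfezmri HTTP/1.1" 200 14744
198.27.127.50 - - [14/Sep/2014:23:59:50 -0500] "GET /mediawiki/index.php?title=User:IKDTomfezmri&action=edit HTTP/1.1" 200 19148
209.236.112.190 - - [21/Sep/2014:14:10:47 -0500] "GET /mediawiki/index.php/How_to_Make_Quick_Money_Online HTTP/1.1" 500 1040
23.95.96.114 - - [21/Sep/2014:14:10:48 -0500] "GET /mediawiki/index.php/User:KingGarratt HTTP/1.1" 500 1040
"""

# Apache common log format: ip ident user [timestamp] "METHOD target HTTP/x.y" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)$'
)


def classify(method, target):
    """Map a MediaWiki request to the action it performs.

    Separates the requests that matter for abuse triage (account signup, login,
    page submit, edit form) from ordinary page views. Works for both the query
    form (index.php?title=...&action=...) and the path form (index.php/Title).
    """
    query = {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}
    title = query.get("title", "")
    action = query.get("action", "")
    if title == "Special:UserLogin":
        if query.get("type") == "signup":
            return "signup"
        if query.get("type") == "login":
            return "login"
        return "login-form"
    if action == "submit" and method == "POST":
        return "edit-submit"
    if action == "edit":
        return "edit-form"
    return "view"


def parse_line(line):
    """Return a record dict for one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["kind"] = classify(rec["method"], rec["target"])
    return rec


def summarize(lines):
    """Aggregate the signals a defender wants from a burst like the one in the post."""
    recs = [r for r in (parse_line(l) for l in lines) if r]
    per_second = Counter(r["when"] for r in recs)
    return {
        "parsed": len(recs),
        "unique_ips": len({r["ip"] for r in recs}),
        "by_kind": Counter(r["kind"] for r in recs),
        "by_status": Counter(r["status"] for r in recs),
        "peak_per_second": max(per_second.values(), default=0),
        "signup_ips": sorted({r["ip"] for r in recs if r["kind"] == "signup"}),
    }


def noisy_ips(lines, threshold):
    """IPs issuing more than `threshold` requests in the sample (threshold is an assumed cutoff)."""
    recs = [r for r in (parse_line(l) for l in lines) if r]
    hits = Counter(r["ip"] for r in recs)
    return sorted(ip for ip, n in hits.items() if n > threshold)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("noisy IPs (>5 requests):", noisy_ips(SAMPLE_LOG.splitlines(), 5))
```

On a real server this would be run over the full access log rather than the excerpt; the useful outputs are the signup and edit-submit counts per minute (a legitimate wiki rarely creates accounts several times a second) and the list of IPs that both create an account and immediately submit pages from it, which is the pattern the post describes. A peak of 4 requests in one second across 6 IPs in this 16-line sample is, of course, far below the ~10 per second and 35,740 distinct IPs David reports for the real event.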
