On 09/21/2014 09:48 AM, Basil Chupin wrote:
> On 22/09/14 00:21, Carlos E. R. wrote:
>> On 2014-09-21 15:20, Basil Chupin wrote:
>>
>> Yes, and you can also see mediawiki-related docbook xml stylesheets. But that is not "mediawiki" itself, just things to write for it. You may even have a library (libmediawiki1).
>>
>> MediaWiki is what runs the wikipedia, or the openSUSE wiki site, for instance.
>>
>> http://en.wikipedia.org/wiki/MediaWiki
>>
>> «MediaWiki is a free and open-source wiki app, used to power wiki websites such as Wikipedia, Wiktionary and Commons, developed by the Wikimedia Foundation and others. It also runs thousands of other websites.[1] It is written in the PHP programming language and uses a backend database.»
>
> OK, so one can now assume that what is currently installed in oS for LO is immune and therefore safe from the exploit which David mentions?
>
> BC
BC,

(sorry, you get 2 copies -- I forgot to change the address :( )

LO is fine. This is the mediawiki web server software itself. This was just some NASTY piece of spambot code that appears to have originated in Thailand - curiously it occurred immediately following the hack that compromised/leaked ~5 million google accounts on one of google's servers in Thailand. (google claims no compromise) see:

http://www.bankinfosecurity.com/5-million-google-passwords-leaked-a-7299/op-...

Whatever the source, this is an automated exploit that bypasses all the captcha and account-confirmation e-mail/reply e-mail protections built into the software and can literally create 10,000 new accounts/pages as fast as your hardware will allocate them. Then a steady stream of http requests is sent from all over the world that generate outbound mail utilizing the new wiki accounts, but outgoing as www@yourhost.com in order to defeat your smtpd_sender_restrictions and smtpd_client_restrictions. Even though system accounts are set to /bin/false in /etc/passwd, postfix still considers the accounts valid local accounts (that was news to me - still working on an /etc/postfix/sender_access to blacklist system accounts while still allowing needed system e-mails).
An example of the http requests seen was:

198.27.127.50 - - [14/Sep/2014:23:59:44 -0500] "POST /mediawiki/index.php?title=1-2&action=submit HTTP/1.1" 302 -
37.203.210.163 - - [14/Sep/2014:23:59:44 -0500] "POST /mediawiki/index.php?title=Special:UserLogin&action=submitlogin&type=signup&returnto=Info+On+Rapid+Plans+Of+%E0%B8%9A%E0%B8%A3%E0%B8%B4%E0%B8%81%E0%B8%B2%E0%B8%A3+Seo HTTP/1.1" 200 14697
23.105.145.204 - - [14/Sep/2014:23:59:44 -0500] "GET /mediawiki/index.php/Step-By-Step_Details_Of_Cats HTTP/1.1" 200 17904
198.27.127.50 - - [14/Sep/2014:23:59:44 -0500] "GET /mediawiki/index.php/1-2 HTTP/1.1" 200 13994
195.154.179.29 - - [14/Sep/2014:23:59:45 -0500] "POST /mediawiki/index.php?title=User:DawnaNealy&action=submit HTTP/1.1" 302 -
198.27.127.50 - - [14/Sep/2014:23:59:45 -0500] "GET /mediawiki/index.php/1-2 HTTP/1.1" 200 12489
195.154.179.29 - - [14/Sep/2014:23:59:45 -0500] "GET /mediawiki/index.php/User:DawnaNealy HTTP/1.1" 200 15215
195.154.179.29 - - [14/Sep/2014:23:59:47 -0500] "GET /mediawiki/index.php/User:DawnaNealy HTTP/1.1" 200 13769
198.27.127.50 - - [14/Sep/2014:23:59:47 -0500] "GET /mediawiki/index.php/User:IKDTomfezmri HTTP/1.1" 200 13199
198.27.127.50 - - [14/Sep/2014:23:59:47 -0500] "GET /mediawiki/index.php?title=Special:UserLogin&returnto=User%3AIKDTomfezmri HTTP/1.1" 200 12744
198.27.127.50 - - [14/Sep/2014:23:59:48 -0500] "POST /mediawiki/index.php?title=Special:UserLogin&action=submitlogin&type=login&returnto=User:IKDTomfezmri HTTP/1.1" 302 -
198.27.127.50 - - [14/Sep/2014:23:59:48 -0500] "GET /mediawiki/index.php/User:IKDTomfezmri HTTP/1.1" 200 14744
198.27.127.50 - - [14/Sep/2014:23:59:49 -0500] "GET /mediawiki/index.php/User:IKDTomfezmri HTTP/1.1" 200 14744
198.27.127.50 - - [14/Sep/2014:23:59:50 -0500] "GET /mediawiki/index.php?title=User:IKDTomfezmri&action=edit HTTP/1.1" 200 19148

This was at the rate of up to ~10 per second.
There were over 35740 UNIQUE incoming IPs used with this attack (primarily from RIPE and APNIC blocks). Even after nearly 2 days of having closed the exploit, I am still receiving on average 1 per second:

209.236.112.190 - - [21/Sep/2014:14:10:47 -0500] "GET /mediawiki/index.php/How_to_Make_Quick_Money_Online HTTP/1.1" 500 1040
23.95.96.114 - - [21/Sep/2014:14:10:48 -0500] "GET /mediawiki/index.php/User:KingGarratt HTTP/1.1" 500 1040
5.39.105.45 - - [21/Sep/2014:14:10:50 -0500] "GET /mediawiki/index.php/High_Locations_To_Shop_For_Maternity_Wear HTTP/1.1" 500 1040
209.236.112.190 - - [21/Sep/2014:14:10:56 -0500] "GET /mediawiki/index.php/Making_Money_Online_Some_Key_Points_To_Note HTTP/1.1" 500 1040
117.26.194.42 - - [21/Sep/2014:14:10:56 -0500] "GET /mediawiki/index.php/User:HermeliDorron HTTP/1.1" 500 1040
195.154.179.29 - - [21/Sep/2014:14:11:02 -0500] "GET /mediawiki/index.php/User:EdwardoITLN HTTP/1.1" 500 1040
195.154.211.103 - - [21/Sep/2014:14:11:02 -0500] "GET /mediawiki/index.php/How_Essential_Is_Water_To_Your_Skin HTTP/1.1" 500 1040
5.255.88.57 - - [21/Sep/2014:14:11:04 -0500] "GET /mediawiki/index.php/Info_On_Rapid_Plans_Of_%E0%B8%9A%E0%B8%A3%E0%B8%B4%E0%B8%81%E0%B8%B2%E0%B8%A3_Seo HTTP/1.1" 500 1040
204.44.91.182 - - [21/Sep/2014:14:11:05 -0500] "GET /mediawiki/index.php/User:TashaJmzbotlg HTTP/1.1" 500 1040
5.255.88.57 - - [21/Sep/2014:14:11:10 -0500] "GET /mediawiki/index.php/User:ShariAngwin HTTP/1.1" 500 1040
209.236.112.190 - - [21/Sep/2014:14:11:22 -0500] "GET /mediawiki/index.php/User:APKSonjabqrg HTTP/1.1" 500 1040
5.39.105.45 - - [21/Sep/2014:14:11:23 -0500] "GET /mediawiki/index.php/User:JulianeMcclendo HTTP/1.1" 500 1040
5.135.43.143 - - [21/Sep/2014:14:11:27 -0500] "GET /mediawiki/index.php/User:RickeyJIXdzjd HTTP/1.1" 500 1040
195.154.179.29 - - [21/Sep/2014:14:11:29 -0500] "GET /mediawiki/index.php/User:ElanaPrince HTTP/1.1" 500 1040
89.137.140.101 - - [21/Sep/2014:14:11:30 -0500] "GET /mediawiki/index.php/Sex_Cams_-_Overview HTTP/1.1" 500 1040
155.94.220.104 - - [21/Sep/2014:14:11:32 -0500] "GET /mediawiki/index.php/Famous_People_Who_Have_Undergone_LASIK_And_Laser_Eye_Surgery_Treatments HTTP/1.1" 500 1040
5.39.105.45 - - [21/Sep/2014:14:11:32 -0500] "GET /mediawiki/index.php/Finances_Summer_season_Maternity_Style_Garments_And_Style_For_24_Week_Pregnant HTTP/1.1" 500 1040
5.39.105.45 - - [21/Sep/2014:14:11:34 -0500] "GET /mediawiki/index.php/New_Bellingham_Consignment_Store_Focuses_On_Maternity_And_Youngsters_s_Garments HTTP/1.1" 500 1040

I wonder how long this chatter will continue? They have been receiving a '500' response from my server since 9:30 Friday. In order to prevent the chatter, I would have to drop http requests from -- just about the entire internet :(

Does anyone have, or has anyone found, a way to send a nuclear reply to a specific http request? Kind of like an old honeypot? During close of business hours I was thinking about creating a 1G file of garbage and softlinking it to mediawiki/index.php -- but that has an obvious bandwidth downside... Any other slick retaliatory ideas?

Regardless, keep an eye on your mediawiki installs...

-- 
David C. Rankin, J.D., P.E.

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
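As an added example (not part of the original thread, and not code from David or from the MediaWiki project), here is a small Python triage script for the pattern David describes: it parses access-log lines in the format shown above, labels each request as an account signup, a login, a page submit or anything else, and tallies unique source IPs, signup and page-submit rates, peak requests per second, and which IPs did the writing. The sample lines are the fourteen from David's first excerpt; the function names, the request labels and the way rates are computed are my own choices.

```python
"""Triage a MediaWiki access log for spambot account/page creation bursts.

Added example for the opensuse thread above; not the author's code.
Input is Common Log Format as Apache writes it:
  ip ident user [timestamp] "METHOD path PROTO" status bytes
"""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def classify(method, path):
    """Label a request by what it does to the wiki (labels are my own):
    signup  - POST to Special:UserLogin with type=signup (account creation)
    login   - POST to Special:UserLogin without type=signup
    submit  - POST with action=submit (page create/edit save)
    other   - everything else (page views, edit forms, login forms)"""
    q = parse_qs(urlsplit(path).query)
    title = q.get("title", [""])[0]
    action = q.get("action", [""])[0]
    if method == "POST" and title == "Special:UserLogin" and action == "submitlogin":
        return "signup" if q.get("type", [""])[0] == "signup" else "login"
    if method == "POST" and action == "submit":
        return "submit"
    return "other"


def parse_line(line):
    """Return a dict for one log line, or None if it is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["kind"] = classify(rec["method"], rec["path"])
    return rec


def triage(lines):
    """Summarise a batch of log lines. Rates are per minute over the
    observed window (min 1 s) so short excerpts still give a number."""
    recs = [r for r in map(parse_line, lines) if r]
    if not recs:
        return {}
    per_sec = Counter(r["ts"] for r in recs)
    kinds = Counter(r["kind"] for r in recs)
    span = max((max(per_sec) - min(per_sec)).total_seconds(), 1.0)
    return {
        "requests": len(recs),
        "unique_ips": len({r["ip"] for r in recs}),
        "peak_per_second": max(per_sec.values()),
        "signups_per_min": kinds["signup"] * 60 / span,
        "submits_per_min": kinds["submit"] * 60 / span,
        "statuses": Counter(r["status"] for r in recs),
        # IPs that created accounts or saved pages: the ones worth blocking
        "write_ips": Counter(r["ip"] for r in recs if r["kind"] in ("signup", "submit")),
    }


# The fourteen lines from the first log excerpt in the post above.
SAMPLE = [
    '198.27.127.50 - - [14/Sep/2014:23:59:44 -0500] "POST /mediawiki/index.php?title=1-2&action=submit HTTP/1.1" 302 -',
    '37.203.210.163 - - [14/Sep/2014:23:59:44 -0500] "POST /mediawiki/index.php?title=Special:UserLogin&action=submitlogin&type=signup&returnto=Info+On+Rapid+Plans+Of+%E0%B8%9A%E0%B8%A3%E0%B8%B4%E0%B8%81%E0%B8%B2%E0%B8%A3+Seo HTTP/1.1" 200 14697',
    '23.105.145.204 - - [14/Sep/2014:23:59:44 -0500] "GET /mediawiki/index.php/Step-By-Step_Details_Of_Cats HTTP/1.1" 200 17904',
    '198.27.127.50 - - [14/Sep/2014:23:59:44 -0500] "GET /mediawiki/index.php/1-2 HTTP/1.1" 200 13994',
    '195.154.179.29 - - [14/Sep/2014:23:59:45 -0500] "POST /mediawiki/index.php?title=User:DawnaNealy&action=submit HTTP/1.1" 302 -',
    '198.27.127.50 - - [14/Sep/2014:23:59:45 -0500] "GET /mediawiki/index.php/1-2 HTTP/1.1" 200 12489',
    '195.154.179.29 - - [14/Sep/2014:23:59:45 -0500] "GET /mediawiki/index.php/User:DawnaNealy HTTP/1.1" 200 15215',
    '195.154.179.29 - - [14/Sep/2014:23:59:47 -0500] "GET /mediawiki/index.php/User:DawnaNealy HTTP/1.1" 200 13769',
    '198.27.127.50 - - [14/Sep/2014:23:59:47 -0500] "GET /mediawiki/index.php/User:IKDTomfezmri HTTP/1.1" 200 13199',
    '198.27.127.50 - - [14/Sep/2014:23:59:47 -0500] "GET /mediawiki/index.php?title=Special:UserLogin&returnto=User%3AIKDTomfezmri HTTP/1.1" 200 12744',
    '198.27.127.50 - - [14/Sep/2014:23:59:48 -0500] "POST /mediawiki/index.php?title=Special:UserLogin&action=submitlogin&type=login&returnto=User:IKDTomfezmri HTTP/1.1" 302 -',
    '198.27.127.50 - - [14/Sep/2014:23:59:48 -0500] "GET /mediawiki/index.php/User:IKDTomfezmri HTTP/1.1" 200 14744',
    '198.27.127.50 - - [14/Sep/2014:23:59:49 -0500] "GET /mediawiki/index.php/User:IKDTomfezmri HTTP/1.1" 200 14744',
    '198.27.127.50 - - [14/Sep/2014:23:59:50 -0500] "GET /mediawiki/index.php?title=User:IKDTomfezmri&action=edit HTTP/1.1" 200 19148',
]

if __name__ == "__main__":
    import sys
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE
    for key, val in triage(list(lines)).items():
        print(f"{key}: {val}")
```

Run it as `python3 triage.py < /var/log/apache2/access_log` on a real log; the signup and submit rates are the numbers to alert on, and `write_ips` is the list to feed a firewall or a fail2ban jail rather than the full set of viewers, which in David's case was most of the internet. Note that `classify` keys only on the query string, so page views via the `/index.php/Title` form and the `action=edit` form fetches all land in `other` by design; a bot that has stopped writing (the post-fix "500" chatter) shows up as traffic but not as writes.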