Author Topic: Help! FSWiki under spambot attack  (Read 13400 times)

0 Members and 2 Guests are viewing this topic.

Offline TopAce

  • Stalwart contributor
  • 212
  • FREDder, FSWiki editor, and tester
Help! FSWiki under spambot attack
http://wiki.hard-light.net/index.php/Special:RecentChanges

It's happening right now. Even as I'm trying to get rid of the accounts/articles they created, new ones are generated. Any other admin online that could help?
« Last Edit: November 26, 2017, 05:11:39 am by TopAce »
My community contributions - Get my campaigns from here.

I already announced my retirement twice, yet here I am. If I bring up that topic again, don't believe a word.

 

Offline AdmiralRalwood

  • 211
  • The Cthulhu programmer himself!
    • Skype
    • Steam
    • Twitter
Re: Help! FSWiki under spambot attack
Were registrations opened back up in the server move? Should probably fix that.
Ph'nglui mglw'nafh Codethulhu GitHub wgah'nagl fhtagn.

schrödinbug (noun) - a bug that manifests itself in running software after a programmer notices that the code should never have worked in the first place.

When you gaze long into BMPMAN, BMPMAN also gazes into you.

"I am one of the best FREDders on Earth" -General Battuta

<Aesaar> literary criticism is vladimir putin

<MageKing17> "There's probably a reason the code is the way it is" is a very dangerous line of thought. :P
<MageKing17> Because the "reason" often turns out to be "nobody noticed it was wrong".
(the very next day)
<MageKing17> this ****ing code did it to me again
<MageKing17> "That doesn't really make sense to me, but I'll assume it was being done for a reason."
<MageKing17> **** ME
<MageKing17> THE REASON IS PEOPLE ARE STUPID
<MageKing17> ESPECIALLY ME

<MageKing17> God damn, I do not understand how this is breaking.
<MageKing17> Everything points to "this should work fine", and yet it's clearly not working.
<MjnMixael> 2 hours later... "God damn, how did this ever work at all?!"
(...)
<MageKing17> so
<MageKing17> more than two hours
<MageKing17> but once again we have reached the inevitable conclusion
<MageKing17> How did this code ever work in the first place!?

<@The_E> Welcome to OpenGL, where standards compliance is optional, and error reporting inconsistent

<MageKing17> It was all working perfectly until I actually tried it on an actual mission.

<IronWorks> I am useful for FSO stuff again. This is a red-letter day!
* z64555 erases "Thursday" and rewrites it in red ink

<MageKing17> TIL the entire homing code is held up by shoestrings and duct tape, basically.

 

Offline TopAce

  • Stalwart contributor
  • 212
  • FREDder, FSWiki editor, and tester
Re: Help! FSWiki under spambot attack
Not on purpose. I assume we've been hacked.

I checked the last 3500(!) recent changes and found out that all those edits were spambot account creations, spam article creations, or me doing cleanup. And they just keep coming. This is above my head.

[EDIT]Normal wiki browsing has been compromised too. There's a long "debug" log that starts roughly from the center of the page, and there are images and some templates missing. The Apollo article for example is a complete mess.
« Last Edit: November 26, 2017, 05:39:07 am by TopAce »
My community contributions - Get my campaigns from here.

I already announced my retirement twice, yet here I am. If I bring up that topic again, don't believe a word.

 

Offline Spoon

  • 212
  • ヾ(´︶`♡)ノ
Re: Help! FSWiki under spambot attack
Yeah, things are getting kind of bad on the wiki. long nonsense spoiled strings of debug data and what not.
Urutorahappī!!

[02:42] <@Axem> spoon somethings wrong
[02:42] <@Axem> critically wrong
[02:42] <@Axem> im happy with these missions now
[02:44] <@Axem> well
[02:44] <@Axem> with 2 of them

 

Offline ngld

  • Administrator
  • 29
  • Knossos dev
Re: Help! FSWiki under spambot attack
Those errors look a lot like the stuff we saw after the server move and the user creation page is publicly accessible. Did someone revert one of the fixes that were applied after the move? I thought it worked fine after Goober reinstalled the wiki.

 

Offline mjn.mixael

  • Cutscene Master
  • 212
  • Chopped liver
    • Steam
    • Twitter
Re: Help! FSWiki under spambot attack
I hope we have a backup... Kill it with fire. Start again.
Cutscene Upgrade Project - Mainhall Remakes - Between the Ashes
Youtube Channel - P3D Model Box
Between the Ashes is looking for committed testers, PM me for details.
Freespace Upgrade Project See what's happening.

 

Offline TopAce

  • Stalwart contributor
  • 212
  • FREDder, FSWiki editor, and tester
Re: Help! FSWiki under spambot attack
Well, they stopped at least. Guess that's good.
My community contributions - Get my campaigns from here.

I already announced my retirement twice, yet here I am. If I bring up that topic again, don't believe a word.

 

Offline jr2

  • The Mail Man
  • 212
  • It's prounounced jayartoo 0x6A7232
    • Steam
Re: Help! FSWiki under spambot attack
Yeah, that debug stuff has been there a few days.  I just assumed it was you guys doing something server-move related (wiki is outputting debug stuff to spoilered text lines on every wiki page).

 

Offline Goober5000

  • HLP Loremaster
  • 214
    • Goober5000 Productions
Re: Help! FSWiki under spambot attack
My guess is that this is somehow related to the HTTPS move.  I fixed the wiki before I fixed the forum, and it has been working just fine for the last few weeks.

The configuration settings that prevented account creation had been removed.  I added them back.

The debug data should not be displayed; it wasn't enabled in LocalSettings.php and I tried specifically disabling it with no luck.  It looks like disabling account creation is working properly, so it's not a case of LocalSettings.php not being loaded somehow.  It must be caused by something else, but I couldn't say what.

I'm on travel this weekend and for the next few days so my ability to do much more will be limited.  Hopefully Zacam and/or rev_posix can look into this in the meantime.  We do have backups, so rolling it back sounds like the best option to me.


Yeah, that debug stuff has been there a few days.  I just assumed it was you guys doing something server-move related (wiki is outputting debug stuff to spoilered text lines on every wiki page).

FFS, there is a big blue newspost for a reason.  "If you see anything that isn't working, please let us know."

 

Offline jr2

  • The Mail Man
  • 212
  • It's prounounced jayartoo 0x6A7232
    • Steam
Re: Help! FSWiki under spambot attack
My guess is that this is somehow related to the HTTPS move.  I fixed the wiki before I fixed the forum, and it has been working just fine for the last few weeks.

The configuration settings that prevented account creation had been removed.  I added them back.

The debug data should not be displayed; it wasn't enabled in LocalSettings.php and I tried specifically disabling it with no luck.  It looks like disabling account creation is working properly, so it's not a case of LocalSettings.php not being loaded somehow.  It must be caused by something else, but I couldn't say what.

I'm on travel this weekend and for the next few days so my ability to do much more will be limited.  Hopefully Zacam and/or rev_posix can look into this in the meantime.  We do have backups, so rolling it back sounds like the best option to me.


Yeah, that debug stuff has been there a few days.  I just assumed it was you guys doing something server-move related (wiki is outputting debug stuff to spoilered text lines on every wiki page).

FFS, there is a big blue newspost for a reason.  "If you see anything that isn't working, please let us know."

To my mind, that's still within the realm of "working properly", as I can put up with it and it remains functional.  I was a bit concerned at first, but I figured someone who knows about web dev would have noticed it if it wasn't intentional (bad assumption, I know; in hindsight, those were probably busy doing other things besides editing the wiki.  My very bad, I shall now go sit in the corner by the air ducts with my lunch bag. :( )

 

Offline Goober5000

  • HLP Loremaster
  • 214
    • Goober5000 Productions
Re: Help! FSWiki under spambot attack
No response from rev_posix in the last week. ¯\_(ツ)_/¯  And the spammers are still coming.

I'm mostly back online but it will be several days before the wiki is fully fixed.  Whatever happened really screwed things up.

 

Offline rev_posix

  • Administrator
  • 213
  • I have the password to your shell account...
    • Trials and Tribulations
Re: Help! FSWiki under spambot attack
Ug, sorry peeps, been sick this past week, work as always (funny how the xmas 'freeze' time often seems to be the busiest times of the year)...

I'm not sure what happened with the wiki, it is possible that the fixed version was accidentally reverted when experimentation was being done to get it to run over SSL.

Any future work will have confirmed backups in place, which reminds me, I need to adjust the rsync stuff to reflect the new directory structure.
--
POSIX is fine, as is Rev or RP

"Although generally it is considered a no no to disagree with a mod since it's pretty much equivalent to kicking an unpaid janitor in the nuts while he's busy cleaning up somebody elses vomit and then telling them how bad they are at cleaning it up cause you can smell it down the hall." - Dennis, Home Improvement Moderator @ DSL Reports

"wow, some people are thick and clearly can't think for themselves - the solution is to remove warning labels from poisons."

 

Offline Vidmaster

  • 211
  • Inventor of FS2 bullettime ;-)
Re: Help! FSWiki under spambot attack
As of today, the debug stuff has been combined with missing images now. Well, the GTVA thought they had proven their technological superiory as well and then the Juggernauts started jumping in ;-)
Devoted member of the Official Karajorma Fan Club (Founded and Led by Mobius).

Does crazy Software Engineering for a living, until he finally musters the courage to start building games for real. Might never happen.

 

Offline Goober5000

  • HLP Loremaster
  • 214
    • Goober5000 Productions
Re: Help! FSWiki under spambot attack
I specifically disabled debug messages and I also specifically disabled account creation.  It's like LocalSettings.php isn't even being loaded.

I hope to have more time to look at this in the next few days.

 

Offline rev_posix

  • Administrator
  • 213
  • I have the password to your shell account...
    • Trials and Tribulations
Re: Help! FSWiki under spambot attack
I specifically disabled debug messages and I also specifically disabled account creation.  It's like LocalSettings.php isn't even being loaded.

I hope to have more time to look at this in the next few days.
I checked this, and it's reading the LocalSettings file.  If new accounts are still being made, I can only think that somehow, the bots might have set up a bogus account and got rights on it to make new ones?  I don't have an account on it myself to look at the UI and see, but I can get into the backend and edit the settings file...

So, I've added some lines and adjusted the section that was added:

Code: [Select]
# Only users with accounts four days old or older can create pages
# Requires MW 1.6 or higher.
$wgGroupPermissions['*'            ]['createpage'] = false;
$wgGroupPermissions['user'         ]['createpage'] = false;
$wgGroupPermissions['autoconfirmed']['createpage'] = true;

# Prevent new user registrations except by sysops
$wgGroupPermissions['*']['createaccount'] = false;

#This will stop sysops from creating accounts as well
$wgGroupPermissions['sysop']['createaccount'] = false;

Starts on line 143 of the file.  It's a kind of emergency setting, but should prevent any new accounts being made until it can be better cleaned up.

As for the debug stuff, it looks like it was turned up in the php.ini as well.  I changed those settings and reloaded apache and the php module.  But I see there is something still printing it up.  I'll poke around and see if I can find it

EDIT:  Found it in the index.php.  Changed.  Post the URL if it still shows up anywhere.
« Last Edit: December 08, 2017, 05:49:10 am by rev_posix »
--
POSIX is fine, as is Rev or RP

"Although generally it is considered a no no to disagree with a mod since it's pretty much equivalent to kicking an unpaid janitor in the nuts while he's busy cleaning up somebody elses vomit and then telling them how bad they are at cleaning it up cause you can smell it down the hall." - Dennis, Home Improvement Moderator @ DSL Reports

"wow, some people are thick and clearly can't think for themselves - the solution is to remove warning labels from poisons."