[Moin-user] Cracked...advice sought on how to proceed
Paul Boddie
paul at boddie.org.uk
Sun Jun 16 17:24:30 EDT 2013
On Sunday 16 June 2013 19:09:36 Desmond Rivet wrote:
> Hi all,
>
> I'm running a personal MoinMoin wiki. I've recently discovered that I've
> been cracked. I'm finding lots of entries in the data/pages directory that
> look like:
>
> zupeginwuxi397/edit-log
> 6pm_Offer_Coupon_Codes/edit-log
>
> All the edit-log files (that I've checked) appear to be empty. The file
> also appears to be the only contents of these bogus pages/directories. As
> I said, I have a ton of these in my data/pages folder. And it's been going
> on for a while, judging by the backup I've looked at.
These are attempts to create pages, and I think that a bug was reported
recently about such denied attempts still creating files, even though the
pages will not be created:
http://comments.gmane.org/gmane.comp.web.wiki.moin.general/8998
The following fix was described:
http://hg.moinmo.in/moin/1.9/rev/6489ec33874d
> I'm not sure how it happened or what the intent was. I'm not sure what
> exactly has been compromised. Can I just change my login password and get
> a better SSL certificate? (I always logged in via https, but maybe the
> certificate was compromised).
Provided that you're running a fixed version of Moin that isn't subject to
vulnerabilities, I rather suspect that you're seeing the effect of the
problem mentioned above.
> That being said, all is not lost. It's fairly easy for me to pick out my
> own pages from the mess - looking for folders that have a "revisions"
> subfolder seems to do the trick.
>
> So I'm seeking some advice on how to proceed. Can I simply rm -rf the
> bogus directories from the file system? If I do this, will I have to
> update some other cache file?
I don't want to give concrete advice here, but I imagine that you could remove
the bogus directories. If Moin has a record of the pages elsewhere, it will
probably just ignore them if it comes across something like a log entry
referencing them. Maybe the despam action helps in this situation, but I
wouldn't know.
> Should I re-install MoinMoin? If I do, is there a way to re-import all my
> original pages into the new wiki (assuming I pulled out all the pages from
> my old wiki) ?
I wouldn't immediately re-install Moin. It might be interesting to know what
kind of authentication measures you provide, whether you have a restrictive
ACL policy, and whether the "newaccount" action is enabled. Generally, to
prevent bogus edits you can require users to be registered in order to make
edits, you can thereby require authentication, and you can forbid new
accounts by putting the following in the class in your configuration file:
actions_excluded = ["newaccount"] # plus any others you exclude
At that point, maybe the only new files that get created are session files and
cache files, as far as I can tell.
Paul
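
Added example, not part of the original message and not MoinMoin code: a dry-run-first scan of data/pages for the pattern described in this thread, a page directory whose only entry is an empty edit-log. The function names are hypothetical, the sample tree is constructed, and the matching rule is an assumption taken from the original poster's description.

```python
import os
import shutil
import sys
import tempfile


def is_bogus_page(page_dir):
    """True if the directory contains only an empty edit-log file."""
    if os.path.islink(page_dir) or not os.path.isdir(page_dir):
        return False
    if os.listdir(page_dir) != ["edit-log"]:
        return False  # real pages also carry "revisions", "current", ...
    log = os.path.join(page_dir, "edit-log")
    return os.path.isfile(log) and os.path.getsize(log) == 0


def find_bogus_pages(pages_dir):
    """Sorted names of entries under pages_dir that match the pattern."""
    return sorted(n for n in os.listdir(pages_dir)
                  if is_bogus_page(os.path.join(pages_dir, n)))


def remove_bogus_pages(pages_dir, dry_run=True):
    """Return the matches; delete them only when dry_run is False."""
    found = find_bogus_pages(pages_dir)
    if not dry_run:
        for name in found:
            shutil.rmtree(os.path.join(pages_dir, name))
    return found


def build_sample_tree(root):
    """Constructed sample: two bogus pages, one real page, one used log."""
    for name in ("zupeginwuxi397", "6pm_Offer_Coupon_Codes"):
        os.makedirs(os.path.join(root, name))
        open(os.path.join(root, name, "edit-log"), "w").close()
    os.makedirs(os.path.join(root, "FrontPage", "revisions"))
    open(os.path.join(root, "FrontPage", "edit-log"), "w").close()
    os.makedirs(os.path.join(root, "NonEmptyLog"))
    with open(os.path.join(root, "NonEmptyLog", "edit-log"), "w") as f:
        f.write("constructed log line\n")


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real data/pages path: report only, never delete
        print("\n".join(find_bogus_pages(sys.argv[1])))
    else:
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(tmp)
            print(remove_bogus_pages(tmp, dry_run=True))
```

Run it against a copy of data/pages and review the reported names before calling remove_bogus_pages with dry_run=False.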