[CKAN-Security] Fwd: ckan.org top page defaced?

chiaki-ishikawa-thunderbird-account chiaki.ishikawa at ubin.jp
Sat Aug 3 16:04:05 UTC 2019


Hi all,

It is past midnight, 01:00 am in Japan.

I am afraid the redirection of https://ckan.org comes back (!?).

I believe whoever has the way to inject the malicious code in the first
place still has the path through which the injection was done, or may
have a new path or new paths.
Hmm...


Have you heard any news from other regions of the world?
If I am not mistaken, the redirection code may have the intelligence to
show me a webpage of a mail order house that is written in Japanese.
I am afraid the injection code writer may be a skilled person who
incorporated the intelligence to check the origin of access and show a
proper website (i.e., pick up a language spoken in the accessing user's
region/country).
That the malicious code shows me a Japanese web page doesn't seem to be a
simple coincidence.

TIA


Chiaki


On 2019/08/03 21:46, David Read wrote:
> Much appreciated, Goce,
> David
>
> On Fri, 2 Aug 2019 at 20:13, Goce Mitevski <goce.mitevski at keitaro.com> wrote:
>> I am working on it and the problems are still not resolved entirely.
>>
>> Regards,
>> Goce
>>
>> On Fri, Aug 2, 2019 at 6:07 PM David Read
>> <david.read at hackneyworkshop.com> wrote:
>>> Great, thanks Goce.
>>>
>>> I looked yesterday 2 hours after Chiaki's initial report and also
>>> didn't see anything wrong. So I guess Adria and co fixed this quickly.
>>>
>>> David
>>>
>>> On Fri, 2 Aug 2019 at 15:23, Goce Mitevski <goce.mitevski at keitaro.com> wrote:
>>>> Hi David,
>>>>
>>>> The malicious code and the filesystem were cleaned in the meantime.
>>>> That's why you can't notice anything different at the moment.
>>>>
>>>> Regards,
>>>> Goce Mitevski
>>>>
>>>> On Fri, Aug 2, 2019 at 4:29 PM David Read
>>>> <david.read at hackneyworkshop.com> wrote:
>>>>> It looks fine to me. What am I missing?
>>>>> David
>>>>>
>>>>> On Thu, 1 Aug 2019 at 23:19, 石川 千秋 <chiaki.ishikawa at ubin.jp> wrote:
>>>>>> Dear Adrià,
>>>>>>
>>>>>> You are welcome.
>>>>>>
>>>>>> I am glad that you are aware of the problem.
>>>>>> When one of my colleagues approached me late afternoon in Japan saying that
>>>>>> something is wrong with ckan.org website and I myself accessed the URL,
>>>>>> my jaw dropped.
>>>>>>
>>>>>> We help some government agencies' open data initiative in Japan.
>>>>>> Already, the cabinet office's web page disabled the "Powered by ckan" link.
>>>>>> They have the staff man-power to do that. I am afraid my colleagues need to
>>>>>> talk with people at Tokyo Metropolitan government and other ckan site
>>>>>> people regarding this issue.
>>>>>>
>>>>>> I am afraid that this event put a rather negative publicity on ckan. That is
>>>>>> why I wanted to make sure that CKAN people are aware ASAP.
>>>>>>
>>>>>> I hope you can resolve the issue at the earliest time.
>>>>>>
>>>>>> At the same time, I know how you feel.
>>>>>> I have done a sysadmin-like job in my previous office, and a self-appointed
>>>>>> admin of a rather complex home LAN/WAN.
>>>>>>
>>>>>> Identifying the issue, cleansing the server if necessary, etc. Ouch...
>>>>>> You have my sympathy.
>>>>>>
>>>>>> I hope the problem is not wide-spread.
>>>>>>
>>>>>> Good luck (!)
>>>>>>
>>>>>> Best regards,
>>>>>> Chiaki
>>>>>>
>>>>>>
>>>>>> On 2019/08/01 18:10, Adrià Mercader wrote:
>>>>>>> Dear Chiaki,
>>>>>>>
>>>>>>> Thank you very much for your report. We are aware of the issue and working
>>>>>>> on a fix.
>>>>>>> Apologies for the inconvenience caused.
>>>>>>>
>>>>>>> Best regards,
>>>>>>>
>>>>>>> Adrià
>>>>>>>
>>>>>>> On Thu, 1 Aug 2019 at 11:08, 石川 千秋 <chiaki.ishikawa at ubin.jp> wrote:
>>>>>>>
>>>>>>>      Hi,
>>>>>>>
>>>>>>>      I finally found this security at ckan.org address.
>>>>>>>
>>>>>>>      It looks like there is a bug or possibility of web page defacing that
>>>>>>>      causes the access to https://ckan.org/ to automatically get redirected to
>>>>>>>      commercial mail order website web pages.
>>>>>>>
>>>>>>>      In Japan, when I search for "ckan.org" using google, the top several hits
>>>>>>>      are all about the mail order houses.
>>>>>>>
>>>>>>>      This was not the case at least a few days ago according to my colleagues.
>>>>>>>
>>>>>>>      TIA
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>      -------- Forwarded Message --------
>>>>>>>      Subject:        ckan.org top page defaced?
>>>>>>>      Date:   Thu, 1 Aug 2019 17:33:39 +0900
>>>>>>>      From:   ishikawa <chiaki.ishikawa at ubin.jp>
>>>>>>>      To:     webadmin at ckan.org, postmaster at ckan.org,
>>>>>>>      abuse at support.gandi.net, web-admin at ckan.org
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>      Dear sirs/madams,
>>>>>>>
>>>>>>>      By now, you must be aware that the top page access to https://ckan.org/ is
>>>>>>>      redirected to commercial sites (mail order houses).
>>>>>>>
>>>>>>>      When I search ckan.org using google, the
>>>>>>>      first several entries point to these commercial sites.
>>>>>>>
>>>>>>>      (However, the subdomains of ckan.org seem to be free
>>>>>>>      of such redirection.)
>>>>>>>
>>>>>>>      I work at an office where open data initiative at regional government
>>>>>>>      offices is supported, and some people noticed that clicking on
>>>>>>>      "Powered by CKAN" results in commercial site web pages since this
>>>>>>>      morning (Japan Standard Time).
>>>>>>>      The redirection may have happened last evening, but I am not sure.
>>>>>>>
>>>>>>>      I tried to send a message using a submission page at ckan.org
>>>>>>>      that could be accessed via, say,
>>>>>>>      clicking "Contact Us" web page of https://demo.ckan.org/ja/
>>>>>>>
>>>>>>>      As I mentioned, the subdomain seems to be free from this re-direction
>>>>>>>      attack (?).
>>>>>>>
>>>>>>>      Anyway, it would be great if you can alert ckan people since ckan is used
>>>>>>>      very widely all over the world by many government offices and people
>>>>>>>      tend to see "Powered by CKAN" logo and may click it.
>>>>>>>      If they see an unrelated commercial site web page
>>>>>>>      then, the reputation of CKAN or confidence in CKAN may diminish a bit :-(
>>>>>>>
>>>>>>>
>>>>>>>      Just thought to let you know about this unfortunate development.
>>>>>>>
>>>>>>>
>>>>>>>      I hope you can clear up this issue very soon.
>>>>>>>
>>>>>>>
>>>>>>>      Thank you in advance for your attention.
>>>>>>>
>>>>>>>      Regards,
>>>>>>>
>>>>>>>      Chiaki Ishikawa
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>      _______________________________________________
>>>>>>>      CKAN security
>>>>>>>      https://lists.okfn.org/mailman/listinfo/security
>>>>>>>      https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>>>>>>>
>>>>>>>      Repo: https://github.com/ckan/ckan-security
>>>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Goce Mitevski
>>>> Chief Design Officer,
>>>> Keitaro Inc.
>>>>
>>>> goce.mitevski at keitaro.com
>>>> http://www.keitaro.com/
>>
>>
>> --
>>
>> Goce Mitevski
>> Chief Design Officer,
>> Keitaro Inc.
>>
>> goce.mitevski at keitaro.com
>> http://www.keitaro.com/
>



