[CKAN-Security] Fwd: ckan.org top page defaced?

chiaki-ishikawa-thunderbird-account chiaki.ishikawa at ubin.jp
Sun Aug 4 01:24:01 UTC 2019


Dear Goce,

Hi, this is Chiaki again.

It is past 10 o'clock in Japan.

The https://ckan.org looks good and clean (!)

Google search for "ckan.org" from Yokohama, Japan (about 50 km south of 
Tokyo) does not show the redirected result any more.

Great.

As for 'wp-super-cache/wp-cache.php', I have no idea if a new 
vulnerability is known to the security community.
There is a five-year-old web page I could find about its vulnerability 
in the past:
https://www.inmotionhosting.com/support/news/archived/wordpress-w3-total-cache-and-wp-super-cache-vulnerability

A new vulnerability or vulnerabilities must have been found by the black 
hats in the meantime.
You may want to report the problem to
- the authors of wp-super-cache,
- CERT-like organizations of where you live,
- US-CERT itself, etc. or
- all of the above.

Why would anyone want to deface ckan.org? I can't think of a reason, but 
maybe good connectivity (bandwidth), good popularity, and above all
the fact that the site is using the vulnerable cache plugin(s) mean it may be attacked 
randomly.
If my conjecture is correct, there may be more reports of similar 
defacing in the press soon.

I hope you can take a rest now.

Regards,
Chiaki


On 2019/08/04 2:19, Goce Mitevski wrote:
> Hi everyone,
>
> I've been struggling to restore the blogfarm all day long and I think
> I'm finally onto some important findings.
>
> I noticed that for the past few hours only one file was continuously
> exploited - wp-super-cache/wp-cache.php. That is a file that belongs
> to the WP Super Cache plugin and this plugin is obviously one possible
> point of attack. I deactivated and removed it across the blogfarm.
> That should close at least one hole and, if that's the only one the
> attacker uses, the problems might finally be resolved for good.
>
> In the meantime, I verified the checksums for all WordPress instances
> and plugins across the blogfarm and all is clear.
>
> Do let me know if you don't see search results slowly recovering in
> the next few hours.
>
> Regards,
> Goce
>
> On Sat, Aug 3, 2019 at 6:04 PM chiaki-ishikawa-thunderbird-account
> <chiaki.ishikawa at ubin.jp> wrote:
>> Hi all,
>>
>> It is past midnight, 01:00 am in Japan.
>>
>> I am afraid the redirection of https://ckan.org comes back (!?).
>>
>> I believe whoever had the way to inject the malicious code in the first
>> place still has the path through which the injection was done, or may
>> have a new path or new paths.
>> Hmm...
>>
>>
>> Have you heard any news from other regions of the world?
>> If I am not mistaken, the redirection code may have the intelligence to
>> show me a web page of a mail order house that is written in Japanese.
>> I am afraid the injection code writer may be a skilled person who
>> incorporated the intelligence to check the origin of access and show
>> the proper website (i.e., pick a language spoken in the accessing
>> user's region/country).
>> That malicious code shows me a Japanese web page doesn't seem to be a
>> simple coincidence.
>>
>> TIA
>>
>>
>> Chiaki
>>
>>
>> On 2019/08/03 21:46, David Read wrote:
>>> Much appreciated, Goce,
>>> David
>>>
>>> On Fri, 2 Aug 2019 at 20:13, Goce Mitevski <goce.mitevski at keitaro.com> wrote:
>>>> I am working on it and the problems are still not resolved entirely.
>>>>
>>>> Regards,
>>>> Goce
>>>>
>>>> On Fri, Aug 2, 2019 at 6:07 PM David Read
>>>>
>>>> <david.read at hackneyworkshop.com> wrote:
>>>>> Great, thanks Goce.
>>>>>
>>>>> I looked yesterday 2 hours after Chiaki's initial report and also
>>>>> didn't see anything wrong. So I guess Adria and co fixed this quickly.
>>>>>
>>>>> David
>>>>>
>>>>> On Fri, 2 Aug 2019 at 15:23, Goce Mitevski <goce.mitevski at keitaro.com> wrote:
>>>>>> Hi David,
>>>>>>
>>>>>> The malicious code and the filesystem were cleaned in the meantime.
>>>>>> That's why you can't notice anything different at the moment.
>>>>>>
>>>>>> Regards,
>>>>>> Goce Mitevski
>>>>>>
>>>>>> On Fri, Aug 2, 2019 at 4:29 PM David Read
>>>>>> <david.read at hackneyworkshop.com> wrote:
>>>>>>> It looks fine to me. What am I missing?
>>>>>>> David
>>>>>>>
>>>>>>> On Thu, 1 Aug 2019 at 23:19, 石川 千秋 <chiaki.ishikawa at ubin.jp> wrote:
>>>>>>>> Dear Adrià,
>>>>>>>>
>>>>>>>> You are welcome.
>>>>>>>>
>>>>>>>> I am glad that you are aware of the problem.
>>>>>>>> When one of my colleagues approached me late in the afternoon in Japan saying that
>>>>>>>> something was wrong with the ckan.org website and I myself accessed the URL,
>>>>>>>> my jaw dropped.
>>>>>>>>
>>>>>>>> We help some government agencies' open data initiative in Japan.
>>>>>>>> Already, the cabinet office's web page disabled the "Powered by ckan" link.
>>>>>>>> They have the staff man-power to do that. I am afraid my colleagues need to
>>>>>>>> talk with people at the Tokyo Metropolitan Government and other ckan site
>>>>>>>> people regarding this issue.
>>>>>>>>
>>>>>>>> I am afraid that this event puts rather negative publicity on ckan. That is
>>>>>>>> why I wanted to make sure that CKAN people are aware ASAP.
>>>>>>>>
>>>>>>>> I hope you can resolve the issue at the earliest time.
>>>>>>>>
>>>>>>>> At the same time, I know how you feel.
>>>>>>>> I have done a sysadmin-like job in my previous office, and a self-appointed
>>>>>>>> admin of a rather complex home LAN/WAN.
>>>>>>>>
>>>>>>>> Identifying the issue, cleansing the server if necessary, etc. Ouch...
>>>>>>>> You have my sympathy.
>>>>>>>>
>>>>>>>> I hope the problem is not widespread.
>>>>>>>>
>>>>>>>> Good luck (!)
>>>>>>>>
>>>>>>>> Best regards,
>>>>>>>> Chiaki
>>>>>>>>
>>>>>>>>
>>>>>>>> On 2019/08/01 18:10, Adrià Mercader wrote:
>>>>>>>>> Dear Chiaki,
>>>>>>>>>
>>>>>>>>> Thank you very much for your report. We are aware of the issue and working
>>>>>>>>> on a fix.
>>>>>>>>> Apologies for the inconvenience caused.
>>>>>>>>>
>>>>>>>>> Best regards,
>>>>>>>>>
>>>>>>>>> Adrià
>>>>>>>>>
>>>>>>>>> On Thu, 1 Aug 2019 at 11:08, 石川 千秋 <chiaki.ishikawa at ubin.jp> wrote:
>>>>>>>>>
>>>>>>>>>       Hi,
>>>>>>>>>
>>>>>>>>>       I finally found this security at ckan.org address.
>>>>>>>>>
>>>>>>>>>       It looks like there is a bug or the possibility of web page defacing that
>>>>>>>>>       causes access to https://ckan.org/ to automatically get redirected to
>>>>>>>>>       commercial mail order website web pages.
>>>>>>>>>
>>>>>>>>>       In Japan, when I search for "ckan.org" using google, the top several hits
>>>>>>>>>       are all about the mail order houses.
>>>>>>>>>
>>>>>>>>>       This was not the case at least a few days ago according to my colleagues.
>>>>>>>>>
>>>>>>>>>       TIA
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>       -------- Forwarded Message --------
>>>>>>>>>       Subject:        ckan.org top page defaced?
>>>>>>>>>       Date:   Thu, 1 Aug 2019 17:33:39 +0900
>>>>>>>>>       From:   ishikawa <chiaki.ishikawa at ubin.jp>
>>>>>>>>>       To:     webadmin at ckan.org, postmaster at ckan.org,
>>>>>>>>>       abuse at support.gandi.net, web-admin at ckan.org
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>       Dear sirs/madams,
>>>>>>>>>
>>>>>>>>>       By now, you must be aware that the top page access to https://ckan.org/ is
>>>>>>>>>       redirected to commercial sites (mail order houses).
>>>>>>>>>
>>>>>>>>>       When I search ckan.org using google, the
>>>>>>>>>       first several entries point to these commercial sites.
>>>>>>>>>
>>>>>>>>>       (However, the subdomains of ckan.org seem to be free
>>>>>>>>>       of such redirection.)
>>>>>>>>>
>>>>>>>>>       I work at an office where the open data initiative at regional government
>>>>>>>>>       offices is supported, and some people noticed that clicking on
>>>>>>>>>       "Powered by CKAN" results in commercial site web pages since this
>>>>>>>>>       morning (Japan Standard Time).
>>>>>>>>>       The redirection may have happened last evening, but I am not sure.
>>>>>>>>>
>>>>>>>>>       I tried to send a message using a submission page at ckan.org
>>>>>>>>>       that could be accessed via, say, clicking the "Contact Us" web page
>>>>>>>>>       of https://demo.ckan.org/ja/
>>>>>>>>>
>>>>>>>>>       As I mentioned, the subdomain seems to be free from this re-direction
>>>>>>>>>       attack (?).
>>>>>>>>>
>>>>>>>>>       Anyway, it would be great if you can alert ckan people since ckan is used
>>>>>>>>>       very widely all over the world by many government offices, and people
>>>>>>>>>       tend to see the "Powered by CKAN" logo and may click it. If they then
>>>>>>>>>       see an unrelated commercial site web page, the reputation of CKAN
>>>>>>>>>       or confidence in CKAN may diminish a bit :-(
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>       Just thought to let you know about this unfortunate development.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>       I hope you can clear up this issue very soon.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>       Thank you in advance for your attention.
>>>>>>>>>
>>>>>>>>>       Regards,
>>>>>>>>>
>>>>>>>>>       Chiaki Ishikawa
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>       _______________________________________________
>>>>>>>>>       CKAN security
>>>>>>>>>       https://lists.okfn.org/mailman/listinfo/security
>>>>>>>>>       https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>>>>>>>>>
>>>>>>>>>       Repo: https://github.com/ckan/ckan-security
>>>>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Goce Mitevski
>>>>>> Chief Design Officer,
>>>>>> Keitaro Inc.
>>>>>>
>>>>>> goce.mitevski at keitaro.com
>>>>>> http://www.keitaro.com/
>>>>
>
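Chiaki's observation above (the injected redirect seemed to fire only for visitors it judged to be in Japan) describes cloaking, and the practical way to confirm or rule it out is to request the same page with several header profiles and compare where each one lands. The script below is an added illustration and is not code from this thread, from the CKAN project or from WordPress. The header profiles and the fake "cloaked site" used in the demo are constructed assumptions; the real fetcher issues one request per profile without following redirects, so a defender can see the raw Location header each visitor type would receive.

```python
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Constructed probe profiles (our own naming): each varies one signal that a
# conditional redirect might key on, such as preferred language, search-engine
# referrer, or a crawler user agent.
PROFILES = {
    "browser-en": {"User-Agent": "Mozilla/5.0", "Accept-Language": "en-US,en;q=0.9"},
    "browser-ja": {"User-Agent": "Mozilla/5.0", "Accept-Language": "ja,en;q=0.5"},
    "search-referrer-ja": {"User-Agent": "Mozilla/5.0", "Accept-Language": "ja",
                           "Referer": "https://www.google.co.jp/"},
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)",
                "Accept-Language": "en"},
}


def http_fetch(url, headers, timeout=10):
    """Issue one request and return (status, Location) without following redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # makes urllib surface the 3xx as an HTTPError instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    request = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(request, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def probe(url, profiles=PROFILES, fetch=http_fetch):
    """Fetch `url` once per profile; map profile name -> (status, redirect host or None)."""
    results = {}
    for name, headers in profiles.items():
        status, location = fetch(url, headers)
        results[name] = (status, urlparse(location).netloc if location else None)
    return results


def offsite_redirects(results, site_host):
    """Profile names that were redirected off the site's own host.

    Any non-empty result deserves attention; a result that differs between
    profiles (for example only the Japanese-language ones) is the cloaking signal.
    """
    return sorted(name for name, (status, host) in results.items()
                  if 300 <= status < 400 and host and not host.endswith(site_host))


def _fake_cloaked_site(url, headers):
    """Constructed stand-in for an injected, region-aware redirect (no network used):
    only visitors preferring Japanese are sent to a placeholder off-site host."""
    if headers.get("Accept-Language", "").startswith("ja"):
        return 302, "https://shop.example/landing"  # placeholder target, not a real site
    return 200, None


def demo():
    """Run the probe against the fake site; returns the profiles that left ckan.org."""
    results = probe("https://ckan.org/", fetch=_fake_cloaked_site)
    return offsite_redirects(results, "ckan.org")


if __name__ == "__main__":
    print("profiles redirected off-site:", demo())
```

Against a real host you would call `probe("https://ckan.org/")` with the default fetcher; because each request is made from one vantage point, it is worth repeating the run from a second network or through a proxy in the suspected region, since a redirect can also key on the source IP rather than on request headers.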

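Goce's recovery step of verifying checksums across the blog farm, and the fact that one plugin file kept being re-exploited, are a good fit for a tree-integrity check that reports three things: known files whose content changed, known files that disappeared, and files on disk that no trusted manifest ever listed. The script below is an added example, not code from this thread or from the CKAN or WordPress projects. The sample plugin tree, file contents and the tampering it simulates are all constructed; in practice the manifest comes from a trusted baseline such as a freshly downloaded plugin archive or the published checksums for the exact version installed (for WordPress core, WP-CLI's `wp core verify-checksums` performs the same comparison).

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_tree(root, manifest):
    """Compare every file under `root` with `manifest` ({relative path: sha256}).

    Returns three sorted lists: files whose content changed, files the manifest
    expects but that are gone, and files present on disk that the manifest never
    listed (this last group is where dropped-in scripts show up).
    """
    root = Path(root)
    present = {p.relative_to(root).as_posix(): sha256_of(p)
               for p in root.rglob("*") if p.is_file()}
    return {
        "modified": sorted(f for f, h in manifest.items() if f in present and present[f] != h),
        "missing": sorted(f for f in manifest if f not in present),
        "unexpected": sorted(f for f in present if f not in manifest),
    }


SERVER_SIDE_EXT = (".php", ".phtml", ".phar")


def review_first(report):
    """Unexpected files the web server would execute; triage these before anything else."""
    return [f for f in report["unexpected"] if f.lower().endswith(SERVER_SIDE_EXT)]


def demo():
    """Constructed scenario: snapshot a clean plugin tree, tamper with it, verify it again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean = {  # constructed sample content, not the real plugin files
            "wp-super-cache/wp-cache.php": b"<?php // plugin entry point (sample)\n",
            "wp-super-cache/wp-cache-phase1.php": b"<?php // phase1 (sample)\n",
            "wp-super-cache/readme.txt": b"sample readme\n",
        }
        for rel, data in clean.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        manifest = {rel: sha256_of(root / rel) for rel in clean}  # trusted baseline

        # Simulated compromise: code appended to the file the thread names,
        # one file removed, and an extra script dropped beside the plugin.
        (root / "wp-super-cache/wp-cache.php").write_bytes(
            clean["wp-super-cache/wp-cache.php"] + b"/* appended content (sample) */\n")
        (root / "wp-super-cache/readme.txt").unlink()
        (root / "wp-super-cache/extra.php").write_bytes(b"<?php // dropped-in file (sample)\n")

        report = verify_tree(root, manifest)
        return report, review_first(report)


if __name__ == "__main__":
    report, triage = demo()
    for kind, files in report.items():
        print(f"{kind}: {files}")
    print("review first:", triage)
```

The check is only as good as the baseline: the manifest must be taken from a copy you trust, never from the server after the incident, and it should cover writable locations such as uploads and cache directories, since those are where an "unexpected" executable file is most likely to land.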