[CKAN-Security] Fwd: ckan.org top page defaced?

石川 千秋 chiaki.ishikawa at ubin.jp
Mon Aug 5 08:10:29 UTC 2019


Dear Goce,

On 2019/08/05 16:26, Goce Mitevski wrote:
> Hi Chiaki,
>
> Thanks for the update.
>
> Are things still looking good and clean on your side?

Yes, they are looking good and clean now at 17:00 Japanese Standard Time.

Google cache is now clean, too. No more results that show mail order houses
when I search "ckan.org" without quotes.

>> A new vulnerability or vulnerabilities must have been found by the black hats in the meantime.
> Maybe. I did some research and I can't find anything other than the
> vulnerability reported in 2013. I will for sure report this.

Right, I also could find only the 2013 vulnerability.

Your reporting of the problem to relevant parties will be appreciated by
many (some blogs mention millions of websites and I suspect it is true).

Again, thank you for looking into the matter, and I hope you were able to take a
nice rest last night.

> Regards,
> Goce Mitevski
>
BTW, I noticed your affiliation, Keitaro Inc.
That name sounds very Japanese (I mean it *is* a Japanese boy's name).

Is the company in Japan? No, I don't think so. If it were, you wouldn't have needed to ask
me to check the Google cache as seen by me in Japan.
If the name has a meaning in another language, what a coincidence (!)

By the way, I was looking at Google search result and noticed this link on
the 2nd page of the search result (searching for "ckan.org").

https://ckan-tokyochallenge.odpt.org/

This is related to a series of open data contests which my employer has
helped to organize for the last couple of years
as an active member of the Association for Open Data of Public Transportation.

The current contest is the third installment now.
https://tokyochallenge.odpt.org/en/index.html

As the name "https://ckan-tokyochallenge.odpt.org/" suggests, our engineers
have used ckan as the front end to publish open data.

Thank you for the great package which you and your colleagues have made
available to the world community.

I hope the last week's incident has not impacted your operation too much.
But obviously it consumed part of your weekend... Tough luck.

To be honest, I was a bit embarrassed to see that the mail order house web
page had Japanese content when I saw it. Maybe I should have created a
screen capture (!) I forgot. Ouch. I am not sure if the perpetrator of the
malware injection is from Japan or not.

If I can be of any further help, please let me know.
I can give you moral support at least :-)

Best Regards,

Chiaki Ishikawa

Senior Researcher/International Liaison
YRP Ubiquitous Networking Laboratory
https://www.ubin.jp/

(Sorry the web is not very verbose in English.)


> On Sun, Aug 4, 2019 at 3:24 AM chiaki-ishikawa-thunderbird-account
> <chiaki.ishikawa at ubin.jp> wrote:
>> Dear Goce,
>>
>> Hi, this is Chiaki again.
>>
>> This is past 10:00 o'clock in Japan.
>>
>> The https://ckan.org looks good and clean (!)
>>
>> Google search for "ckan.org" from Yokohama, Japan (about 50 km south of
>> Tokyo) does not show the redirected result any more.
>>
>> Great.
>>
>> As for 'wp-super-cache/wp-cache.php', I have no idea if a new
>> vulnerability is known to the security community.
>> There is a five-year-old web page I could find about its vulnerability
>> in the past:
>> https://www.inmotionhosting.com/support/news/archived/wordpress-w3-total-cache-and-wp-super-cache-vulnerability
>>
>> A new vulnerability or vulnerabilities must have been found by the black
>> hats in the meantime.
>> You may want to report the problem to
>> - the authors of wp-super-cache,
>> - CERT-like organizations of where you live,
>> - US-CERT itself, etc. or
>> - all of the above.
>>
>> Why would anyone want to deface ckan.org? I can't think of a reason, but
>> maybe a good connectivity (bandwidth), a good popularity, and above all
>> the site that is using the vulnerable cache plugin(s) may be attacked
>> randomly.
>> If my conjecture is correct, there may be more reports of similar
>> defacing in the press soon.
>>
>> I hope you can take a rest now.
>>
>> Regards,
>> Chiaki
>>
>>
>> On 2019/08/04 2:19, Goce Mitevski wrote:
>>> Hi everyone,
>>>
>>> I've been struggling to restore the blogfarm all day long and I think
>>> I'm finally into some important findings.
>>>
>>> I noticed that for the past few hours only one file was continuously
>>> exploited - wp-super-cache/wp-cache.php. That is a file that belongs
>>> to the WP Super Cache plugin and this plugin is obviously one possible
>>> point of attack. I deactivated and removed it across the blogfarm.
>>> That should close at least one hole and if that's the only one the
>>> attacker uses, the problems might finally be resolved for good.
>>>
>>> In the meantime, I verified the checksums for all WordPress instances
>>> and plugins across the blogfarm and all is clear.
>>>
>>> Do let me know if you don't see search results slowly recovering in
>>> the next few hours.
>>>
>>> Regards,
>>> Goce
>>>
>>>
>>> On Sat, Aug 3, 2019 at 6:04 PM chiaki-ishikawa-thunderbird-account
>>> <chiaki.ishikawa at ubin.jp> wrote:
>>>> Hi all,
>>>>
>>>> It is past midnight, 01:00 am in Japan.
>>>>
>>>> I am afraid the redirection of https://ckan.org has come back (!?).
>>>>
>>>> I believe whoever had the way to inject the malicious code in the first
>>>> place still has the
>>>> path through which the injection was done, or may have a new path or new
>>>> paths.
>>>> Hmm...
>>>>
>>>>
>>>> Have you heard any news from other regions of the world?
>>>> If I am not mistaken, the redirection code may have the intelligence to
>>>> show me a webpage of a mail order house that is written in Japanese.
>>>> I am afraid the injection code writer may be a skilled person who
>>>> incorporated the
>>>> intelligence to check the origin of access and show a proper website
>>>> (i.e., pick up a language spoken in the accessing user's region/country).
>>>> That a malicious code shows me a Japanese web page doesn't seem to be a
>>>> simple coincidence.
>>>>
>>>> TIA
>>>>
>>>>
>>>> Chiaki
>>>>
>>>>
>>>> On 2019/08/03 21:46, David Read wrote:
>>>>> Much appreciated, Goce,
>>>>> David
>>>>>
>>>>> On Fri, 2 Aug 2019 at 20:13, Goce Mitevski <goce.mitevski at keitaro.com> wrote:
>>>>>> I am working on it and the problems are still not resolved entirely.
>>>>>>
>>>>>> Regards,
>>>>>> Goce
>>>>>>
>>>>>> On Fri, Aug 2, 2019 at 6:07 PM David Read
>>>>>>
>>>>>> <david.read at hackneyworkshop.com> wrote:
>>>>>>> Great, thanks Goce.
>>>>>>>
>>>>>>> I looked yesterday 2 hours after Chiaki's initial report and also
>>>>>>> didn't see anything wrong. So I guess Adria and co fixed this quickly.
>>>>>>>
>>>>>>> David
>>>>>>>
>>>>>>> On Fri, 2 Aug 2019 at 15:23, Goce Mitevski <goce.mitevski at keitaro.com> wrote:
>>>>>>>> Hi David,
>>>>>>>>
>>>>>>>> The malicious code and the filesystem was cleaned in the meantime.
>>>>>>>> That's why you can't notice anything different at the moment.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Goce Mitevski
>>>>>>>>
>>>>>>>> On Fri, Aug 2, 2019 at 4:29 PM David Read
>>>>>>>> <david.read at hackneyworkshop.com> wrote:
>>>>>>>>> It looks fine to me. What am I missing?
>>>>>>>>> David
>>>>>>>>>
>>>>>>>>> On Thu, 1 Aug 2019 at 23:19, 石川 千秋 <chiaki.ishikawa at ubin.jp> wrote:
>>>>>>>>>> Dear Adrià,
>>>>>>>>>>
>>>>>>>>>> You are welcome.
>>>>>>>>>>
>>>>>>>>>> I am glad that you are aware of the problem.
>>>>>>>>>> When one of my colleagues approached me late afternoon in Japan saying that
>>>>>>>>>> something is wrong with ckan.org website and I myself accessed the URL,
>>>>>>>>>> my jaw dropped.
>>>>>>>>>>
>>>>>>>>>> We help some government agencies' open data initiative in Japan.
>>>>>>>>>> Already, the cabinet office's web page disabled the "Powered by ckan" link.
>>>>>>>>>> They have the staff manpower to do that. I am afraid my colleagues need to
>>>>>>>>>> talk with people at Tokyo Metropolitan government and other ckan site
>>>>>>>>>> people regarding this issue.
>>>>>>>>>>
>>>>>>>>>> I am afraid that this event put a rather negative publicity on ckan. That is
>>>>>>>>>> why I wanted to make sure that CKAN people are aware ASAP.
>>>>>>>>>>
>>>>>>>>>> I hope you can resolve the issue at the earliest time.
>>>>>>>>>>
>>>>>>>>>> At the same time, I know how you feel.
>>>>>>>>>> I have done a sysadmin-like job in my previous office, and a self-appointed
>>>>>>>>>> admin of a rather complex home LAN/WAN.
>>>>>>>>>>
>>>>>>>>>> Identifying the issue, cleansing the server if necessary, etc. Ouch...
>>>>>>>>>> You have my sympathy.
>>>>>>>>>>
>>>>>>>>>> I hope the problem is not wide-spread.
>>>>>>>>>>
>>>>>>>>>> Good luck (!)
>>>>>>>>>>
>>>>>>>>>> Best regards,
>>>>>>>>>> Chiaki
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 2019/08/01 18:10, Adrià Mercader wrote:
>>>>>>>>>>> Dear Chiaki,
>>>>>>>>>>>
>>>>>>>>>>> Thank you very much for your report. We are aware of the issue and working
>>>>>>>>>>> on a fix.
>>>>>>>>>>> Apologies for the inconvenience caused.
>>>>>>>>>>>
>>>>>>>>>>> Best regards,
>>>>>>>>>>>
>>>>>>>>>>> Adrià
>>>>>>>>>>>
>>>>>>>>>>> On Thu, 1 Aug 2019 at 11:08, 石川 千秋 <chiaki.ishikawa at ubin.jp> wrote:
>>>>>>>>>>>
>>>>>>>>>>>       Hi,
>>>>>>>>>>>
>>>>>>>>>>>       I finally found this security at ckan.org address.
>>>>>>>>>>>
>>>>>>>>>>>       It looks like there is a bug or possibility of web page defacing that
>>>>>>>>>>>       causes access to https://ckan.org/ to be automatically redirected to
>>>>>>>>>>>       commercial mail order website web pages.
>>>>>>>>>>>
>>>>>>>>>>>       In Japan, when I search for "ckan.org" using Google, the top several hits
>>>>>>>>>>>       are all about the mail order houses.
>>>>>>>>>>>
>>>>>>>>>>>       This was not the case at least a few days ago according to my colleagues.
>>>>>>>>>>>
>>>>>>>>>>>       TIA
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>       -------- Forwarded Message --------
>>>>>>>>>>>       Subject:        ckan.org top page defaced?
>>>>>>>>>>>       Date:   Thu, 1 Aug 2019 17:33:39 +0900
>>>>>>>>>>>       From:   ishikawa <chiaki.ishikawa at ubin.jp>
>>>>>>>>>>>       To:     webadmin at ckan.org, postmaster at ckan.org,
>>>>>>>>>>>       abuse at support.gandi.net, web-admin at ckan.org
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>       Dear sirs/madams,
>>>>>>>>>>>
>>>>>>>>>>>       By now, you must be aware that the top page access to https://ckan.org/ is
>>>>>>>>>>>       redirected to commercial sites (mail order houses).
>>>>>>>>>>>
>>>>>>>>>>>       When I search ckan.org using Google, the
>>>>>>>>>>>       first several entries point to these commercial sites.
>>>>>>>>>>>
>>>>>>>>>>>       (However, the subdomains of ckan.org seem to be free
>>>>>>>>>>>       of such redirection.)
>>>>>>>>>>>
>>>>>>>>>>>       I work at an office where open data initiatives at regional government
>>>>>>>>>>>       offices are supported, and
>>>>>>>>>>>       some people noticed that clicking on "Powered by CKAN" results in
>>>>>>>>>>>       commercial site web pages since this morning (Japan Standard Time).
>>>>>>>>>>>       The redirection may have happened last evening, but I am not sure.
>>>>>>>>>>>
>>>>>>>>>>>       I tried to send a message using a submission page at ckan.org that could be
>>>>>>>>>>>       accessed via, say,
>>>>>>>>>>>       clicking the "Contact Us" web page of https://demo.ckan.org/ja/
>>>>>>>>>>>
>>>>>>>>>>>       As I mentioned, the subdomain seems to be free from this re-direction
>>>>>>>>>>>       attack
>>>>>>>>>>>       (?).
>>>>>>>>>>>
>>>>>>>>>>>       Anyway, it would be great if you can alert ckan people since ckan is used
>>>>>>>>>>>       very widely all over the world by many government offices and people
>>>>>>>>>>>       tend to
>>>>>>>>>>>       see "Powered by CKAN"
>>>>>>>>>>>       logo and may click it. If they see an unrelated commercial site web page
>>>>>>>>>>>       then, the reputation of CKAN or confidence in CKAN may diminish a bit :-(
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>       Just thought to let you know about this unfortunate development.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>       I hope you can clear up this issue very soon.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>       Thank you in advance for your attention.
>>>>>>>>>>>
>>>>>>>>>>>       Regards,
>>>>>>>>>>>
>>>>>>>>>>>       Chiaki Ishikawa
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>       _______________________________________________
>>>>>>>>>>>       CKAN security
>>>>>>>>>>>       https://lists.okfn.org/mailman/listinfo/security
>>>>>>>>>>>       https://lists.okfn.org/mailman/options/security/adria.mercader%40okfn.org
>>>>>>>>>>>
>>>>>>>>>>>       Repo: https://github.com/ckan/ckan-security
>>>>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>> Goce Mitevski
>>>>>>>> Chief Design Officer,
>>>>>>>> Keitaro Inc.
>>>>>>>>
>>>>>>>> goce.mitevski at keitaro.com
>>>>>>>> http://www.keitaro.com/
>



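The redirect discussed in this thread was seen by a user in Japan and by Google's index, but list members checking from elsewhere saw a clean page. That is the signature of a cloaking script that keys on request headers (User-Agent, Accept-Language, Referer) and only redirects the visitors it wants to monetize. The script below is an added example for checking a site for that behaviour; it is not code from the CKAN project or from anyone on this thread. It fetches one URL under several client profiles without following redirects, extracts any Location header or meta-refresh/JavaScript redirect from the body, and reports which profiles are sent elsewhere. The profile header strings, the `shop.example.invalid` host and the function names are assumptions made up for the illustration.

```python
"""Probe one URL under several client profiles and flag header-keyed cloaking.

Added example, not CKAN or WordPress project code. Assumptions: the cloaking
script decides based on User-Agent / Accept-Language / Referer, and the
redirect is either an HTTP 3xx, a <meta http-equiv="refresh"> or a
JavaScript location change. User-Agent strings are illustrative only.
"""
import re
import urllib.request
from collections import Counter
from urllib.error import HTTPError

_FF = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0"

# Profiles chosen to mirror the thread: a crawler, a Japanese-language browser,
# an English browser, a visitor arriving from Google, and a bare curl (what an
# admin checking from a shell would look like, and what saw nothing wrong).
PROFILES = {
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "browser-ja": {"User-Agent": _FF, "Accept-Language": "ja,en;q=0.5"},
    "browser-en": {"User-Agent": _FF, "Accept-Language": "en-US,en;q=0.5"},
    "from-search": {"User-Agent": _FF, "Accept-Language": "en-US,en;q=0.5", "Referer": "https://www.google.com/"},
    "curl": {"User-Agent": "curl/7.64.0"},
}

_META_REFRESH = re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)
_JS_LOCATION = re.compile(r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
_JS_REPLACE = re.compile(r'location\.replace\(\s*["\']([^"\']+)["\']', re.I)


def client_side_redirect(body):
    """Return the target of a meta-refresh or JavaScript redirect in an HTML body, else None."""
    for pat in (_META_REFRESH, _JS_LOCATION, _JS_REPLACE):
        m = pat.search(body)
        if m:
            return m.group(1)
    return None


class _NoFollow(urllib.request.HTTPRedirectHandler):
    """Decline to follow 3xx so the Location header surfaces to us as an HTTPError."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, headers, timeout=10):
    """One request; returns (status, Location header or None, first 64 KiB of body)."""
    opener = urllib.request.build_opener(_NoFollow)
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read(65536).decode("utf-8", "replace")
    except HTTPError as err:  # a 3xx lands here because _NoFollow refused to follow it
        return err.code, err.headers.get("Location"), ""


def probe(url, fetch_fn=fetch):
    """Fetch url under every profile and record where each one is sent (None = not redirected)."""
    seen = {}
    for name, headers in PROFILES.items():
        status, location, body = fetch_fn(url, headers)
        seen[name] = {"status": status, "target": location or client_side_redirect(body)}
    return seen


def is_cloaked(seen):
    """True when the profiles disagree on the destination, i.e. some are being singled out."""
    return len({r["target"] for r in seen.values()}) > 1


def cloaked_profiles(seen):
    """Names of the profiles whose destination differs from what most profiles get."""
    common = Counter(r["target"] for r in seen.values()).most_common(1)[0][0]
    return sorted(name for name, r in seen.items() if r["target"] != common)


if __name__ == "__main__":
    import sys
    url = sys.argv[1] if len(sys.argv) > 1 else "https://ckan.org/"
    seen = probe(url)
    for name, r in seen.items():
        print(f"{name:12} {r['status']} -> {r['target'] or '(no redirect)'}")
    print("cloaked:", is_cloaked(seen), cloaked_profiles(seen))
```

Run it as `python3 probe.py https://ckan.org/`; a clean site reports `cloaked: False` with no redirect under any profile, and the Japanese-browser and from-search profiles are the ones to watch in an incident like this one. The checksum step Goce describes corresponds to WP-CLI's `wp core verify-checksums` and `wp plugin verify-checksums --all`, which compare against the wordpress.org release files. They will catch a modified wp-cache.php, but not a PHP file dropped outside core or a wordpress.org-hosted plugin (wp-content/uploads, a custom theme, an .htaccess rewrite), so a filesystem diff against a known-good copy is still needed to close the re-entry path the thread worries about.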