
Active SQL injection attack against some wikis
Closed, ResolvedPublic

Description

We noticed earlier high load and I/O on some servers and attempted unsuccessfully to block the UA.

We stayed stable all day but when discussing blocking them with @Paladox, @Reception123 posted:

https://toxicfandomsandhatedoms.miraheze.org/w/index.php?title=Pok%C3%A9mon_Sword_and_Shield_Hatedom&curid=1518+AND+(SELECT+8041+FROM(SELECT+COUNT(%2A),CONCAT(0x3a6f79753a,(SELECT+(CASE+WHEN+(8041%3D8041)+THEN+1+ELSE+0+END)),0x3a70687a3a,floor(rand(0)%2A2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)&diff=120112&oldid=119780

That's SQL; someone's trying (and, from the URLs I've checked this morning but not in depth, failing) to do an SQL injection attack.

I see entries straight from midnight for the IP, ending 16:47:44 on mw5. Mitigations were merged to puppet @ ~16:40. A grep for "SELECT" shows the same picture.

Current additional mitigations are:

  • Connections without a UserAgent or where UA = - are being 403'd
  • A temporary hack has been introduced to Phabricator to allow OAuth to work and use a valid UA.
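As an added example (not part of this task or of Miraheze's configuration), a small Python triage script that applies the two signals described above to web access log lines: index.php integer parameters that are non-numeric or carry SQL keywords, and a missing or "-" User-Agent. The log lines and IP addresses are constructed; the first line embeds the query string quoted in the description.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Apache/nginx "combined" log line: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# MediaWiki index.php parameters that must always be plain integers.
NUMERIC_PARAMS = {"curid", "diff", "oldid", "rcid", "pageid"}
SQL_RE = re.compile(r'\b(SELECT|UNION|INFORMATION_SCHEMA|CONCAT|SLEEP|BENCHMARK)\b', re.I)

def parse_log_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def check_request(target, ua):
    """Return the reasons a single request looks like the probing seen in this task."""
    findings = []
    if ua.strip() in ("", "-"):          # the UA rule from the mitigations list
        findings.append("missing_ua")
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in query.items():
        for value in values:             # parse_qs %-decodes and turns '+' into ' '
            if name in NUMERIC_PARAMS and not value.isdigit():
                findings.append(f"non_numeric_{name}")
            if SQL_RE.search(value):
                findings.append(f"sql_keywords_in_{name}")
    return findings

def triage(lines):
    """Map each client IP to the set of findings seen across its requests."""
    hits = {}
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        found = check_request(rec["target"], rec["ua"])
        if found:
            hits.setdefault(rec["ip"], set()).update(found)
    return hits

# Constructed sample lines; the first carries the query string quoted in the task description.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Aug/2020:16:47:44 +0000] "GET /w/index.php?title=Pok%C3%A9mon_Sword_and_Shield_Hatedom&curid=1518+AND+(SELECT+8041+FROM(SELECT+COUNT(%2A),CONCAT(0x3a6f79753a,(SELECT+(CASE+WHEN+(8041%3D8041)+THEN+1+ELSE+0+END)),0x3a70687a3a,floor(rand(0)%2A2))x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)&diff=120112&oldid=119780 HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.7 - - [03/Aug/2020:16:47:45 +0000] "GET /w/index.php?title=Main_Page&curid=1 HTTP/1.1" 200 2048 "-" "-"',
    '198.51.100.9 - - [03/Aug/2020:16:48:01 +0000] "GET /w/index.php?title=Main_Page&diff=120112&oldid=119780 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_LOG).items():
        print(ip, sorted(reasons))
```

The keyword rule alone would also flag legitimate page titles that happen to contain a word like "Concat", so the non-numeric check on integer-only parameters is the stronger signal of the two.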

Event Timeline

RhinosF1 triaged this task as Unbreak Now! priority.Aug 3 2020, 16:43
RhinosF1 created this task.
RhinosF1 created this object in space Restricted Space.
RhinosF1 created this object with visibility "acl*security (Project)".

Noting that @Paladox has now restricted them to 403.

Since Paladox is on holiday, SPF doing a review is probably best.

RhinosF1 added a comment.Aug 3 2020, 17:13

A quick google shows a few varnish features that can prevent and 403 any attempts. Maybe we should look at that closer?

RhinosF1 renamed this task from Active SQL injection attack against some wikis to SQL injection attack against some wikis ending 03-08-2020.Aug 3 2020, 21:29
RhinosF1 updated the task description.
RhinosF1 renamed this task from SQL injection attack against some wikis ending 03-08-2020 to Active SQL injection attack against some wikis.Aug 4 2020, 08:30

They're back, see sre@ email.

RhinosF1 added a comment.Aug 4 2020, 09:19

Abuse report filed with all 3 orgs whose hosting they're using.

Southparkfan lowered the priority of this task from Unbreak Now! to High.Aug 6 2020, 21:17

Not observing now, monitoring phase for now.

Southparkfan closed this task as Resolved.Aug 13 2020, 20:03
Southparkfan shifted this object from the Restricted Space space to the S1 Public space.
Southparkfan changed the visibility from "acl*security (Project)" to "Public (No Login Required)".