Opened 3 years ago
Closed 3 years ago
#671 closed Bug / Defect (fixed)
Your website seems broken/hacked
| Reported by: | Warix3 | Owned by: | Samuli Seppänen |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | Community services | Version: | |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
| Cc: |
Description
This part of your website looks hacked: https://community.openvpn.net/openvpn/wiki/FAQ
Attachments (1)
Change History (7)
Changed 3 years ago by
| Attachment: | Screenshot_5.png added |
|---|
comment:1 Changed 3 years ago by
| Owner: | set to Samuli Seppänen |
|---|---|
| Status: | new → assigned |
| Version: | 2.2.2 |
Nothing got hacked. This is a wiki, people can change things.
That said, I reverted the offending change. Samuli, can you block the user that cause the changes? (see rev 17 of the FAQ page)
comment:2 Changed 3 years ago by
I think you should first review edits people make. If anyone can edit it like that.
comment:3 Changed 3 years ago by
Warix3: yes, anyone can make edits like that. We get maybe one spam every month or so, usually to the Trac front page. I have automated monitoring on that page, so I can revert the bad changes quickly. Then there is the occasional spam ticket.
In any case forcing reviews would, imho, do way more harm than good. For example, you could not have reported this issue without us reviewing it first. And the reviews would take way more time than occasionally reverting a bad change. That said, it would make sense to monitor all the changes made to Trac so that bad ones could be detected and reverted more quickly.
Syzzer: I gave up on blocking these users a while back. I can't recall any of them ever coming back. And even if they did, they could create a new account in a minute or so.
comment:4 Changed 3 years ago by
I tuned the spam filtering setup a bit. Basically you can now ensure that your edits go through by having both your (real) name and email setup properly in "Preferences". The email gets synced automatically periodically from the authentication backend, but the name does not. However, if a user has not actively gone to preferences to add his/her name, then submissions will fail iff akismet reports that the submission is spam. The spamfilter plugin supports tons of other external services we could use, and each of those could further reduce the s.c. "karma" of a submission. There just has not been a pressing need to activate those services, and activation would require a fair amount of work (API key, registration, testing, reading documentation, etc).
However, the Trac server will need to be upgraded soonish, so I think I'll add a bit more spam filtering at that time.
comment:5 Changed 3 years ago by
| Component: | Documentation → Community services |
|---|
Is this something that still needs work, or can it be closed?
Setting this to "Community services" as "Documentation" is more read to mean "openvpn documentation"
comment:6 Changed 3 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Ah, this one. Since this spam incident we did several things to make Trac more robust. We can now detect changes to the Wiki pretty much immediately, and spam filtering is now on a good level (has blocked quite a few attempts). So yes, this can be closed.
A screenshot of hacked/unauthorized edit