Opened 3 years ago

Closed 2 years ago

#671 closed Bug / Defect (fixed)

Your website seems broken/hacked

Reported by: Warix3
Owned by: Samuli Seppänen
Priority: major
Milestone:
Component: Community services
Version:
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:


This part of your website looks hacked:

Attachments (1)

Screenshot_5.png (249.4 KB) - added by Warix3 3 years ago.
A screenshot of hacked/unauthorized edit


Change History (7)

Changed 3 years ago by Warix3

Attachment: Screenshot_5.png added

A screenshot of hacked/unauthorized edit

comment:1 Changed 3 years ago by Steffan Karger

Owner: set to Samuli Seppänen
Status: new → assigned
Version: 2.2.2

Nothing got hacked. This is a wiki, people can change things.

That said, I reverted the offending change. Samuli, can you block the user that caused the changes? (see rev 17 of the FAQ page)

comment:2 Changed 3 years ago by Warix3

I think you should first review edits people make. If anyone can edit it like that.

comment:3 Changed 3 years ago by Samuli Seppänen

Warix3: yes, anyone can make edits like that. We get maybe one spam every month or so, usually to the Trac front page. I have automated monitoring on that page, so I can revert the bad changes quickly. Then there is the occasional spam ticket.

In any case forcing reviews would, imho, do way more harm than good. For example, you could not have reported this issue without us reviewing it first. And the reviews would take way more time than occasionally reverting a bad change. That said, it would make sense to monitor all the changes made to Trac so that bad ones could be detected and reverted more quickly.

Syzzer: I gave up on blocking these users a while back. I can't recall any of them ever coming back. And even if they did, they could create a new account in a minute or so.

comment:4 Changed 3 years ago by Samuli Seppänen

I tuned the spam filtering setup a bit. Basically you can now ensure that your edits go through by having both your (real) name and email set up properly in "Preferences". The email gets synced automatically periodically from the authentication backend, but the name does not. However, if a user has not actively gone to preferences to add his/her name, then submissions will fail iff Akismet reports that the submission is spam. The spamfilter plugin supports tons of other external services we could use, and each of those could further reduce the so-called "karma" of a submission. There just has not been a pressing need to activate those services, and activation would require a fair amount of work (API key, registration, testing, reading documentation, etc).

However, the Trac server will need to be upgraded soonish, so I think I'll add a bit more spam filtering at that time.

comment:5 Changed 2 years ago by Gert Döring

Component: Documentation → Community services

Is this something that still needs work, or can it be closed?

Setting this to "Community services" as "Documentation" is more read to mean "openvpn documentation"

comment:6 Changed 2 years ago by Samuli Seppänen

Resolution: fixed
Status: assigned → closed

Ah, this one. Since this spam incident we did several things to make Trac more robust. We can now detect changes to the Wiki pretty much immediately, and spam filtering is now on a good level (has blocked quite a few attempts). So yes, this can be closed.
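One way to get the kind of wiki change detection discussed in comments 3 and 6, shown as an added example (it is not the OpenVPN project's monitoring, which the ticket does not describe). It assumes the Trac timeline RSS feed marks wiki events with the category `wiki` and links them as `/wiki/<page>?version=N`; the feed sample, the `trac.example.org` host, the user names and the `trusted` set are constructed for illustration.

```python
# Added example: detector for wiki edits in a Trac timeline RSS feed.
# Assumption: wiki items carry <category>wiki</category> and a ?version=N link.
import re
import xml.etree.ElementTree as ET

DC = "{http://purl.org/dc/elements/1.1/}"

# Constructed sample feed, standing in for one poll of the timeline RSS.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0"><channel>
<item><title>FAQ edited</title><dc:creator>newuser123</dc:creator>
<link>https://trac.example.org/wiki/FAQ?version=17</link><category>wiki</category></item>
<item><title>WikiStart edited</title><dc:creator>alice</dc:creator>
<link>https://trac.example.org/wiki/WikiStart?version=42</link><category>wiki</category></item>
<item><title>Ticket #671 created</title><dc:creator>bob</dc:creator>
<link>https://trac.example.org/ticket/671</link><category>newticket</category></item>
</channel></rss>"""

LINK_RE = re.compile(r"/wiki/(?P<page>[^?]+)\?version=(?P<ver>\d+)$")

def wiki_edits(feed_xml):
    """Yield (page, version, author) for every wiki item in the feed."""
    for item in ET.fromstring(feed_xml).iter("item"):
        if item.findtext("category") != "wiki":
            continue  # tickets, changesets, etc. are out of scope here
        m = LINK_RE.search(item.findtext("link", ""))
        if m:
            yield m["page"], int(m["ver"]), item.findtext(DC + "creator", "anonymous")

def new_alerts(feed_xml, seen, trusted):
    """Return unseen edits by non-trusted authors; update `seen` in place."""
    alerts = []
    for page, ver, author in wiki_edits(feed_xml):
        if ver <= seen.get(page, 0):
            continue  # already processed on an earlier poll
        seen[page] = ver
        if author not in trusted:
            # Point the reviewer at the new revision and the one to restore.
            alerts.append({"page": page, "review": ver,
                           "revert_to": ver - 1, "author": author})
    return alerts
```

Persisting `seen` between polls keeps each revision from alerting twice; the script only reports, so the revert itself stays a human decision.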
