Opened 6 months ago

Closed 5 months ago

#34175 closed defect (fixed)

spam attack on trac

Reported by: anarcat
Owned by: qbi
Priority: Immediate
Milestone:
Component: Internal Services/Service - trac
Version:
Severity: Major
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

a few tickets from the cypherpunks account are being vandalized with obscene content and spam.

Change History (33)

comment:1 Changed 6 months ago by anarcat

Owner: changed from qbi to anarcat
Status: changed from new to accepted

i have removed the following permissions from the GRP_cypherpunks role: TICKET_APPEND and TICKET_CREATE.

i will see about removing the offensive content permanently.

comment:2 Changed 6 months ago by anarcat

i have removed tickets #34168, #34170 and deleted user onionfap

comment:3 Changed 6 months ago by anarcat

i removed #34172 which was also spammed by the cypherpunks account.

next step is to look at the timeline and see what other damage was done and revert that. :/

comment:4 Changed 6 months ago by cypherpunks

cypherpunks can still post comments and edit old ones.

comment:6 Changed 6 months ago by cypherpunks

(merged to comment 5)

Last edited 6 months ago by cypherpunks

comment:7 Changed 6 months ago by anarcat

> cypherpunks can still post comments and edit old ones.

i disabled the cypherpunks account until we can get a hold of this.

comment:8 Changed 6 months ago by anarcat

Owner: changed from anarcat to qbi
Status: changed from accepted to assigned

i'll let qbi follow up on the cleanup and next steps

comment:9 in reply to: 7 Changed 6 months ago by ϲypherpunks

Replying to anarcat:

> > cypherpunks can still post comments and edit old ones.
>
> i disabled the cypherpunks account until we can get a hold of this.

thank you for taking care of this abuse. sad to see this is needed. but best choice atm.
(excuse me, don't get tricked by my account name, I'm a kind user. i created this because my comments were edited)

looks like cleaned offensive content cleared.
still there are a lot of changes of comments and trac wiki pages in past over weeks with interval increasing.

as the account now got disabled, i cannot log into it and revert this. where or how to report? there is something around 100 comments affected 5 pages.

shall i list them in a new ticket or here? would someone revert these things? wiki pages are hard to revert because trac detects spam (limit exceeded) if you try to do so. comments can only be reverted by the account of the commenter and since the account is disabled, this is not possible.

i have spotted at least those following:

comments in tickets search for "edited by cypherpunks":
#18361
#23840
#24351
#33010
#34159
#34173

wiki:
org/doc/ListOfServicesBlockingTor
org/projects/WeSupportTor
doc/CloudflareSites
org/projects/DontBlockMe

comment:11 Changed 6 months ago by ϲypherpunks

Ok. Pages can get reverted by track history without losing formatting. But take long time because of link limit can only revert 2 lines per page edit.

Comments can't restore but quote versions of track diff history. You find comment history link under every comment below the link DIFF last edited ago.... if there was multiple edits you can go back in time by selecting previous.

If restore through quotes. Order of conversation. Get lost.

At least nothing really lost. Just hidden by first look.

comment:12 Changed 6 months ago by cypherpunk1

> But take long time because of link limit can only revert 2 lines per page edit.

This trac is very annoying. You can't post more than 5(?) links.

comment:13 Changed 6 months ago by cypherpunk1

Submission rejected as potential spam
    Maximum number of external links per post exceeded

https://trac.torproject.org/projects/tor/wiki/org/projects/WeSupportTor?action=edit&version=461

What now?

comment:14 in reply to: 13 Changed 6 months ago by qbi

Replying to cypherpunk1:

> Submission rejected as potential spam
>     Maximum number of external links per post exceeded
>
> https://trac.torproject.org/projects/tor/wiki/org/projects/WeSupportTor?action=edit&version=461
> What now?

If you want you can copy the text to a pad and paste the link to the pad here. I can make the change in trac for you.

comment:15 in reply to:  14 Changed 6 months ago by cypherpunk1

Replying to qbi:

> Replying to cypherpunk1:
> If you want you can copy the text to a pad and paste the link to the pad here. I can make the change in trac for you.

Version 461 looks fine to me. Can you revert it to version 461?

The text can be retrieved from
https://trac.torproject.org/projects/tor/wiki/org/projects/WeSupportTor?action=edit&version=461

462 25 hours cypherpunks (vandalized)
461 26 hours cypherpunks (last good)

> i disabled the cypherpunks account

How long are you going to lock it? Other cpunks might be wondering why they can't log in if they didn't log in recently.

comment:16 in reply to:  9 Changed 6 months ago by qbi

Replying to ϲypherpunks:

> wiki:
> org/doc/ListOfServicesBlockingTor
> org/projects/WeSupportTor
> doc/CloudflareSites
> org/projects/DontBlockMe

I reset all of the wiki pages. Resetting the tickets requires a bit more work.

comment:17 Changed 6 months ago by qbi

As far as I can tell all vandalism is now reset.

comment:18 Changed 6 months ago by ϲypherpunks

Thanks! wiki looks now like nothing happened. The years of comments also. Great.

Last edited 6 months ago by ϲypherpunks

comment:19 Changed 6 months ago by cypherpunk1

> wiki looks now like nothing happened.

My contrib was defaced again. This is second time. I'm not going to waste my time on this.

comment:20 Changed 6 months ago by cypherpunk1

Last edited 6 months ago by cypherpunk1

comment:22 Changed 6 months ago by cypherpunk1

Last edited 6 months ago by cypherpunk1

comment:23 Changed 6 months ago by qbi

Thanks a lot. User is removed and pages are reverted.

comment:24 Changed 6 months ago by cypherpunk1

Vandalism here and there, revert here and there. I've no idea which version is real now...

  1. Would you please revert this to Version 149?

https://trac.torproject.org/projects/tor/wiki/doc/tgcw_people_voice?action=history

  1. I suggest you add following "keyword" to trac denylist so the spammer can't post same illegal images.
-sex
videocp (domain part of .onion)
bonanza
lolip
ipor
://fuck
  1. Close these as duplicate of 34175?

https://trac.torproject.org/projects/tor/ticket/34166
https://trac.torproject.org/projects/tor/ticket/34169

  1. Disallow non-alphanumeric !([a-zA-Z0-9]{1,255}) username. Related https://trac.torproject.org/projects/tor/ticket/23771

Last edited 6 months ago by cypherpunk1

comment:25 Changed 6 months ago by ϲypherpunks

Add here: wiki:BadContent ?

Replying to cypherpunk1:

>   1. Disallow non-alphanumeric !([a-zA-Z0-9]{1,255}) username. Related https://trac.torproject.org/projects/tor/ticket/23771

No, don't disallow my existence please.

Last edited 6 months ago by ϲypherpunks

comment:26 Changed 6 months ago by ϲypherpunks

@qbi

The copy paste to bad content missed a line.
The (part of onion) Line needs change into a pattern. Not working as it is

Xxx*.onion

comment:27 in reply to:  26 Changed 6 months ago by qbi

Replying to ϲypherpunks:

> The copy paste to bad content missed a line.

Thanks. I changed it.

comment:28 in reply to:  24 Changed 6 months ago by qbi

Replying to cypherpunk1:

>   1. Would you please revert this to Version 149?
>
> https://trac.torproject.org/projects/tor/wiki/doc/tgcw_people_voice?action=history

[X] Done.

>   1. I suggest you add following "keyword" to trac denylist so the spammer can't post same illegal images.

[X] Done.

>   1. Close these as duplicate of 34175?

[X] Done.

>   1. Disallow non-alphanumeric !([a-zA-Z0-9]{1,255}) username. Related https://trac.torproject.org/projects/tor/ticket/23771

I need to investigate how to do it correctly. It will probably take some more time.

Thanks for the ticket.

comment:29 Changed 6 months ago by cypherpunk1

cypherpunks

> No, don't disallow my existence please.

I'm not talking about you. I was talking about username "#BuildForThis" who've replaced my contributions.

ϲypherpunks

Looking at your username, it is very hard to distinguish. You used non-alphabet 'c'. Any hard-to-distinguish characters should be banned.

Can you distinguish between this ϲypherpunks(your name) and cypherpunks(real account name)? Impossible.

'ϲypherpunks'=='cypherpunks'
false

What if someone registers 'c'ypherpunk1 and vandalizes some wiki? (please don't do it)

What if someone used non-ASCII word to fake themselves as Tor contributor?

Last edited 6 months ago by cypherpunk1

comment:30 Changed 6 months ago by cypherpunks_writecode

What's wrong with this anti-Cloudflare lunatic? Did he know that Tor's threat model has no problem in defying it? We all know Cloudflare is bad can you all stop now?

comment:31 Changed 6 months ago by cypherpunk1

> We all know Cloudflare is bad

Not all. As far as I can see from this ticket #24351, there's some people who don't understand Cloudflare is bad. I really don't care whether they dislike anti-Cloudflare activity or not.

Whatevs. I'm sorry if #24351 or GCW? hurts your feelings. Just don't replace any documents to some illegal images, ok?

I'm getting outta here.

Last edited 6 months ago by cypherpunk1

comment:32 Changed 5 months ago by qbi

There was still someone vandalizing the wiki. So we disabled several cypherpunks accounts and are only assigning viewing permissions to authenticated users.

Our current solution is that people should ask for more permissions like #34210. After some time we will probably reset this policy, but experience from similar cases suggests that it needs some cooling down.

comment:33 in reply to:  24 Changed 5 months ago by qbi

Resolution: fixed
Status: changed from assigned to closed

Replying to cypherpunk1:

>   1. Disallow non-alphanumeric !([a-zA-Z0-9]{1,255}) username. Related https://trac.torproject.org/projects/tor/ticket/23771

I tried to use several regexes to disallow non-alphanumeric characters, but even simple ones like [AB] didn't work as expected (only allowed A and B plus non-ASCII characters). Also (?a)[AB] and similar combinations didn't work. Currently it is unclear how to make this work. We'll investigate later and adjust the settings if there is a good fix. For now I'll close this ticket.
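
The username allowlist from comment:24 and the look-alike account problem from comment:29, worked through as an added example (not part of this ticket and not Trac's own code or configuration; it does not diagnose the regex behaviour described in comment:33). The function names, the small look-alike table and the sample account list are constructed for illustration, and the look-alike first letter is taken to be U+03F2.

```python
import re
import unicodedata

# Allowlist proposed in comment:24. fullmatch() anchors both ends, so one
# stray character anywhere in the name fails the check.
ASCII_NAME = re.compile(r"[a-zA-Z0-9]{1,255}")

# Constructed, deliberately tiny look-alike table; a real deployment would
# load the Unicode UTS #39 confusables data instead.
LOOKALIKES = {
    "\u03f2": "c",  # GREEK LUNATE SIGMA SYMBOL
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
}

def skeleton(name):
    """Fold a name to the form a reader would perceive on screen."""
    # Map look-alikes first: NFKC alone does not turn U+03F2 into "c".
    mapped = "".join(LOOKALIKES.get(ch, ch) for ch in name)
    return unicodedata.normalize("NFKC", mapped).casefold()

def offending_chars(name):
    """List the code points that fall outside the ASCII allowlist."""
    return [f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}"
            for ch in name if not ASCII_NAME.fullmatch(ch)]

def check_registration(candidate, existing, ascii_only=True):
    """Return (accepted, reason) for a new account name."""
    if ascii_only and not ASCII_NAME.fullmatch(candidate):
        bad = ", ".join(offending_chars(candidate))
        return False, "outside [a-zA-Z0-9]{1,255}: " + bad
    taken = {skeleton(name): name for name in existing}
    clash = taken.get(skeleton(candidate))
    if clash is not None:
        return False, f"looks like existing account {clash!r}"
    return True, "ok"

def lookalike_groups(usernames):
    """Audit an account list for names that render alike."""
    groups = {}
    for name in usernames:
        groups.setdefault(skeleton(name), []).append(name)
    return [sorted(group) for group in groups.values() if len(group) > 1]

# Constructed sample account list, using names that appear in this ticket.
ACCOUNTS = ["anarcat", "qbi", "cypherpunks", "cypherpunk1", "\u03f2ypherpunks"]
```

With `ascii_only=False` the same check still refuses a name whose skeleton matches an existing account, which blocks impersonation without banning non-ASCII names outright.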
