Re: www.vim.org is down

  • Bram Moolenaar
    Message 1 of 15 , Apr 30, 2013
      Tony Mechelynck wrote:

      > On 30/04/13 11:06, mattn wrote:
      > > It seems database server is down
      > >
      >
      > I can display http://www.vim.org/ as non-logged-in but an attempt to log
      > in gives me:
      >
      > Query attempt failed: Can't connect to local MySQL server through socket
      > '/var/lib/mysql/mysql.sock' (2)
      >
      > while the URL bar gets set to "http://www.vim.org/login.php".

      Yes, the database appears to be down.
      They "upgraded" the project recently, but I have no reason to assume
      this is related.

      Please check the sourceforge site for any known problems.
      Or file a support ticket.
      I'm afraid I don't have time right now to look into it.

      --
      hundred-and-one symptoms of being an internet addict:
      250. You've given up the search for the "perfect woman" and instead,
      sit in front of the PC until you're just too tired to care.

      /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
      /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
      \\\ an exciting new programming language -- http://www.Zimbu.org ///
      \\\ help me help AIDS victims -- http://ICCF-Holland.org ///

      --
      --
      You received this message from the "vim_dev" maillist.
      Do not top-post! Type your reply below the text you are replying to.
      For more information, visit http://www.vim.org/maillist.php

      ---
      You received this message because you are subscribed to the Google Groups "vim_dev" group.
      To unsubscribe from this group and stop receiving emails from it, send an email to vim_dev+unsubscribe@....
      For more options, visit https://groups.google.com/groups/opt_out.
    • John Beckett
      Message 2 of 15 , Apr 30, 2013
        Bram Moolenaar wrote:
        > Yes, the database appears to be down.
        > They "upgraded" the project recently, but I have no reason
        > to assume this is related.
        >
        > Please check the sourceforge site for any known problems.
        > Or file a support ticket.
        > I'm afraid I don't have time right now to look into it.

        The database is still there because I'm currently looking at it
        through the phpMyAdmin web interface (admin only access). I
        can connect to the database and see the tables as normal, and
        can run a SQL query to see an individual script.

        Standard web browser access to a script like:
        http://www.vim.org/scripts/script.php?script_id=231

        shows error:
        Can't connect to local MySQL server through socket
        '/var/lib/mysql/mysql.sock' (2)

        Bram reported this same error in February 2011:
        https://sourceforge.net/apps/trac/sourceforge/ticket/17514

        and the solution was to change $DB_HOST to "mysql-v". However,
        that was done two years ago, and I cannot see any indication on
        Sourceforge that a change to MySQL has occurred, and I can't
        find anything relevant in Google.

        I'll poke around some more.

        John

      • John Beckett
        Message 3 of 15 , Apr 30, 2013
          Bram Moolenaar wrote:
          > Please check the sourceforge site for any known problems.
          > Or file a support ticket.

          I've poked around and can't find anything, so I have filed a
          support ticket:
          https://sourceforge.net/p/forge/site-support/3872/

          John

        • Marc Weber
          Message 4 of 15 , Apr 30, 2013
            > Please check the sourceforge site for any known problems.
            There are none (http://sourceforge.net/blog/category/sitestatus/)

            > ticket
            Not sure where to create one which is related to mysql hosting.

            I've sent a message to #sourceforge at freenode hoping that staff will
            reply soon.

            Logging in using SSH I see
            ERROR 1203 (42000): User v8rw already has more than 'max_user_connections' active connections
            when trying to connect to the database.

            If you're looking for scripts you can either try
            vim-scripts.org (which should mirror almost all scripts)
            or github.com/MarcWeber/vim-addon-manager-known-repositories
            (which also contains a full list of all scripts @ www.vim.org, but
            without description).

            If nothing happens till tomorrow I'll try to find different ways to
            fix this.

            Marc Weber

          • Marc Weber
            Message 5 of 15 , Apr 30, 2013
              Excerpts from John Beckett's message of Tue Apr 30 13:22:53 +0200 2013:
              > Bram Moolenaar wrote:
              > > Please check the sourceforge site for any known problems.
              > > Or file a support ticket.
              >
              > I've poked around and can't find anything, so I have filed a
              > support ticket:
              > https://sourceforge.net/p/forge/site-support/3872/

              admin user: access is ok
              rw user "ERROR 1203 (42000): User v8rw already has more than 'max_user_connections' active connections"
              ro user (don't know, maybe password is different)

              Admin user for the PHP does work, but I'm not happy with that change.
              So we have a solution, but I'd still like to wait for staff to reply
              before setting up such a change permanently.

              Marc Weber

            • John Beckett
              Message 6 of 15 , Apr 30, 2013
                The vim.org problem has been fixed by Sourceforge.

                However, my checking of some recent changes to the vim.org
                database shows that vim.org was scanned by someone with Acunetix
                Web Vulnerability Scanner. That was used to generate at least
                124 user accounts, including text fields intended to probe for
                bugs that might be exploited to break in to the system.

                It will take me a few days to think about what to do. After
                talking with Bram, I'll delete the junk accounts.

                To save people the nuisance of downloading junk scripts, I have
                deleted scripts 4555 to 4566 inclusive, and the user who created
                them, and the script downloads.

                John

              • Bram Moolenaar
                Message 7 of 15 , Apr 30, 2013
                  John Beckett wrote:

                  > The vim.org problem has been fixed by Sourceforge.

                  It still looked broken to me.

                  After a little digging I discovered that the PHP function we were using
                  to connect to the database no longer worked. I changed it by one letter
                  and now it's working again.

                  > However, my checking of some recent changes to the vim.org
                  > database shows that vim.org was scanned by someone with Acunetix
                  > Web Vulnerability Scanner. That was used to generate at least
                  > 124 user accounts, including text fields intended to probe for
                  > bugs that might be exploited to break in to the system.
                  >
                  > It will take me a few days to think about what to do. After
                  > talking with Bram, I'll delete the junk accounts.
                  >
                  > To save people the nuisance of downloading junk scripts, I have
                  > deleted scripts 4555 to 4566 inclusive, and the user who created
                  > them, and the script downloads.

                  Thanks. For the bogus user accounts, please dump the information
                  and then delete the accounts.

                  The danger is that someone injects bad code into a popular script.
                  Please check what scripts changed, if you can.

                  --
                  Vi is clearly superior to emacs, since "vi" has only two characters
                  (and two keystrokes), while "emacs" has five. (Randy C. Ford)

                  /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
                  /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
                  \\\ an exciting new programming language -- http://www.Zimbu.org ///
                  \\\ help me help AIDS victims -- http://ICCF-Holland.org ///

                • Marc Weber
                  Message 8 of 15 , Apr 30, 2013
                    Excerpts from John Beckett's message of Wed May 01 04:29:16 +0200 2013:
                    > 124 user accounts, including text fields intended to probe for
                    > bugs that might be exploited to break in to the system.
                    The bot did at least 20 login attempts per second!

                    http://www.vim.org/account/register.php
                    I've added a minimal "I'm human test" - that should at least protect against
                    "random attacks" made by bots without human intelligence.
                    And if there are humans running the attack, then we have lost anyway.

                    So it's pretty easy:

                    create a new table.
                    Log IP when $_POST is not empty

                    If an IP is using POST more than 15 times in 4 hours assume it's a bot
                    and die.

                    A typical session:
                    - login (POST 1)
                    - update 5 scripts (POST 2-5)

                    Thus 7 post requests. If you forget your password 5 times - then you're
                    still fine.

                    Yes, there might be false positives - e.g. many people behind
                    firewalls try to update their scripts within 4 hours but honestly
                    scripts are not updated *that* often. Another problem could be you
                    typing the same password 15 times ..)

                    If this is causing problems, please report it. The die message also tells
                    this.

                    vim.org/search.php is not affected, $_GET is used the way it should.
                    Neither should it affect google (which may also run some post requests,
                    usually based on JS init scripts)

                    I hope this makes www.vim.org a lot more "bot proof" now.

                    The implementation can be found in the datab*.inc file.

                    Maybe it's not the right place, but it should work.

                    There have been too many issues lately.

                    Marc Weber

                  • Marc Weber
                    Message 9 of 15 , Apr 30, 2013
                      This still does not protect against resource exhaustion (mysql users
                      exceeded - which happened). There are modules for apache to prevent
                      excessive site usage by bot like attacks. Maybe we should propose
                      sourceforge to set them up?

                      Marc Weber

                    • Marc Weber
                      Message 10 of 15 , Apr 30, 2013
                        I've introduced a total limit of 500 POST requests within 4h which is
                        slightly more than POST requests happen within 24h on an average day
                        (380 posts in 24h)

                        Thus if a bot uses multiple IPs, he should still fail soon
                        (unfortunately everybody else, too) - I think it's more important to
                        protect against attacks in these cases.. Because we don't want to delete
                        that many scripts and user accounts.

                        I hope vim.sf.net is much safer now. I don't have any additional ideas.
                        So let me know whether you think these changes are appropriate.

                        Marc Weber
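
The per-IP limit described in message 8 and the global limit from message 10, as an added example that is not part of the original posts and is not the code in vim.org's datab*.inc file. It assumes Python with SQLite standing in for the site's PHP and MySQL; the table name, function names and sample addresses are hypothetical.

```python
import sqlite3

WINDOW_SECONDS = 4 * 60 * 60  # the 4-hour window from the thread
PER_IP_LIMIT = 15             # "more than 15 times in 4 hours" per IP
GLOBAL_LIMIT = 500            # total POSTs in the window, all IPs together

ALLOW, DENY_IP, DENY_GLOBAL = "allow", "deny_ip", "deny_global"


def open_log(path=":memory:"):
    """Create the POST log table (hypothetical schema: one row per POST)."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS post_log "
        "(ip TEXT NOT NULL, ts INTEGER NOT NULL)"
    )
    conn.execute(
        "CREATE INDEX IF NOT EXISTS post_log_ip_ts ON post_log (ip, ts)"
    )
    return conn


def check_post(conn, ip, now):
    """Log one POST from `ip` at Unix time `now`, then return a decision.

    Assumption: the request is logged before counting, so rejected POSTs
    keep a client blocked while it keeps sending, and they also count
    toward the global limit (the "everybody else, too" trade-off).
    """
    cutoff = now - WINDOW_SECONDS
    with conn:  # one transaction: prune old rows, log, count
        conn.execute("DELETE FROM post_log WHERE ts <= ?", (cutoff,))
        conn.execute(
            "INSERT INTO post_log (ip, ts) VALUES (?, ?)", (ip, now)
        )
        per_ip = conn.execute(
            "SELECT COUNT(*) FROM post_log WHERE ip = ? AND ts > ?",
            (ip, cutoff),
        ).fetchone()[0]
        total = conn.execute(
            "SELECT COUNT(*) FROM post_log WHERE ts > ?", (cutoff,)
        ).fetchone()[0]
    if per_ip > PER_IP_LIMIT:
        return DENY_IP
    if total > GLOBAL_LIMIT:
        return DENY_GLOBAL
    return ALLOW


def replay(conn, events):
    """Run (ip, timestamp) pairs through check_post; return the decisions."""
    return [check_post(conn, ip, ts) for ip, ts in events]


if __name__ == "__main__":
    # Constructed traffic: one address sending 20 POSTs, one per second.
    conn = open_log()
    burst = [("198.51.100.7", 1000 + i) for i in range(20)]
    decisions = replay(conn, burst)
    print("single IP burst:", decisions.count(ALLOW), "allowed,",
          decisions.count(DENY_IP), "denied")

    # Constructed traffic: 50 addresses, 10 POSTs each, then one more POST.
    conn = open_log()
    spread = [(f"203.0.113.{i % 50}", 5000 + i) for i in range(500)]
    decisions = replay(conn, spread)
    print("spread over 50 IPs:", decisions.count(ALLOW), "allowed")
    print("next POST from a new IP:", check_post(conn, "198.51.100.9", 5500))
```
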

                      • Bram Moolenaar
                        Message 11 of 15 , May 1, 2013
                          Marc Weber wrote:

                          > I've introduced a total limit of 500 POST requests within 4h which is
                          > slightly more than POST requests happen within 24h on an average day
                          > (380 posts in 24h)
                          >
                          > Thus if a bot uses multiple IPs, he should still fail soon
                          > (unfortunately everybody else, too) - I think it's more important to
                          > protect against attacks in these cases.. Because we don't want to delete
                          > that many scripts and user accounts.
                          >
                          > I hope vim.sf.net is much safer now. I don't have any additional ideas.
                          > So let me know whether you think these changes are appropriate.

                          Thanks for doing this!

                          I think we can be rather strict. If a human is doing a lot of work, we
                          can ask him to try again in 4 hours. And send us a message that this
                          happened, so that we can tune the limit. Perhaps for specific cases.

                          Please send me a diff of the changes you made (or the new files)
                          privately. Otherwise a sync from my side might overwrite your changes.
                          Cc John Beckett, he is also keeping an eye on things.


                          --
                          hundred-and-one symptoms of being an internet addict:
                          255. You work for a newspaper and your editor asks you to write an
                          article about Internet addiction...in the "first person."

                          /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
                          /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
                          \\\ an exciting new programming language -- http://www.Zimbu.org ///
                          \\\ help me help AIDS victims -- http://ICCF-Holland.org ///

                        • Christian Brabandt
                          Message 12 of 15 , May 7, 2013
                            Hi Bram!

                            On Wed, 01 May 2013, Bram Moolenaar wrote:

                            > I think we can be rather strict. If a human is doing a lot of work, we
                            > can ask him to try again in 4 hours. And send us a message that this
                            > happened, so that we can tune the limit. Perhaps for specific cases.

                            I think it just happened:
                            http://www.vim.org/scripts/script.php?script_id=4509

                            regards,
                            Christian
                            --
                            Chaos reigns. We are on a turntable; the direction
                            into the future has not yet been found. Perhaps this
                            humanity must perish so that another can arise.
                            -- Stanislav Lem

                          • Marc Weber
                            Message 13 of 15 , May 7, 2013
                              Thanks for reporting - looks like he finally succeeded - and didn't read
                              the message ..

                              Hi xingchao,

                              (this mail also goes to vim_dev mailing list)

                              If you cannot upload, you should see a message instead.
                              Due to attacks we've limited actions to 15 POST requests by IP.
                              Another global limit does exist.

                              Do you remember which one was hit? The message should have told you.
                              Eventually we should allow more operations.

                              In any case - do you have any idea why "why I can't upload" is shown
                              that often :) ?

                              Sincerely
                              Marc Weber
