
RE: www.vim.org is down

  • Bram Moolenaar
    Message 1 of 15, Apr 30, 2013
      John Beckett wrote:

      > The vim.org problem has been fixed by Sourceforge.

      It still looked broken to me.

      After a little digging I discovered that the PHP function we were using
      to connect to the database no longer worked. I changed it by one letter
      and now it's working again.

      > However, my checking of some recent changes to the vim.org
      > database shows that vim.org was scanned by someone with Acunetix
      > Web Vulnerability Scanner. That was used to generate at least
      > 124 user accounts, including text fields intended to probe for
      > bugs that might be exploited to break in to the system.
      >
      > It will take me a few days to think about what to do. After
      > talking with Bram, I'll delete the junk accounts.
      >
      > To save people the nuisance of downloading junk scripts, I have
      > deleted scripts 4555 to 4566 inclusive, and the user who created
      > them, and the script downloads.

      Thanks. For the bogus user accounts, please dump the information
      and then delete the accounts.

      The danger is that someone injects bad code into a popular script.
      Please check what scripts changed, if you can.

      --
      Vi is clearly superior to emacs, since "vi" has only two characters
      (and two keystrokes), while "emacs" has five. (Randy C. Ford)

      /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
      /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
      \\\ an exciting new programming language -- http://www.Zimbu.org ///
      \\\ help me help AIDS victims -- http://ICCF-Holland.org ///

      --
      --
      You received this message from the "vim_dev" maillist.
      Do not top-post! Type your reply below the text you are replying to.
      For more information, visit http://www.vim.org/maillist.php

      ---
      You received this message because you are subscribed to the Google Groups "vim_dev" group.
      To unsubscribe from this group and stop receiving emails from it, send an email to vim_dev+unsubscribe@....
      For more options, visit https://groups.google.com/groups/opt_out.
    • Marc Weber
      Message 2 of 15, Apr 30, 2013
        Excerpts from John Beckett's message of Wed May 01 04:29:16 +0200 2013:
        > 124 user accounts, including text fields intended to probe for
        > bugs that might be exploited to break in to the system.
        The bot did at least 20 login attempts per second!

        http://www.vim.org/account/register.php
        I've added a minimal "I'm human test" - that should at least protect against
        "random attacks" made by bots without human intelligence.
        And if there are humans running the attack, then we have lost anyway.

        So it's pretty easy:

        create a new table.
        Log IP when $_POST is not empty

        If an IP is using POST more than 15 times in 4 hours assume it's a bot
        and die.

        A typical session:
        - login (POST 1)
        - update 5 scripts (POST 2-5)

        Thus 7 post requests. If you forget your password 5 times - then you're
        still fine.

        Yes, there might be false positives - e.g. many people behind
        firewalls try to update their scripts within 4 hours but honestly
        scripts are not updated *that* often. Another problem could be you
        typing the same password 15 times ..)

        If this is causing problems, please report it. The die message also
        says so.

        vim.org/search.php is not affected, $_GET is used the way it should.
        Neither should it affect google (which may also run some post requests,
        usually based on JS init scripts)

        I hope this makes www.vim.org a lot more "bot proof" now.

        The implementation can be found in the datab*.inc file.

        Maybe it's not the right place, but it should work.

        There have been too many issues lately.

        Marc Weber

      • Marc Weber
        Message 3 of 15, Apr 30, 2013
          This still does not protect against resource exhaustion (mysql users
          exceeded - which happened). There are modules for apache to prevent
          excessive site usage by bot-like attacks. Maybe we should propose to
          Sourceforge that they set them up?

          Marc Weber

        • Marc Weber
          Message 4 of 15, Apr 30, 2013
            I've introduced a total limit of 500 POST requests within 4h which is
            slightly more than POST requests happen within 24h on an average day
            (380 posts in 24h)

            Thus if a bot uses multiple IPs, he should still fail soon
            (unfortunately everybody else, too) - I think it's more important to
            protect against attacks in these cases, because we don't want to delete
            that many scripts and user accounts.

            I hope vim.sf.net is much safer now. I don't have any additional ideas.
            So let me know whether you think these changes are appropriate.

            Marc Weber

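The per-IP limit described two messages up (15 POSTs per IP in 4 hours, logged in a new table) and the global limit added in this message (500 POSTs site-wide in 4 hours), as an added example that is not the vim.org site's PHP code: a Python model of the sliding-window POST counter. It assumes an in-memory log in place of the thread's MySQL table, the limits quoted in the thread, and constructed traffic with monotonically increasing timestamps. Beyond the basic check it also runs the two side effects the thread itself predicts: several humans behind one NAT address tripping the per-IP limit, and a bot spread over many addresses tripping the global limit for everyone until the window slides past the burst.

```python
"""Sliding-window POST rate limiter modelled on the scheme in this thread:
log the source IP of every POST, treat an IP as a bot after 15 POSTs in
4 hours, and refuse all POSTs site-wide after 500 in 4 hours.

Added example, not the vim.org code. The thread keeps the log in a MySQL
table and die()s with a message; here the log is an in-memory deque so the
example runs offline, and check_post() returns which limit tripped so a
blocked user can report it. All traffic below is constructed."""
from collections import deque

WINDOW = 4 * 3600   # seconds: the 4 h window quoted in the thread
PER_IP_LIMIT = 15   # POSTs per IP per window (the thread's per-IP limit)
GLOBAL_LIMIT = 500  # POSTs site-wide per window (the thread's global limit)


class PostLimiter:
    """Sliding-window counter over a log of (timestamp, ip) POST entries.
    Stands in for the "new table" the thread describes; assumption: an
    in-memory deque fed with monotonically increasing timestamps."""

    def __init__(self, window=WINDOW, per_ip_limit=PER_IP_LIMIT,
                 global_limit=GLOBAL_LIMIT):
        self.window = window
        self.per_ip_limit = per_ip_limit
        self.global_limit = global_limit
        self._log = deque()  # (timestamp, ip), oldest first

    def _expire(self, now):
        # Drop entries that have fallen out of the window (log is time-ordered).
        while self._log and self._log[0][0] <= now - self.window:
            self._log.popleft()

    def check_post(self, ip, now):
        """Log a POST from ip at time now (seconds) and return the limit it
        tripped: "ip", "global", or None when the POST is allowed. Rejected
        POSTs are logged too, so a bot that keeps hammering keeps counting
        against both limits instead of resetting itself."""
        self._expire(now)
        prior_ip = sum(1 for _, i in self._log if i == ip)
        prior_total = len(self._log)
        self._log.append((now, ip))
        if prior_ip >= self.per_ip_limit:
            return "ip"
        if prior_total >= self.global_limit:
            return "global"
        return None


def run(limiter, stream):
    """stream: iterable of (time, ip) in time order. One outcome per POST."""
    return [limiter.check_post(ip, t) for t, ip in stream]


def typical_session():
    """Login plus a handful of script updates from one IP within a minute:
    the 7 POSTs the thread calls a typical session all pass."""
    return run(PostLimiter(), [(10 * i, "198.51.100.7") for i in range(7)])


def single_ip_bot():
    """A bot posting 20 times a second from one address: 15 get through,
    the 16th (index 15) and everything after it is refused as "ip"."""
    out = run(PostLimiter(), [(0.05 * i, "203.0.113.9") for i in range(100)])
    return out.count(None), out.index("ip")


def nat_false_positive():
    """Four humans behind one NAT address, each doing 7 POSTs an hour apart
    inside the window: 28 POSTs from one IP, so the last 13 are refused."""
    stream = [(3600 * user + 10 * i, "192.0.2.1")
              for user in range(4) for i in range(7)]
    out = run(PostLimiter(), stream)
    return out.count(None), out.count("ip")


def distributed_bot_then_user():
    """A bot spreads 10 POSTs over each of 100 addresses, staying under the
    per-IP limit. The global limit stops it after 500 POSTs, but also locks
    out the human who arrives next, until the window slides past the burst."""
    lim = PostLimiter()
    bot = [(i, "203.0.113.%d" % (i % 100)) for i in range(1000)]
    out = run(lim, bot)
    during = lim.check_post("198.51.100.7", 2000)           # still in window
    after = lim.check_post("198.51.100.7", 1000 + WINDOW)   # bot entries expired
    return out.count(None), out.count("global"), during, after
```

The return value of check_post() is the piece the later messages in this thread ask for: when a user reports "why can't I upload", the die() message should say which of the two limits was hit, otherwise the limit cannot be tuned.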
          • Bram Moolenaar
            Message 5 of 15, May 1, 2013
              Marc Weber wrote:

              > I've introduced a total limit of 500 POST requests within 4h which is
              > slightly more than POST requests happen within 24h on an average day
              > (380 posts in 24h)
              >
              > Thus if a bot uses multiple IPs, he should still fail soon
              > (unfortunately everybody else, too) - I think its more importatnt to
              > protect against attacks in these cases.. Because we don't want to delete
              > that many scripts and user accounts.
              >
              > I hope vim.sf.net is much safer now. I don't have any additional ideas.
              > So let me know whether you think these changes are appropriate.

              Thanks for doing this!

              I think we can be rather strict. If a human is doing a lot of work, we
              can ask him to try again in 4 hours. And send us a message that this
              happened, so that we can tune the limit. Perhaps for specific cases.

              Please send me a diff of the changes you made (or the new files)
              privately. Otherwise a sync from my side might overwrite your changes.
              Cc John Beckett, he is also keeping an eye on things.


              --
              hundred-and-one symptoms of being an internet addict:
              255. You work for a newspaper and your editor asks you to write an
              article about Internet addiction...in the "first person."

              /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
              /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
              \\\ an exciting new programming language -- http://www.Zimbu.org ///
              \\\ help me help AIDS victims -- http://ICCF-Holland.org ///

            • Christian Brabandt
              Message 6 of 15, May 7, 2013
                Hi Bram!

                On Wed, 01 May 2013, Bram Moolenaar wrote:

                > I think we can be rather strict. If a human is doing a lot of work, we
                > can ask him to try again in 4 hours. And send us a message that this
                > happened, so that we can tune the limit. Perhaps for specific cases.

                I think it just happened:
                http://www.vim.org/scripts/script.php?script_id=4509

                regards,
                Christian
                --
                Chaos reigns. We are standing on a turntable, and the
                direction into the future has not yet been found. Perhaps this
                humanity must perish so that another can arise.
                -- Stanislav Lem

              • Marc Weber
                Message 7 of 15, May 7, 2013
                  Thanks for reporting - looks like he finally succeeded - and didn't read
                  the message ..

                  Hi xingchao,

                  (this mail also goes to vim_dev mailinglist)

                  If you cannot upload, you should see a message instead.
                  Due to attacks we've limited actions to 15 POST requests by IP.
                  Another global limit does exist.

                  Do you remember which one was hit? The message should have told you.
                  Eventually we should allow more operations.

                  In any case - do you have any idea why "why I can't upload" is shown
                  that often :) ?

                  Sincerely
                  Marc Weber
