*

Offline xasop

  • Administrator
  • *****
  • Posts: 9777
  • Professional computer somebody
Re: Wiki Spam
« Reply #2 on: March 20, 2024, 03:12:07 PM »
Thanks, I've restored a database backup from before these pages were created and deleted the user account that created them. Other recent changes since 3 March will also be gone, if there are any, but we can restore those as needed.
when you try to mock anyone while also running the flat earth society. Lol

*

Offline Tom Bishop

  • Zetetic Council Member
  • **
  • Posts: 10665
  • Flat Earth Believer
Re: Wiki Spam
« Reply #3 on: March 23, 2024, 06:17:09 PM »
Thank you.

Something funny seems to still be going on.

The Southern Hemisphere page from the outside looks fine: https://wiki.tfes.org/index.php?title=Southern_Hemisphere

But when I go to edit the Southern Hemisphere page I see this.

https://wiki.tfes.org/index.php?title=Southern_Hemisphere&action=edit



Cleared cache and tried it in a different browser with the same result.
« Last Edit: March 23, 2024, 06:19:04 PM by Tom Bishop »

Re: Wiki Spam
« Reply #4 on: March 23, 2024, 11:41:15 PM »
Many correspondents on these pages would contend that most of the Wiki's content is a load of old nonsense, but the fact is that FEers have devoted considerable time and effort to construct, amend and develop the information therein, and that it forms the public crystallisation of your credo.

That some faceless, mindless morons can feck-around with it to this extent is, sadly, a typical electronic example of the modern vandalism that sees Banksies defaced, objects dropped from highway bridges, and so on. 

Sincerely hope that you can sort it out. 

*

Offline xasop

Re: Wiki Spam
« Reply #5 on: March 24, 2024, 01:13:33 AM »
Something funny seems to still be going on.
Agreed. I suspect a vulnerability in MediaWiki allowing someone to impersonate users, since the page you linked was defiled by your and Pete's accounts. I don't have time to investigate properly right now, so I've disabled POST requests in the web server configuration and restored the same backup again. This means that nobody will be able to log in or edit pages until this is properly dealt with, which will probably involve upgrading to the latest version of MediaWiki.

*

Online Pete Svarrior

  • e
  • Planar Moderator
  • *****
  • Posts: 16082
  • (◕˽ ◕ ✿)
Re: Wiki Spam
« Reply #6 on: March 24, 2024, 11:19:32 AM »
your and Pete's accounts
Are you certain about that? I manually reverted the vandalism, but I saw no evidence of my account making any malicious edits.

Also, it's worth keeping in mind that just reverting the database is likely not to be very effective on MediaWiki. It's at least plausible that some of the vandalism persisted in its cache, and that making an edit restored it.
« Last Edit: March 24, 2024, 01:22:42 PM by Pete Svarrior »
Read the FAQ before asking your question - chances are we already addressed it.
Follow the Flat Earth Society on Twitter and Facebook!

If we are not speculating then we must assume

*

Offline xasop

Re: Wiki Spam
« Reply #7 on: March 24, 2024, 01:24:05 PM »
Are you certain about that? I manually reverted the vandalism, but I saw no evidence of my account making any malicious edits.
When I looked at the change your account made, the diff just changed the vandalism to different vandalism. It's now gone, of course, since I restored an old backup.

Also, it's worth keeping in mind that just reverting the database is likely not to be very effective on MediaWiki. It seems more likely to me that some of the vandalism persisted in its cache, and that making an edit restored it.
The Southern Hemisphere page wasn't listed in Tom's original list of vandalised pages, so it's not at all clear whether there was any original vandalism to persist in the cache. To be on the safe side, I've restarted memcached (I already restarted php when I restored the database before), so now there is no cache from before the database restore.

*

Offline xasop

Re: Wiki Spam
« Reply #8 on: March 24, 2024, 02:20:15 PM »
I tried upgrading MediaWiki to 1.41.0, and after manually cleaning up a bunch of duplicate database records and upgrading some extensions, I found our theme calls deprecated functions and I don't know to what extent it's been customised. I've already given up half my afternoon that I was supposed to spend studying and I'm unlikely to have any more time to waste on this until sometime in mid-April. For now it's back on the old version with edits still disabled.

*

Online Pete Svarrior

Re: Wiki Spam
« Reply #9 on: March 24, 2024, 03:12:23 PM »
When I looked at the change your account made, the diff just changed the vandalism to different vandalism.
Ooh, that is very interesting. It definitely didn't look that way when I made the edit, but I only checked it once while still logged in.

The Southern Hemisphere page wasn't listed in Tom's original list of vandalised pages, so it's not at all clear whether there was any original vandalism to persist in the cache.
Makes sense. If both Tom and I ended up in a similar scenario (noticed vandalism, made edits, and those edits turned into more vandalism), it almost makes me wonder if someone made changes to our MediaWiki code. I'll poke around a little this evening.

I found our theme calls deprecated functions and I don't know to what extent it's been customised.
Last time the theme broke, we "temporarily" grabbed another one from the shelf and made a few changes to the CSS to tweak it to our brand; and then it stayed like that for years. I suspect we'll want to do that again, rather than try and fix the current ancient hodgepodge.
« Last Edit: March 24, 2024, 03:15:11 PM by Pete Svarrior »

*

Offline xasop

Re: Wiki Spam
« Reply #10 on: March 24, 2024, 03:16:00 PM »
Makes sense. If both Tom and I ended up in a similar scenario (noticed vandalism, made edits, and those edits turned into more vandalism), it almost makes me wonder if someone made changes to our MediaWiki code. I'll poke around a little this evening.
I didn't see any obviously suspicious changes when I diffed a vanilla MediaWiki with our current code, but that didn't cover all the extensions we've added, so there's a chance there's something somewhere in there.
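
Added example, not part of the original post and not the site's own tooling: one way to run the comparison described above so that add-ons with no pristine copy to compare against are reported as unverified instead of being silently left out. The function names, the `extensions`/`skins` layout and the sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix():
            hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_trees(reference, deployed, plugin_dirs=("extensions", "skins")):
    """Compare a deployed install with a pristine copy of the same release."""
    ref, dep = hash_tree(reference), hash_tree(deployed)
    # Add-ons on the server with no reference copy cannot be vouched for;
    # report them as unverified instead of silently skipping them.
    unverified = sorted(
        f"{top}/{d.name}"
        for top in plugin_dirs if Path(deployed, top).is_dir()
        for d in Path(deployed, top).iterdir()
        if d.is_dir() and not Path(reference, top, d.name).is_dir())
    covered = [p for p in sorted(dep)
               if not any(p.startswith(u + "/") for u in unverified)]
    return {
        "modified": [p for p in covered if p in ref and dep[p] != ref[p]],
        "added": [p for p in covered if p not in ref],
        "missing": sorted(set(ref) - set(dep)),
        "unverified": unverified,
    }


def demo():
    # Constructed sample trees: a pristine release and a deployed copy.
    def write(root, rel, data):
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as dep:
        for root in (ref, dep):
            write(root, "index.php", b"<?php // entry point\n")
            write(root, "includes/Setup.php", b"<?php // setup\n")
        write(dep, "includes/Setup.php", b"<?php // setup, edited\n")
        write(dep, "includes/extra.php", b"<?php // not in release\n")
        write(dep, "extensions/ExampleExt/Hooks.php", b"<?php // add-on\n")
        return compare_trees(ref, dep)
```

Each entry under `unverified` needs its own reference copy of the same add-on version before the deployed tree can be called clean.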

*

Online Pete Svarrior

Re: Wiki Spam
« Reply #11 on: March 24, 2024, 07:13:08 PM »
I didn't see any obviously suspicious changes when I diffed a vanilla MediaWiki with our current code, but that didn't cover all the extensions we've added, so there's a chance there's something somewhere in there.
Yeah, I'm not seeing anything obvious, either. I have no access to access logs for the wiki (or, well, any access logs really) - if you don't mind granting me those I'd be keen to snoop around.