Mantis bacula bugs has disappeared (like empty database)

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Mantis bacula bugs has disappeared (like empty database)

Wanderlei Huttel
Hello

I've try to access Bacula bugs and I noticed that all bugs related disappeared.

The website was hacked?


Best Regards

Wanderlei Hüttel

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Bacula-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/bacula-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Mantis bacula bugs has disappeared (like empty database)

Kern Sibbald

Hello Wanderlei,

Yes, somehow the MySQL table holding the list of bug was totally emptied.

I don't have the slightest idea what happened.  The system logs don't seem to show anything unusual.

This is pretty disturbing.

Best regards,

Kern


On 04/17/2017 12:36 PM, Wanderlei Huttel wrote:
Hello

I've try to access Bacula bugs and I noticed that all bugs related disappeared.

The website was hacked?


Best Regards

Wanderlei Hüttel


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot


_______________________________________________
Bacula-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/bacula-users


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Bacula-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/bacula-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Mantis bacula bugs has disappeared (like empty database)

Josip Deanovic
On Monday 2017-04-17 18:53:43 Kern Sibbald wrote:
> Hello Wanderlei,
>
> Yes, somehow the MySQL table holding the list of bug was totally
> emptied.
>
> I don't have the slightest idea what happened.  The system logs don't
> seem to show anything unusual. This is pretty disturbing.

What about the file size on the disk?

Maybe file system or memory corruption.

Try mysql commands such as "check table <table_name>;" and if needed
"repair table <table_name>;" but first check that there is enough
space on the file system.

--
Josip Deanovic

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Bacula-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/bacula-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Mantis bacula bugs has disappeared (like empty database)

Kern Sibbald
Hello,

All the tables are good.  However someone emptied it.

I think this is the command that did it.

37.123.133.148 - - [16/Apr/2017:09:19:39 +0100] "POST
/manage_proj_delete.php HTTP/1.1" 200 504

Any comments?

Best regards,

Kern


On 04/17/2017 07:14 PM, Josip Deanovic wrote:

> On Monday 2017-04-17 18:53:43 Kern Sibbald wrote:
>> Hello Wanderlei,
>>
>> Yes, somehow the MySQL table holding the list of bug was totally
>> emptied.
>>
>> I don't have the slightest idea what happened.  The system logs don't
>> seem to show anything unusual. This is pretty disturbing.
> What about the file size on the disk?
>
> Maybe file system or memory corruption.
>
> Try mysql commands such as "check table <table_name>;" and if needed
> "repair table <table_name>;" but first check that there is enough
> space on the file system.
>


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Bacula-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/bacula-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Mantis bacula bugs has disappeared (like empty database)

Josip Deanovic
On Monday 2017-04-17 20:19:17 Kern Sibbald wrote:

> Hello,
>
> All the tables are good.  However someone emptied it.
>
> I think this is the command that did it.
>
> 37.123.133.148 - - [16/Apr/2017:09:19:39 +0100] "POST
> /manage_proj_delete.php HTTP/1.1" 200 504
>
> Any comments?

I have just checked Mantis's manage_proj_delete.php and core.php
files.

It seems that they are trying to ensure that the user is logged in
and that the user has the privileges to run manage_proj_delete.php
so it's either a bug in the Mantis code or the password of a privileged
user has been stolen.

In either case I am sorry for the lost data and the time that will
be spent because of this.

I have failed to google-out any recent security issues in Mantis code
that would result in data loss.

I would suggest to check this Mantis page related to security issues:
https://www.mantisbt.org/wiki/doku.php/mantisbt:handling_security_problems


--
Josip Deanovic

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Bacula-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/bacula-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Mantis bacula bugs has disappeared (like empty database)

Josip Deanovic
In reply to this post by Kern Sibbald
On Monday 2017-04-17 20:19:17 Kern Sibbald wrote:

> Hello,
>
> All the tables are good.  However someone emptied it.
>
> I think this is the command that did it.
>
> 37.123.133.148 - - [16/Apr/2017:09:19:39 +0100] "POST
> /manage_proj_delete.php HTTP/1.1" 200 504
>
> Any comments?

I think I found the source of the problem:
https://www.mantisbt.org/bugs/view.php?id=22739
https://www.mantisbt.org/bugs/view.php?id=22690

In short: "attackers can hijack accounts if only supplying the user
ID and username".

Date Submitted: 2017-04-08 10:07
Fixed in Version: 1.3.10
It seems that same goes for 2.3.1.

--
Josip Deanovic

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Bacula-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/bacula-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Mantis bacula bugs has disappeared (like empty database)

Wanderlei Huttel
But there's no backup of Mantis Database?

Best regards

Wanderlei Hüttel

2017-04-17 16:15 GMT-03:00 Josip Deanovic <[hidden email]>:
On Monday 2017-04-17 20:19:17 Kern Sibbald wrote:
> Hello,
>
> All the tables are good.  However someone emptied it.
>
> I think this is the command that did it.
>
> 37.123.133.148 - - [16/Apr/2017:09:19:39 +0100] "POST
> /manage_proj_delete.php HTTP/1.1" 200 504
>
> Any comments?

I think I found the source of the problem:
https://www.mantisbt.org/bugs/view.php?id=22739
https://www.mantisbt.org/bugs/view.php?id=22690

In short: "attackers can hijack accounts if only supplying the user
ID and username".

Date Submitted: 2017-04-08 10:07
Fixed in Version: 1.3.10
It seems that same goes for 2.3.1.

--
Josip Deanovic

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Bacula-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/bacula-users


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Bacula-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/bacula-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Mantis bacula bugs has disappeared (like empty database)

Josip Deanovic
On Monday 2017-04-17 17:19:28 Wanderlei Huttel wrote:
> But there's no backup of Mantis Database?

Whether there is a backup or not, an upgrade to the fixed
(possibly newest) version of Mantis should be performed.

Otherwise the same incident could occur again.

--
Josip Deanovic

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Bacula-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/bacula-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Mantis bacula bugs has disappeared (like empty database)

Kern Sibbald
In reply to this post by Wanderlei Huttel

Yes, there is a backup.  Hopefully there is a recent one.  Before restoring it though, I need to understand how to stop it.



On 04/17/2017 10:19 PM, Wanderlei Huttel wrote:
But there's no backup of Mantis Database?

Best regards

Wanderlei Hüttel

2017-04-17 16:15 GMT-03:00 Josip Deanovic <[hidden email]>:
On Monday 2017-04-17 20:19:17 Kern Sibbald wrote:
> Hello,
>
> All the tables are good.  However someone emptied it.
>
> I think this is the command that did it.
>
> 37.123.133.148 - - [16/Apr/2017:09:19:39 +0100] "POST
> /manage_proj_delete.php HTTP/1.1" 200 504
>
> Any comments?

I think I found the source of the problem:
https://www.mantisbt.org/bugs/view.php?id=22739
https://www.mantisbt.org/bugs/view.php?id=22690

In short: "attackers can hijack accounts if only supplying the user
ID and username".

Date Submitted: 2017-04-08 10:07
Fixed in Version: 1.3.10
It seems that same goes for 2.3.1.

--
Josip Deanovic

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Bacula-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/bacula-users



------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot


_______________________________________________
Bacula-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/bacula-users


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Bacula-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/bacula-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Mantis bacula bugs has disappeared (like empty database)

Kern Sibbald
In reply to this post by Josip Deanovic
At least I now know how to fix it.

Thanks for the much appreciated help.

Best regards,
Kern

On 04/17/2017 10:23 PM, Josip Deanovic wrote:
> On Monday 2017-04-17 17:19:28 Wanderlei Huttel wrote:
>> But there's no backup of Mantis Database?
> Whether there is a backup or not, an upgrade to the fixed
> (possibly newest) version of Mantis should be performed.
>
> Otherwise the same incident could occur again.
>


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Bacula-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/bacula-users
Loading...