On 16.01.2013 09:26, M.-A. Lemburg wrote:
> Meanwhile I'm also trying to see whether we can still extract some
> data from the broken VM image. It does show traces of the wiki
> file contents, so the data still exists on the image in some
> form. Noah already tried extundelete with no success. I'm going
> to give some of the other tools a try as well, e.g. ext4magic
> or PhotoRec.

Update on the last bit:

The tools were not able to recover the deleted files in the file
structure, but were able to reconstruct a large number of files
from the unallocated parts of the disk.

Given that moin saves all revisions of a wiki page in the file
system, with the file name being the only indication of the
revision, those files may be useful in important cases, but there's
no way to use them as input for automatic processing.

The tools did also recover a number of log files that had been
deleted, which allowed for a better analysis of what was used
for the attack.

Unfortunately, the logs for the important Dec 28
appear to have been overwritten by some other files, so I can't
tell for sure whether the same attack as for the Debian wiki
was used, but it is highly likely:

http://wiki.debian.org/DebianWiki/SecurityIncident2012

The moinexec.py action plugin mentioned there was used on our
wiki VM as well.

In the course of this, the IP address from which the "rm -r *"
originated turned up and we've contacted the ISP for more
information.

Several others played with the URLs as well, but only did
harmless stuff. The attacker must have been in the know
about the fact that wiki.python.org was also running the Jython
wiki, since the availability via python.org and jython.org
was checked after the rm run.

Reimar is working on the conversion of the archive.org page
dump to wiki format. I'll try to transmogrify the first
Yahoo dump I ran into a suitable format for him to use
tomorrow (the later runs returned fewer pages, which indicates
that these caches can really only be used for short periods
of time).

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jan 17 2013)
   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
_______________________________________________
pydotorg-www mailing list
pydotorg-www@python.org
http://mail.python.org/mailman/listinfo/pydotorg-www