MyXWiki.org has been attacked

Hi everyone,

I just stopped myxwiki.org for now, but here is the situation:

  • a few days ago (apparently), most files in the permanent directory were encrypted, and a readme was added asking us for money. In terms of important data, it basically means attachments only
  • the database is apparently untouched (which is why it was not noticed right away)

We are currently assessing the situation and what we can do. We’ll keep you informed here.

We have backups from before the attack, so not much should be lost, but we first need to find how the attack was done.

Sorry to hear that. Hope you’ll recover as much as possible :+1:

So, we believe the attack used an outdated wiki (it was still exposing a long-fixed vulnerability, which happens to be used a lot these days).

To avoid this kind of problem going forward, upgrades of myxwiki.org are going to trigger an automated upgrade of the wikis too. On the plus side, it means you won’t have to take care of it anymore. But a fully automated process can of course make mistakes and all wikis are going to be upgraded at the same time, so performance is probably not going to be great right after an upgrade, I’m afraid (still working on trying to improve that, but, at best, fully upgrading all wikis is going to take a while).

We will indicate here when myxwiki is ready.


At the moment we have put a protection in place, see the screenshot at Planned upgrade of xwiki.org to latest 16.10.x - #13 by xrichard

Here are some more details while wikis are being upgraded:

  • As stated in my previous messages, we are forcing the upgrade of all wikis (this is what is blocking the reopening for now) because a vulnerability located in a wiki page was exploited: see "Remote code execution as guest via SolrSearchMacros request · Advisory · xwiki/xwiki-platform · GitHub" for more details about this vulnerability
  • Only the attachments seem to have been impacted. A backup from before the attack (May 1st) has been restored, so we doubt much was lost. But hackers claim they downloaded everything (even if we don’t find any evidence of that in the network metrics).
  • We highly doubt anything else was accessed (because nothing else was encrypted). But since it was theoretically possible to use this same vulnerability to get access to the database, we recommend that anyone change their password on any service where the same username/email and password were used (the passwords are hashed and salted, but better be careful)
  • Once myxwiki.org is reopened, a mail will also be sent to:
    • all wiki owners to explain the situation
    • all users to recommend changing their password on myxwiki.org and any other service where the same credentials were used.

MyXWiki.org is open again.

Wiki owners should shortly receive an email explaining what has been discussed here.

We are still discussing the potential email to send to other users, but don’t hesitate to warn your own wiki community in the meantime.

We apologize for any inconvenience this may have caused you.


@tmortagne, thanks for the job done and the clear explanations provided from the discovery until the final solution :ok_hand:.

I’m glad the XWiki Team takes care of wikis hosted on the community farm MyXWiki.org :tada:.

Thanks again,
