Status regarding the recent Appdb vandalism

Jan Zerebecki jan.wine at zerebecki.de
Wed May 23 10:37:19 CDT 2007


Please do _only_ address replies to this email to
wine-devel at winehq.org ! Remove all other recipients from To and
Cc !

Work is currently underway to restore the state of the Appdb to
the backup of May 22 07:00 CST.

This morning ( TZ +0200 ) someone used the account "Molle
Bestefich" to vandalize the Appdb. He was also seen on IRC and on
the wiki. His IP was identified on all three, logs are available.
See towards the end of this mail for IRC log snippet and whois on
his IP. Please contact me first if you intend to contact abuse or
police personnel regarding this, so we don't cause headaches or
duplicate work. We do not yet know how this person got access to
Molle Bestefich's account.

I received 4454 emails about deletes or other actions by the
account "Molle Bestefich". Sent between "Date: Tue, 22 May 2007
21:43:46 -0500" and "Date: Tue, 22 May 2007 22:18:55 -0500". (2
mails sent by the Appdb in that date range were legit actions.) I
don't know if these are all, because admin-accounts were
explicitly deleted and thus the notification to them stopped.

The following applications were mentioned in these notification emails:
Adobe Illustrator
Battlefield 1942
Battlefield 2
Battlefield 2142
Call of Duty 2
Call of Duty
Checkpoint Firewall-1 Policy editor
Command & Conquer 3: Tiberium Wars
Counter-Strike: Source
Day of Defeat: Source
Deus Ex
Diablo II
EVE Online
F.E.A.R.: First Encounter Assault Recon
Final Fantasy XI Online
Guild Wars
IDA Pro
Photoshop
S.T.A.L.K.E.R. : Shadow of Chernobyl
Soldat
Steam
Supreme Commander
The Elder Scrolls IV: Oblivion
Trillian
World of Warcraft
PunkBuster
Rune
Igowin
Age of Empires
Age of Mythology
Black & White
Brothers in Arms
Flash
FlatOut
.NET Framework
Lotus Notes

Some notifications didn't contain an application or version; here are
the Message-Ids of some examples (this is probably a bug in the
Appdb code):
screen shot
Message-Id: <E1HqgpS-0008Ay-OM at wine.codeweavers.com>
test result
Message-Id: <E1Hqgs7-0001iH-S7 at wine.codeweavers.com>
monitor
Message-Id: <E1HqgsD-0001mW-It at wine.codeweavers.com>
bug
Message-Id: <E1HqhDT-0003xe-GS at wine.codeweavers.com>

One message about a rejected bug link seemed like this type of
message doesn't contain any information:
Message-Id: <E1Hqh5W-0000QE-UG at wine.codeweavers.com>


On IRC from the #winehq channel:
Mai 23 05:27:14 -->     noerrorsfound_ (n=nicholas at h10.66.119.64.ip.alltel.net) has joined #winehq
[unrelated stuff deleted]
Mai 23 06:21:37 ---     noerrorsfound_ is now known as molle-molle-moll
Mai 23 06:21:41 <molle-molle-moll>      molle molle molle
Mai 23 06:21:42 <molle-molle-moll>      molle
Mai 23 06:21:51 <molle-molle-moll>      molle
Mai 23 06:22:03 <molle-molle-moll>      mole string
Mai 23 06:22:18 <molle-molle-moll>      hello give thank
Mai 23 06:22:18 <--     Amorphous has kicked molle-molle-moll from #winehq (Amorphous)

/whois output:
[06:22:38] --- [molle-molle-moll] (n=nicholas at h10.66.119.64.ip.alltel.net) : Nicholas
[06:22:38] --- [whoismolle-molle-moll] irc.freenode.net :http://freenode.net/
[06:22:38] --- [molle-molle-moll] End of WHOIS list.


2007-05-23T06:50:15+0200 $ whois 64.119.66.10
OrgName:    Windstream Communications Inc
OrgID:      WINDS-6
Address:    4001 Rodney Parham Rd
City:       Little Rock
StateProv:  AR
PostalCode: 72212
Country:    US

NetRange:   64.119.64.0 - 64.119.79.255
CIDR:       64.119.64.0/20
NetName:    WINDSTREAM-COMMUNICATIONS
NetHandle:  NET-64-119-64-0-1
Parent:     NET-64-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1-AUTH.WINDSTREAM.NET
NameServer: NS2-AUTH.WINDSTREAM.NET
NameServer: NS3-AUTH.WINDSTREAM.NET
NameServer: NS4-AUTH.WINDSTREAM.NET
Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:    2001-08-24
Updated:    2007-02-26

OrgAbuseHandle: WINDS1-ARIN
OrgAbuseName:   Windstream Abuse
OrgAbusePhone:  +1-888-292-3827
OrgAbuseEmail:  abuse at windstream.net

OrgTechHandle: WINDS-ARIN
OrgTechName:   Windstream Communications Inc
OrgTechPhone:  +1-800-990-4449
OrgTechEmail:  ipadmin at windstream.net

# ARIN WHOIS database, last updated 2007-05-22 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
