Status regarding the recent Appdb vandalism

Chris Morgan chmorgan at gmail.com
Wed May 23 19:15:28 CDT 2007


Yep, that account was created by the person who was deleting things
from the appdb.

As of right now the appdb site is back online, the account we suspect
was used to delete the data has been removed, the 'roop' account isn't
present and most everything appears to be back, except the screenshots
that we had no backup of.

I've also added a comment to the appdb main page to explain the
downtime and what we plan to do to improve things. Anyone interested
in hacking in php on the appdb is welcome to get in touch with me,
there is plenty to hack on ;-)

Also, I'll be updating the cron script so we can remove the screenshot
entries that have no corresponding screenshot file.

Chris


On 5/23/07, Bryan Haskins <kingofallhearts999 at gmail.com> wrote:
> Also, in respect to World of Warcraft (Only notify list I'm on), I saw
> another deleting quite a bit, as I was saying this morning in #winehq, I
> recorded deletions by Roop, no clue if they might actually be legit, but
> there was a lot deleted, so I thought I might throw that out there,
>
>
> On 5/23/07, Jan Zerebecki <jan.wine at zerebecki.de> wrote:
> > Please do _only_ address replies to this email to
> > wine-devel at winehq.org ! Remove all other recipients from To and
> > Cc !
> >
> > Work is currently underway to restore the state of the Appdb to
> > the backup of May 22 07:00 CST.
> >
> > This morning ( TZ +0200 ) someone used the account "Molle
> > Bestefich" to vandalize the Appdb. He was also seen on IRC and on
> > the wiki. His IP was identified on all three, logs are available.
> > See towards the end of this mail for IRC log snippet and whois on
> > his IP. Please contact me first if you intend to contact abuse or
> > police personnel regarding this, so we don't cause headaches or
> > duplicate work. We do not yet know how this person got access to
> > Molle Bestefich's account.
> >
> > I received 4454 emails about deletes or other actions by the
> > account "Molle Bestefich". Sent between "Date: Tue, 22 May 2007
> > 21:43:46 -0500" and "Date: Tue, 22 May 2007 22:18:55 -0500". (2
> > mails sent by the Appdb in that date range were legit actions.) I
> > don't know if these are all, because admin-accounts were
> > explicitly deleted and thus the notification to them stopped.
> >
> > The following applications were mentioned in these notification emails:
> > Adobe Illustrator
> > Battlefield 1942
> > Battlefield 2
> > Battlefield 2142
> > Call of Duty 2
> > Call of Duty
> > Checkpoint Firewall-1 Policy editor
> > Command & Conquer 3: Tiberium Wars
> > Counter-Strike: Source
> > Day of Defeat: Source
> > Deus Ex
> > Diablo II
> > EVE Online
> > F.E.A.R.: First Encounter Assault Recon
> > Final Fantasy XI Online
> > Guild Wars
> > IDA Pro
> > Photoshop
> > S.T.A.L.K.E.R. : Shadow of Chernobyl
> > Soldat
> > Steam
> > Supreme Commander
> > The Elder Scrolls IV: Oblivion
> > Trillian
> > World of Warcraft
> > PunkBuster
> > Rune
> > Igowin
> > Age of Empires
> > Age of Mythology
> > Black & White
> > Brothers in Arms
> > Flash
> > FlatOut
> > .NET Framework
> > Lotus Notes
> >
> > Some notifications didn't contain an application or version, here
> > the Message-Id-s of some examples (this is probably a bug in the
> > Appdb code):
> > screen shot
> > Message-Id: < E1HqgpS-0008Ay-OM at wine.codeweavers.com>
> > test result
> > Message-Id: < E1Hqgs7-0001iH-S7 at wine.codeweavers.com >
> > monitor
> > Message-Id: <E1HqgsD-0001mW-It at wine.codeweavers.com>
> > bug
> > Message-Id: < E1HqhDT-0003xe-GS at wine.codeweavers.com>
> >
> > One message about a rejected bug link seemed like these types of
> > messages don't contain any information:
> > Message-Id: < E1Hqh5W-0000QE-UG at wine.codeweavers.com>
> >
> >
> > On IRC from the #winehq channel:
> > Mai 23 05:27:14 -->     noerrorsfound_ (n=nicholas at h10.66.119.64.ip.alltel.net ) has joined #winehq
> > [unrelated stuff deleted]
> > Mai 23 06:21:37 ---     noerrorsfound_ is now known as molle-molle-moll
> > Mai 23 06:21:41 <molle-molle-moll>      molle molle molle
> > Mai 23 06:21:42 <molle-molle-moll>      molle
> > Mai 23 06:21:51 <molle-molle-moll>      molle
> > Mai 23 06:22:03 <molle-molle-moll>      mole string
> > Mai 23 06:22:18 <molle-molle-moll>      hello give thank
> > Mai 23 06:22:18 <--     Amorphous has kicked molle-molle-moll from #winehq (Amorphous)
> >
> > /whois output:
> > [06:22:38] --- [molle-molle-moll] (n=nicholas at h10.66.119.64.ip.alltel.net ) : Nicholas
> > [06:22:38] --- [whoismolle-molle-moll] irc.freenode.net :http://freenode.net/
> > [06:22:38] --- [molle-molle-moll] End of WHOIS list.
> >
> >
> > 2007-05-23T06:50:15+0200 $ whois 64.119.66.10
> > OrgName:    Windstream Communications Inc
> > OrgID:      WINDS-6
> > Address:    4001 Rodney Parham Rd
> > City:       Little Rock
> > StateProv:  AR
> > PostalCode: 72212
> > Country:    US
> >
> > NetRange:   64.119.64.0 - 64.119.79.255
> > CIDR:       64.119.64.0/20
> > NetName:    WINDSTREAM-COMMUNICATIONS
> > NetHandle:  NET-64-119-64-0-1
> > Parent:     NET-64-0-0-0-0
> > NetType:    Direct Allocation
> > NameServer: NS1-AUTH.WINDSTREAM.NET
> > NameServer: NS2-AUTH.WINDSTREAM.NET
> > NameServer: NS3-AUTH.WINDSTREAM.NET
> > NameServer: NS4-AUTH.WINDSTREAM.NET
> > Comment:    ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
> > RegDate:    2001-08-24
> > Updated:    2007-02-26
> >
> > OrgAbuseHandle: WINDS1-ARIN
> > OrgAbuseName:   Windstream Abuse
> > OrgAbusePhone:  +1-888-292-3827
> > OrgAbuseEmail:   abuse at windstream.net
> >
> > OrgTechHandle: WINDS-ARIN
> > OrgTechName:   Windstream Communications Inc
> > OrgTechPhone:  +1-800-990-4449
> > OrgTechEmail:  ipadmin at windstream.net
> >
> > # ARIN WHOIS database, last updated 2007-05-22 19:10
> > # Enter ? for additional hints on searching ARIN's WHOIS database.
> >
> >
> >
> >
>
>
>
> --
> Cheers,
> Bryan


