Talk:Users insert virus source code into Wikipedia pages


OR


Unless I can get the revision history of the users to blame, I don't have links to them. The administrator e-mailed me after I e-mailed him for questions. Here is the correspondence as follows, beginning with my sending of questions.

Quote

Hello I am user DragonFire1024 on Wikinews. Was wondering if you could answer some questions about the virus on WP for a possible article.

What or who caused it? What was its purpose? Could other users/computers get the virus? What harm did it cause? When did this happen and how long was this happening before someone noticed it? How was it removed and who had to do it? Was any other Wiki affected other than Wikipedia?

And any kind of statement you could give would be great.

I am not a techie, so please bear with me :-)

Jason Safoutin


Here is the reply from the administrator:

Quote

I'll do my best to answer as much as I can...

Yesterday I stumbled onto a troublemaker (or two) when I went to the Wikipedia sandbox. What I found was that User:MODX and User:71.40.157.158 were leaving text on various Wikipedia pages, including the sandbox, that would somehow (beyond my technical knowledge) load viruses onto a computer viewing the page. My antiviral program, luckily, seems to have protected me from the issue: McAfee Antivirus ID'd the executable files as:

Generic@MM Virus
LoveLetter@MM Virus

I was able to block the accounts and revert the additions to several pages. I went further and deleted the contributions of these editors where I could in the hopes of preventing follow-up attacks, copycat actions, and random editors stumbling into viral traps whilst walking through a page history. This went perfectly fine until I bit off waaay more than I (or the Wikipedia servers) could chew when I foolishly attempted to do the same to the sandbox, which has an extensive revision history. My action caused the site to come to a screeching halt for half an hour and filled my page with WP:TROUT wikitrout. :) Here's the current ANI thread that I started upon realizing the magnitude of my error: http://en.wikipedia.org/wiki/Wikipedia:Administrators%27_noticeboard/Incidents#Apologies_everyone...

The site developers have now instituted a fix or two that should help prevent future massive deletion problems like what I caused. See for more: http://en.wikipedia.org/wiki/Wikipedia:Village_Pump_%28technical%29#Deletion_restrictions_for_pages_with_long_histories

To end what I know of this story, I was advised that oversight was a better option for removing contributions on huge pages and, as such, contacted the oversight mailing list to request the complete deletion of all contributions by these users. The request was processed by User:Fred Bauder. He wrote to me in a response email: "I have a Mac so successfully viewed and oversighted. They do nothing to me, but look nasty, whatever they are." [I'm sure Fred won't mind that I shared this bit of pretty non-sensitive information, but please do okay with him any use of his ID or text in any sort of writeup you may do. Thanks.]

That's all I got...hope it helps. Please do your best to play it safe on the details to avoid giving others nasty ideas, if possible.

Cheers, User:Scientizzle
DragonFire1024 (Talk to the Dragon) 23:21, 18 January 2008 (UTC)Reply
Regarding the contribution history, there's nothing there, only accessible by Oversight users. Thunderhead - (talk - email - contributions) 01:03, 19 January 2008 (UTC)Reply

Sources


The links to WP in the sources should be to permanent revisions rather than the current page otherwise they won't work once the pages have been archived. Adambro 23:32, 18 January 2008 (UTC)Reply

Hmmm...could you do that for me? I am not sure if I know how to do that on WP necessarily. DragonFire1024 (Talk to the Dragon) 23:35, 18 January 2008 (UTC)Reply
Okay, fair enough, it's done. Adambro 23:40, 18 January 2008 (UTC)Reply

Name


I am waiting on the user to e-mail me his real name :) Not sure if it's required, but looks better. DragonFire1024 (Talk to the Dragon) 23:37, 18 January 2008 (UTC)Reply

Image:LoveLetter virus e-mail screenshot.gif


This image may be freely licensed on Flickr but is not correct as the image contains copyrighted elements, namely the Microsoft Windows interface. I'm currently considering the correct course of action but whatever happens this won't last long on Commons and should probably be uploaded locally with an appropriate fair use rationale as per {{screenshot}}. Some more info is at Category:Screen shots. Regards. Adambro 00:24, 19 January 2008 (UTC)Reply

Hmmm...Well I don't know what else to say really...it's a private e-mail to him. So he can reveal it. The Windows icons or whatever can be cropped. DragonFire1024 (Talk to the Dragon) 01:06, 19 January 2008 (UTC)Reply
Image has been cropped. DragonFire1024 (Talk to the Dragon) 01:10, 19 January 2008 (UTC)Reply
I've moved it to local upload as the Flickr user didn't create it so he doesn't really own the copyright. (I think) Bawolff 07:20, 19 January 2008 (UTC)Reply

Disseminating the IP address


How confident are you that Scientizzle got the IP exactly right? There is no edit history (obviously as the whole thing is about removing those edits). But it seems that there is some chance that it is a dynamic IP from Road Runner. Wouldn't it suffice to say "anon user" instead of listing the IP? I don't see how it benefits the reader to know the exact IP, it seems irrelevant. --SVTCobra 02:01, 19 January 2008 (UTC)Reply

Sure. Given the circumstances in this case, I agree. DragonFire1024 (Talk to the Dragon) 02:08, 19 January 2008 (UTC)Reply
All the edits were oversighted, I believe. Thunderhead - (talk - email - contributions) 03:19, 19 January 2008 (UTC)Reply

Paragraph about the worm (near the end)


I am a little concerned about the information, which seems to be from ILOVEYOU:Effects. This part of the Wikipedia article cites no sources or references for their $ amounts in the cleanup/damages. I am not sure that Wikipedia is a reliable source, when there are no citations. --SVTCobra 02:48, 19 January 2008 (UTC)Reply

  Done DragonFire1024 (Talk to the Dragon) 03:02, 19 January 2008 (UTC)Reply

this does not make sense. how did an anon insert vbscript into the sandbox?


Although I am not familiar with the circumstances, if an anon managed to do what this article says he did (although it is a little short on details), this would be a fairly bad vulnerability in MediaWiki. (see w:XSS). Only admins should be able to insert VBScript into Wikipedia (in a page in MediaWiki ns where HTML is not escaped); ordinary users should not. Or is this article saying something other than I think it is? Bawolff 03:01, 19 January 2008 (UTC)Reply

Will a script like this actually insert a virus in somebody's system without warning? Does this depend on what browser the user is using? Dtobias 03:05, 19 January 2008 (UTC)Reply
Scripts like these aren't supposed to. If there is a vulnerability in the scripting language then it's possible. This only affects Internet Explorer as it is the only browser to support VBScript (however there have been incidents in the past with other scripting languages, I assume). I'm not sure exactly what the circumstances of this whole thing are so take what I say with a grain of salt. Bawolff 03:08, 19 January 2008 (UTC)Reply
Note this was just the source code. The script wasn't included in a way that would activate it. Bawolff 04:32, 19 January 2008 (UTC)Reply
Honestly this "news report" is a complete joke. All that happened was a user copy-pasted the code to an 8-year-old virus into the wikitext of the sandbox -- it's completely impossible to make code execute by embedding it into wikitext, for obvious reasons. Not even the most insecure user was even close to having any harmful code being run on their machine; this was basically a complete non-event. Krimpet 07:00, 19 January 2008 (UTC)Reply
I agree with Krimpet. The only news-worthy aspect of this was that the site was un-editable for a few minutes. --MZMcBride 07:10, 19 January 2008 (UTC)Reply
I'd agree with that, the point about the problems that were encountered when trying to remove this nonsense is the real interesting element of the story. Adambro 14:17, 19 January 2008 (UTC)Reply
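An added illustration of the point made in this thread (not part of any comment above, and not MediaWiki's code): script source that is entity-encoded on output is displayed as text, while the same source concatenated as markup lands in a context the browser would execute. All function names and the sample string are hypothetical and constructed for the example.

```javascript
// Added illustration; not MediaWiki's sanitizer. All names here are hypothetical.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Hardened path: user text is treated as data and entity-encoded before output.
function renderEscaped(userText) {
  return "<p>" + userText.replace(/[&<>"']/g, (c) => ESCAPES[c]) + "</p>";
}

// Vulnerable path, for contrast: user text is concatenated into the page as markup.
function renderRaw(userText) {
  return "<p>" + userText + "</p>";
}

// Coarse check for contexts in which a browser would run script:
// a <script> element, an inline on* event handler, or a script-scheme URL in an attribute.
function activeScriptContexts(html) {
  const findings = [];
  if (/<script[\s>]/i.test(html)) findings.push("script-element");
  if (/<[a-z][^>]*\son[a-z]+\s*=/i.test(html)) findings.push("event-handler");
  if (/<[a-z][^>]*=\s*["']?\s*(?:javascript|vbscript):/i.test(html)) findings.push("script-url");
  return findings;
}

// Constructed, harmless sample standing in for pasted script source.
const SAMPLE = '<script language="VBScript">MsgBox "constructed sample"</script>';

// Compare both render paths for the same input.
function compare(userText) {
  return {
    raw: activeScriptContexts(renderRaw(userText)),
    escaped: activeScriptContexts(renderEscaped(userText)),
  };
}

console.log(compare(SAMPLE));
console.log(renderEscaped(SAMPLE));
```

The check is a regular-expression heuristic for demonstration; a production review would parse the rendered HTML rather than pattern-match it.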

VBScript


Got that from some folks in the Wikipedia IRC CannNEL and bawolff. DragonFire1024 (Talk to the Dragon) 03:23, 19 January 2008 (UTC)Reply

By the way, I got vbscript from the article, so I can't really be used as a source. Bawolff 03:27, 19 January 2008 (UTC)Reply

Source


I don't want this to be too public:

While considering it's a blank page and all.... Bawolff 04:23, 19 January 2008 (UTC)Reply
Scroll down. DragonFire1024 (Talk to the Dragon) 04:32, 19 January 2008 (UTC)Reply
That's fairly complete proof that they didn't do anything that caused harm. (for that code to work, it would need to be inside certain tags on a webpage, and probably not executed in a web context (i.e. executed locally)) Bawolff 07:14, 19 January 2008 (UTC)Reply

not a real threat


Partly based on the conversation I had on IRC:

	<bawolff>	I recently read an article about there being a vbscript virus in en wikipedia sandbox. inserted by an anon, but the article is really low on details. I was wondering if you folks know anything about it (was real vbscript inserted, was it a link to a vbscript virus, was it just the source with no real threat?, is the report inaccurate)
	<lucasbfr>	bawolff: someone pasted the vbcode
	<Splarka>	http://en.wikipedia.org/wiki/Wikipedia:Sandbox/Archive?oldid=184831888&action=edit
	<Splarka>	someone needs to oversight that
	<lucasbfr>	but no threat
	<bawolff>	So it was just the source code, it wasn't in <script> tags or anything?
	<lucasbfr>	not that I recall
	<lucasbfr>	that's the link Splarka pasted
	<Splarka>	the newsworthy aspect is that it made an admin try to delete the sandbox, causing enwp backends to lock up for 15-30 minutes
	<Splarka>	and causing a quick patch in of a new rights group 'bigdelete' (not assigned on enwp) restricting deletions to articles with fewer than 5000 revisions
	<Splarka>	hilarity did ensue
	<bawolff>	ok thanks
	<Splarka>	wikinews gonna report on it?
	<bawolff>	Do you mind if we use the information you just gave me in the wikinews article on it
	<Splarka>	no prob, but it is not authoritative (not my vague understanding of the server-side problems anyway), it is based on watching the sysops and devs yell at each other for an hour ^_^
	<Splarka>	I can say: the delete failed (as the sandbox apparently has a few hundred thousand revisions), but while it was being processed editing was disabled on the english wikipedia for about a half hour

Also the fact that if the script really got inserted that would be a major security vulnerability, and I assume people would be talking about that more than the fact it made 'pedia busy for half an hour. Bawolff 04:31, 19 January 2008 (UTC)Reply

Trout


With the mention of wikitrout, I'd categorise this more as Wackynews than anything serious.

I immediately assumed it was code trying to display in the browser and an overzealous antivirus program trying to justify its annual subscription. --Brian McNeil / talk 09:53, 19 January 2008 (UTC)Reply

Why preserve the sandbox history?


The sandbox is intended for only short-term use, so why doesn't the system regularly delete its entire revision history, preventing delays if it needs to be scrubbed? After all, when every new toy computer program is designed to allow new methods of inserting remote code into your system, there will eventually be a time when simply looking at a viral text code will put your hard drive so deep into a botnet it would take a sledgehammer to clean the virus out of it. 70.15.116.59 20:50, 19 January 2008 (UTC)Reply

If simply looking at viral code infects your computer, you need a different operating system. Bawolff 22:30, 19 January 2008 (UTC)Reply
To look at the code the computer downloads and processes it. Barts1a (talk) 22:38, 6 December 2010 (UTC)Reply

A Wikipedia page link downloaded me a virus that locked my PC. How on earth do you get the link removed?? I am not really techie, so don't dare go back on to the page. It was the one that linked to all Hindu temples in the UK.
