Wiki My World (Part 2): The Reckoning

As with all web based software, it’s important to pay attention to security.  In writing the previous article, “Wiki My World“, I casually installed MediaWiki with the idealistic fantasy that anyone with relevant technical information could and would contribute freely as they saw fit.  What I received in return was a big headache and a battle with my hosting company.  Because MediaWiki is a well known and open platform, it’s mercilessly targeted by hackers, spammers, and bots.  My installation was no different.

My current hosting provider offers Softaculous, an easy application manager for web based software.  Softaculous allows me to install, backup, remove, and update all of the commercial software across all of my sites in one easy to use portal. I used Softaculous to install MediaWiki quickly so I could get started writing.  No fuss, no muss…. right?  Wrong.

The Softaculous install of MediaWiki replaces the software’s native installer.  MediaWiki’s installer allows you to add common extensions, configure default settings, set permissions before launching the wiki. Softaculous doesn’t provide these options and leaves it up to the user to configure these options after install.  This wouldn’t be an issue for someone experienced with the software.  I, on the other hand, was trying this out for the first time and wasn’t aware or the options left unconfigured.

About a week after writing the original article, I noticed the load time increasing for all of my websites; over 10 seconds rather than under 2 seconds.  A few days later, my sites were taking 30-60 seconds to load and my wiki home page had been flooded with spam content.  Links appeared for anything from fashion sites to advertisements to adult sites.  The number of pages had increased from 20 to 20,000 and the number of users had increased from 1 to 15K.  Traffic stats showed my wiki getting pummeled from China.  As much as I’d love to believe I’m an international sensation, all signs pointed to hacking.

Statistics for kb.davidwaynebaxter.com  2014 05    main

Initially, I tried to manually remove the spam through the MediaWiki interface.  I installed several extensions to help with the cleanup such as Nuke and BlockAndNuke.  It took some time, but I was able to get the front page looking like it should… Despite my best efforts, I had no clue what damage had been done behind the scenes.  Because MediaWiki keeps a history of all page revisions, any change was purely superficial changes.  Without getting into the database and explicitly removing the content and history, this was a futile effort.  Shortly after starting my cleanup, I received a notice from my hosting company regarding the rapid increase in traffic usage and the MySQL database that had exploded virtually overnight.  The database had grown from a few megabytes, to over 2 gigabytes in a matter of days.  They shut down the wiki site and threatened to suspend my account if immediate action wasn’t taken to prevent “an abuse of resources”.  The malicious activity had gotten so bad it threatened the integrity of the physical server.  Not good.

Manually expelling the malicious content wasn’t going to happen without significant effort, so it was time to pull the plug on this experiment.  I pulled down a copy of the database and deleted the site from my host.  The traffic died and the rest of my sites returned to normal almost instantly.  Clearly, I had skipped over a critical configuration, missed a plugin, or forgotten something.  And that simple oversight nearly killed a server.

How to  Prevent This from Happening to You!!

If your hosting provider uses a software manager like Softaculous, I highly recommend forcing the software’s native installer immediately after install.

  1. Install MediaWiki manually or using application manager (i.e. Softaculous)  This will get the files in place, create the database and user, and so on.
  2. If one exists, delete the LocalSettings.php file from the root of the MediaWiki folder. (The MediaWiki installer will create a new file with the settings we need.)
  3. Next, navigate to the following URL to begin the MediaWiki install wizard:
    http://[domain]/[directory]/mw-config/index.php
  4. Complete the first few steps to connect MediaWiki to your database and set the basic details of your site.
  5. Once the basic installation steps are complete, make sure to click “Regenerate LocalSettings.php”.
    MediaWiki 1.22.7 installation 3
  6. Complete the wizard as instructed until you reach the ‘Options” page.
  7. On the “Options” page, pay particular attention to the “User rights profile”section.  This section will set the default permissions for your wiki.
    *** IMPORTANT ***
    I highly recommend setting this to “Authorized editors only” or “Private wiki“.  This will keep the riffraff at bay while allowing you to add content without significant risk of it being replaced or changed unknowingly.  Choosing “Open wiki” or “Account creation required, provides no protection against spammers.  If you choose one of these options, please read “Combating Spam” and Combating Vandalism” to protect yourself and your content from malicious attack.  It’s always best to start more secure in the beginning and ease up on security as needed.  These settings can always be changed in the future.
    MediaWiki 1.22.7 installation User Rights
  8. At the bottom of this page are Extensions that will be helpful in combating spam and vandalism should it get past the authorization barrier.  I’ve highlighted the Extensions useful in preventing and/or cleaning up spam.

    MediaWiki 1.22.7 installation Extensions
    *** Note: Some of these extensions, like ConfirmEdit, require additional setup before they are effective.  Please consult the MediaWiki Extensions page to make sure you’re taking appropriate steps to configure each extension.
  9. Complete the wizard and copy the new LocalSettings.php file to the root of your wiki site.

If you have an existing installation of MediaWiki that hasn’t been hit yet, it is still possible to lock down your site.  Please read “Combating Spam” and “Combating Vandalism” for ways to lock down your site.  In my case, the damage was done and repair took much longer than starting over.

Because I pulled a copy of the database locally before I nuked the site, I was able to restore it to a local MySQL instance, install Mediawiki on my local web server and view my content.  MediaWiki has a build in import/export process which helped me move my content easily and quickly.  I left the revision history out of the export to both minimize size and to make sure I didn’t bring over any of the junk from the spammers.   A quick spot check and a cleaner logo and I’m up and running once again.

Lessons Learned

This is probably not the extent of the lockdown, but it’s enough to get me up and running without worrying too much about the site being pumped full of junk while I sleep.  I certainly know better than to allow Softaculous to install MediaWiki (and most other software) without first reviewing it’s security and recommended configuration.  I’m sure there are ways to have a wiki with a slightly more lax security policy and still keep the spammers at bay.   Considering this is a utility site that will primarily be used by one user, it’s not feasible for me to invest anymore time than I have on this venture.  I hope this experience can save someone else the headache and hassle I’ve had to endure from the hacking of my wiki site.

Thanks for reading!

Leave a Reply

Your email address will not be published. Required fields are marked *