Matrix.org hacked? #9435

Closed
jnvsor opened this issue Apr 12, 2019 · 7 comments

@jnvsor

commented Apr 12, 2019

Description

I haven't been able to connect for a few days

Can't connect to homeserver - please check your connectivity, ensure your homeserver's SSL certificate is trusted, and that a browser extension is not blocking requests.

matrix.org is being served with a github cert, and the contents are:

Time for actual transparency.

Linux ares.matrix.org 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64 GNU/Linux
Linux hera.matrix.org 4.9.0-7-amd64 #1 SMP Debian 4.9.110-3+deb9u2 (2018-08-13) x86_64 GNU/Linux
Linux themis.matrix.org 3.16.0-5-amd64 #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08) x86_64 GNU/Linux
Linux hebe 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u4 (2018-08-21) x86_64 GNU/Linux
Linux nyx.matrix.org 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u2 (2018-02-21) x86_64 GNU/Linux
Linux hermes.matrix.org 3.16.0-4-amd64 #1 SMP Debian 3.16.51-2 (2017-12-03) x86_64 GNU/Linux
Linux aphrodite.matrix.org 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64 GNU/Linux
Linux pheme.matrix.org 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2+deb8u2 (2017-06-26) x86_64 GNU/Linux
Linux homonoia.matrix.org 3.16.0-4-amd64 #1 SMP Debian 3.16.39-1+deb8u2 (2017-03-07) x86_64 GNU/Linux
Linux hephaestus.matrix.org 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2+deb8u3 (2017-08-15) x86_64 GNU/Linux
Linux clio.matrix.org 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u6 (2018-10-08) x86_64 GNU/Linux
Linux juventas.matrix.org 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u5 (2018-09-30) x86_64 GNU/Linux
Linux iris.matrix.org 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u6 (2018-10-08) x86_64 GNU/Linux
Linux hypnos.matrix.org 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u6 (2018-10-08) x86_64 GNU/Linux
Linux demeter.matrix.org 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u3 (2018-08-19) x86_64 GNU/Linux
Linux phobos.matrix.org 4.9.0-8-amd64 #1 SMP Debian 4.9.110-3+deb9u3 (2018-08-19) x86_64 GNU/Linux
Linux eris.matrix.org 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64 GNU/Linux

root@hebe:/var/lib/postgresql# df -h
df -h
Filesystem                            Size  Used Avail Use% Mounted on
udev                                   63G     0   63G   0% /dev
tmpfs                                  13G   67M   13G   1% /run
/dev/vda1                             505G  7.6G  492G   2% /
tmpfs                                  63G   28K   63G   1% /dev/shm
tmpfs                                 5.0M     0  5.0M   0% /run/lock
tmpfs                                  63G     0   63G   0% /sys/fs/cgroup
/dev/mapper/data--group-data--volume  9.5T  6.7T  2.4T  74% /mnt/data
tmpfs                                  13G     0   13G   0% /run/user/0
tmpfs                                  13G     0   13G   0% /run/user/1002

$ cat users.txt | grep arathorn | head -n1
@arathorn:matrix.org|$2a$12$u1ual.yp7rnSjXRgwZ5ZIOxa0D9txCT64i3Y/jmbtgQ6ByxVr59zu
$ wc -l users.txt
5493973

See you soon.

Did someone hijack your domain?

jnvsor added the bug label Apr 12, 2019

@kakirastern


commented Apr 12, 2019

I have encountered the same problem myself...

It says Request failed: not found (404) for the App version.

turt2live added the security label Apr 12, 2019

@jnvsor

Author

commented Apr 12, 2019

Looks like haveibeenpwned is getting 5.5m new entries @troyhunt

@serhack


commented Apr 12, 2019

Update: the website is being hosted on a GitHub repo

https://github.com/matrixnotorg/matrixnotorg.github.io

@anonymousghoul


commented Apr 12, 2019

I'll just leave this here.

;; QUESTION SECTION:
;matrix.org.			IN	A

;; ANSWER SECTION:
matrix.org.		505	IN	A	185.199.108.153
matrix.org.		505	IN	A	185.199.110.153
matrix.org.		505	IN	A	185.199.111.153
matrix.org.		505	IN	A	185.199.109.153

@lampholder

Member

commented Apr 12, 2019

Hi all,

Thanks for the report - the team is aware and investigating.

@ara4n

Member

commented Apr 12, 2019

This was a DNS defacement due to failing to rotate our master cloudflare API key, which was compromised in the earlier attack. The new production infra itself appears to be secure.
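
A defender-side check for the kind of record change shown in the dig output earlier in the thread and explained in the comment above, as an added example that is not part of the original thread: it parses dig-style answer lines and flags A records that fall outside an allowed baseline. The baseline network (192.0.2.0/24, a documentation range used as a placeholder), the function names and the sample text are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample in dig's output format, using the records quoted in the thread.
SAMPLE_ANSWER = """\
;; QUESTION SECTION:
;matrix.org.            IN  A

;; ANSWER SECTION:
matrix.org.     505 IN  A   185.199.108.153
matrix.org.     505 IN  A   185.199.110.153
matrix.org.     505 IN  A   185.199.111.153
matrix.org.     505 IN  A   185.199.109.153
"""

# Assumption: the networks each monitored name is allowed to resolve into.
# 192.0.2.0/24 is a documentation placeholder, not matrix.org's real hosting.
ALLOWED = {"matrix.org.": [ipaddress.ip_network("192.0.2.0/24")]}


def parse_a_records(text):
    """Return {owner name: set of IPv4Address} from dig-style answer lines."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip comments, the question line and anything that is not
        # "name ttl class type rdata".
        if len(fields) != 5 or line.lstrip().startswith(";"):
            continue
        name, _ttl, rclass, rtype, rdata = fields
        if rclass != "IN" or rtype != "A":
            continue
        try:
            addr = ipaddress.IPv4Address(rdata)
        except ValueError:
            continue  # malformed rdata: ignore rather than crash the monitor
        records.setdefault(name.lower(), set()).add(addr)
    return records


def out_of_baseline(observed, allowed):
    """Return {name: [addresses]} for A records outside the allowed networks."""
    findings = {}
    for name, addrs in observed.items():
        nets = allowed.get(name)
        if nets is None:
            continue  # name is not monitored
        bad = sorted(a for a in addrs if not any(a in n for n in nets))
        if bad:
            findings[name] = [str(a) for a in bad]
    return findings
```

Run on a schedule from a vantage point outside the DNS provider, an alert from this check shows a record change within one polling interval, whichever credential made it.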

ara4n closed this Apr 12, 2019

@ara4n

Member

commented Apr 12, 2019

https://matrix.org/blog/2019/04/11/security-incident/ has more details on this, fwiw.
