Please do _only_ address replies to this email to wine-devel@winehq.org ! Remove all other recipients from To and Cc !
Work is currently underway to restore the state of the Appdb to the backup of May 22 07:00 CST.
This morning ( TZ +0200 ) someone used the account "Molle Bestefich" to vandalize the Appdb. He was also seen on IRC and on the wiki. His IP was identified on all three; logs are available. See towards the end of this mail for IRC log snippet and whois on his IP. Please contact me first if you intend to contact abuse or police personnel regarding this, so we don't cause headaches or duplicate work. We do not yet know how this person got access to Molle Bestefich's account.
I received 4454 emails about deletes or other actions by the account "Molle Bestefich". Sent between "Date: Tue, 22 May 2007 21:43:46 -0500" and "Date: Tue, 22 May 2007 22:18:55 -0500". (2 mails sent by the Appdb in that date range were legit actions.) I don't know if these are all, because admin-accounts were explicitly deleted and thus the notification to them stopped.
The following applications were mentioned in these notification emails:
Adobe Illustrator
Battlefield 1942
Battlefield 2
Battlefield 2142
Call of Duty 2
Call of Duty
Checkpoint Firewall-1 Policy editor
Command & Conquer 3: Tiberium Wars
Counter-Strike: Source
Day of Defeat: Source
Deus Ex
Diablo II
EVE Online
F.E.A.R.: First Encounter Assault Recon
Final Fantasy XI Online
Guild Wars
IDA Pro
Photoshop
S.T.A.L.K.E.R. : Shadow of Chernobyl
Soldat
Steam
Supreme Commander
The Elder Scrolls IV: Oblivion
Trillian
World of Warcraft
PunkBuster
Rune
Igowin
Age of Empires
Age of Mythology
Black & White
Brothers in Arms
Flash
FlatOut
.NET Framework
Lotus Notes

Some notifications didn't contain an application or version; here are the Message-Id-s of some examples (this is probably a bug in the Appdb code):
screen shot Message-Id: E1HqgpS-0008Ay-OM@wine.codeweavers.com
test result Message-Id: E1Hqgs7-0001iH-S7@wine.codeweavers.com
monitor Message-Id: E1HqgsD-0001mW-It@wine.codeweavers.com
bug Message-Id: E1HqhDT-0003xe-GS@wine.codeweavers.com

One message about a rejected bug link seemed like these types of messages don't contain any information:
Message-Id: E1Hqh5W-0000QE-UG@wine.codeweavers.com
On IRC from the #winehq channel:
Mai 23 05:27:14 --> noerrorsfound_ (n=nicholas@h10.66.119.64.ip.alltel.net) has joined #winehq
[unrelated stuff deleted]
Mai 23 06:21:37 --- noerrorsfound_ is now known as molle-molle-moll
Mai 23 06:21:41 <molle-molle-moll> molle molle molle
Mai 23 06:21:42 <molle-molle-moll> molle
Mai 23 06:21:51 <molle-molle-moll> molle
Mai 23 06:22:03 <molle-molle-moll> mole string
Mai 23 06:22:18 <molle-molle-moll> hello give thank
Mai 23 06:22:18 <-- Amorphous has kicked molle-molle-moll from #winehq (Amorphous)

/whois output:
[06:22:38] --- [molle-molle-moll] (n=nicholas@h10.66.119.64.ip.alltel.net) : Nicholas
[06:22:38] --- [whoismolle-molle-moll] irc.freenode.net :http://freenode.net/
[06:22:38] --- [molle-molle-moll] End of WHOIS list.

2007-05-23T06:50:15+0200 $ whois 64.119.66.10
OrgName: Windstream Communications Inc
OrgID: WINDS-6
Address: 4001 Rodney Parham Rd
City: Little Rock
StateProv: AR
PostalCode: 72212
Country: US

NetRange: 64.119.64.0 - 64.119.79.255
CIDR: 64.119.64.0/20
NetName: WINDSTREAM-COMMUNICATIONS
NetHandle: NET-64-119-64-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1-AUTH.WINDSTREAM.NET
NameServer: NS2-AUTH.WINDSTREAM.NET
NameServer: NS3-AUTH.WINDSTREAM.NET
NameServer: NS4-AUTH.WINDSTREAM.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-08-24
Updated: 2007-02-26

OrgAbuseHandle: WINDS1-ARIN
OrgAbuseName: Windstream Abuse
OrgAbusePhone: +1-888-292-3827
OrgAbuseEmail: abuse@windstream.net

OrgTechHandle: WINDS-ARIN
OrgTechName: Windstream Communications Inc
OrgTechPhone: +1-800-990-4449
OrgTechEmail: ipadmin@windstream.net

# ARIN WHOIS database, last updated 2007-05-22 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
On Wed, 2007-05-23 at 17:37 +0200, Jan Zerebecki wrote:
The following applications were mentioned in these notification emails:
Adobe Illustrator
Battlefield 1942
Battlefield 2
Battlefield 2142
Call of Duty 2
Call of Duty
Checkpoint Firewall-1 Policy editor
Command & Conquer 3: Tiberium Wars
Counter-Strike: Source
Day of Defeat: Source
Deus Ex
Diablo II
EVE Online
F.E.A.R.: First Encounter Assault Recon
Final Fantasy XI Online
Guild Wars
IDA Pro
Photoshop
S.T.A.L.K.E.R. : Shadow of Chernobyl
Soldat
Steam
Supreme Commander
The Elder Scrolls IV: Oblivion
Trillian
World of Warcraft
PunkBuster
Rune
Igowin
Age of Empires
Age of Mythology
Black & White
Brothers in Arms
Flash
FlatOut
.NET Framework
Lotus Notes
I also got an e-mail from AppDB saying that "Molle Bestefich" deleted one of my comments for iTunes.
Also, in respect to World of Warcraft (Only notify list I'm on), I saw another deleting quite a bit, as I was saying this morning in #winehq, I recorded deletions by Roop, no clue if they might actually be legit, but there was a lot deleted, so I thought I might throw that out there,
Yep, that account was created by the person who was deleting things from the appdb.
As of right now the appdb site is back online, the account we suspect was used to delete the data has been removed, the 'roop' account isn't present and most everything appears to be back, except the screenshots that we had no backup of.
I've also added a comment to the appdb main page to explain the downtime and what we plan to do to improve things. Anyone interested in hacking in php on the appdb is welcome to get in touch with me, there is plenty to hack on ;-)
Also, I'll be updating the cron script so we can remove the screenshot entries that have no corresponding screenshot file.
Chris
On 5/23/07, Bryan Haskins kingofallhearts999@gmail.com wrote:
Also, in respect to World of Warcraft (Only notify list I'm on), I saw another deleting quite a bit, as I was saying this morning in #winehq, I recorded deletions by Roop, no clue if they might actually be legit, but there was a lot deleted, so I thought I might throw that out there,
-- Cheers, Bryan
Yes, EVERYTHING from the listed apps was deleted. The AppDB sends an email for each individual thing though, for instance if an app has 2 versions, 5 sets of test data, 80 comments and 7 screenshots it will send you 94 individual emails with the info from each item that has been deleted.
For the record I have no emails containing "Roop" at all.
Bryan: Don't email the mailing list AND every single person on the list, ONLY mail the list itself.
Ben H.