Debian announced early on January 4th that they found some suspicious IPs in their Apache logs.
“The Debian Security Team recently issued Debian Security Announcement
2593-1 [1] regarding the ‘moin’ package [2] and a remote arbitrary
code execution vulnerability in the twikidraw / anywikidraw
components. Debian’s wiki [3] is implemented using ‘moin’ and includes
support for the twikidraw component.”
A quick review of the apache2 log files for wiki.debian.org disclose that this vulnerability was exploited with success. Now, wiki.debian.org has been moved to a new host utilizing the patched package. The team is in the process of an audit of the old server to determine the damage. “At this time, we have no evidence to indicate that the intrusion was particularly successful (logs have not been altered; root escalation has not been detected)”
All existing wiki account holders will require to follow the password recovery process in order to regain access to their accounts.
