A note from immewnity

October 28, 2024

Hello,

Between October 17 and October 20, the PidgiNet server was compromised by an unknown actor. This attack was noticed on October 26 while completing software upgrades, and I believe I have removed all malicious content as of October 28 (primarily by wiping and restoring from backups).

What (probably) happened

As the attacker wiped system logs, I unfortunately don't have a full picture of what happened, but it appears the compromise occurred due to a vulnerability in a WordPress plugin (the PidgiNet server hosts a few smaller projects like Judge Ball which run on WordPress). A bunch of garbage files were then dumped across the server.

What (probably) didn't happen

Based on the files that were dropped, it does not appear that this attacker was looking to exfiltrate data, but to promote casino/crypto scams. No data was lost, and I have not found any evidence that the database was accessed. Images on PidgiWiki and the PidgiWiki Patreon are completely separate from the website and therefore were unaffected.

What has been done so far

Other than wiping malicious content and restoring from backups, I have hardened the permissions on all hosted sites to hopefully prevent this from occurring again. I have also run various security scans, which have all come back clean so far.
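As an added illustration of the permission hardening described above (constructed example, not the PidgiNet configuration): a POSIX shell pass over a WordPress document root that leaves nothing world-writable and nothing writable by the web server outside the upload tree, plus two checks for what a dropped-file compromise usually leaves behind. The deploy user and web server group are passed in as parameters; the default names are assumptions.

```shell
#!/bin/sh
# Constructed example: harden a WordPress document root so the web server
# account cannot write PHP anywhere except where uploads must live.
# $2 = deploy user, $3 = web server group (defaults are assumptions).
harden_wp() {
  root="$1"; owner="${2:-deploy}"; webgroup="${3:-www-data}"
  [ -d "$root" ] || return 1
  # Files belong to the deploy user; the web server only needs group read.
  chown -R "$owner:$webgroup" "$root"
  # Directories 755, regular files 644: no world-write, no group-write.
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  # wp-config.php holds database credentials: no world access at all.
  if [ -f "$root/wp-config.php" ]; then
    chmod 640 "$root/wp-config.php"
  fi
  # Uploads must stay writable by the web server (group write) and nothing
  # else; PHP execution in this tree should be refused at the web server.
  if [ -d "$root/wp-content/uploads" ]; then
    chmod -R g+w "$root/wp-content/uploads"
  fi
  return 0
}

# WordPress never stores PHP under uploads, so any hit is a candidate
# dropped file that deserves a look before the site is declared clean.
find_stray_php() {
  find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null
}

# Anything still world-writable after the pass is a leftover misconfiguration.
find_world_writable() {
  find "$1" -type f -perm -002 2>/dev/null
}
```

Run the two report functions again after any restore from backup, since a backup taken after the intrusion can carry the dropped files back with it.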

What's next

I am keeping a close eye on the server for any malicious activity, and am looking at additional ways to further lock down permissions on the server. I'm also looking into free/low-cost "offsite" log aggregators, to ensure logs cannot get fully removed.

What should you do?

Even though I have not found evidence of user information being accessed, the following are good steps to take:

Final notes

I sincerely apologize for any issues that may arise from this incident. PidgiWiki was created when I was in middle school, and while the site is in a much more secure state than it was back when I was 13 years old, there were obviously still some misconfigurations. We are in a time of heavy cyberattacks, with even the Internet Archive getting breached this past month, and we were no exception. Again, my sincere apologies.

Sincerely,

immewnity