Lists via Mailman-users writes:
> We are seeing thousands of these emails every day, looks like someone is trying to hack our Mailman3 but would appreciate someone with more knowledge of MM3 to confirm.
Who is "we"? Specifically, do you have something to do with the Fedora Project (Linux distribution)?
To be honest, this looks to me more like collateral damage from a web crawler than a hacking attempt. It's a real service offered by your server (unlike a lot of the bogus requests I see). More below.
> Is this a problem with our setup? i.e. the "Internal Server Error" bit, or are the hackers just sending bad data that is causing the error?
I don't think this is a Mailman message, but from Django, or perhaps the 'django_mailman3.lib.auth.fedora' application (not sure whether that's our code, despite the name it's probably calling into code we borrow from Fedora). I'll look into an upstream bug report if this isn't in our code.
> also how do we stop/block this?
- Put that URL in robots.txt to keep honest crawlers out (see analysis of example report below).
- Firewall bad bots and script kiddies. That's what I do, anyway.
- Also, if you aren't associated with the Fedora project, you might want to disable the Fedora social auth login (remove it from the installed applications in settings.py). You should be careful about that, because there's a chance some of your users depend on it.
I'm surprised at the "thousands" part. I'd have to see a sample of 10 or 20, and know something about your site, to judge whether *you* are under attack, or if it's just a bunch of low-tech crawlers and kiddies. I see up to a couple hundred a day, with most being attempts to access actual resources via the IP address rather than the domain. Over a couple of years I've banned 772 separate IP addresses (maybe a dozen are netblocks, mostly /24s, but a couple of /16s). I suppose that cuts down the number I see by quite a bit.
> Subject: [Django] ERROR (EXTERNAL IP): Internal Server Error: /mailman3/accounts/fedora/login/
>
> Internal Server Error: /mailman3/accounts/fedora/login/
>
> TypeError at /accounts/fedora/login/
> _openid_consumer() missing 2 required positional arguments: 'provider' and 'endpoint'
>
> Request URL: https://mailman.ardc.net/mailman3/accounts/fedora/login/?process=login&next=/mailman3/hyperkitty/list/44net@mailman.ampr.org/message/O5Z2YZBJZXFPH2ACAORN6BST7B2S3M3P/
This looks like somebody tried to access the "44net" mailing list archive, maybe legitimately but for some reason didn't provide credentials.
This could be script kiddies or perhaps somewhat clumsy reconnaissance to see what social auth you support (although they're usually more secure than passwords). However, REMOTE_ADDR = '157.90.177.212' resolves to 212.177.90.157.in-addr.arpa domain name pointer ninja-crawler64.webmeup.com., which looks like a legitimate but naive web crawler to me. That would explain why they hit the right address (they got the login URL from your top page, and then the provide credentials URL from the login page, and then the submit button). They were just hitting every URL they could parse.
> Traceback:
Nothing unexpected there, or in the rest of the diagnostic information.
Steve
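As an added example, not code from this thread or from Mailman or Django: a small Python triage script that reads a batch of these Django error-report e-mails (a constructed sample using documentation IP ranges is embedded), counts them per source address and per request path so you can tell one noisy crawler from a spread-out attack, and emits the robots.txt Disallow lines Steve suggests. The report layout it parses (Subject, Request URL, REMOTE_ADDR) follows the report quoted above; the 50% "single source" threshold and all function names are my assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in the shape of the Django error reports quoted in the
# thread. Hostnames and IPs are hypothetical (RFC 5737 documentation ranges).
SAMPLE_REPORTS = """\
Subject: [Django] ERROR (EXTERNAL IP): Internal Server Error: /mailman3/accounts/fedora/login/
Request URL: https://lists.example.org/mailman3/accounts/fedora/login/?process=login&next=/mailman3/hyperkitty/list/a@example.org/message/AAA/
REMOTE_ADDR = '203.0.113.10'
Subject: [Django] ERROR (EXTERNAL IP): Internal Server Error: /mailman3/accounts/fedora/login/
Request URL: https://lists.example.org/mailman3/accounts/fedora/login/?process=login&next=/mailman3/hyperkitty/list/b@example.org/message/BBB/
REMOTE_ADDR = '203.0.113.10'
Subject: [Django] ERROR (EXTERNAL IP): Internal Server Error: /mailman3/accounts/fedora/login/
Request URL: https://lists.example.org/mailman3/accounts/fedora/login/?process=login
REMOTE_ADDR = '198.51.100.7'
"""

URL_RE = re.compile(r"Request URL: (\S+)")
ADDR_RE = re.compile(r"REMOTE_ADDR = '([0-9a-fA-F.:]+)'")

def parse_reports(text):
    """Split the mailbox text on Subject: lines; return (ip, path) per report."""
    pairs = []
    for chunk in re.split(r"(?m)^Subject: ", text)[1:]:
        url, ip = URL_RE.search(chunk), ADDR_RE.search(chunk)
        if url and ip:  # skip reports missing either field
            pairs.append((ip.group(1), urlsplit(url.group(1)).path))
    return pairs

def summarize(pairs):
    """Count reports per source IP and per request path (query string dropped)."""
    return Counter(ip for ip, _ in pairs), Counter(path for _, path in pairs)

def robots_disallow(path_counts):
    """robots.txt lines for the error-producing paths; only honest crawlers obey."""
    return "\n".join(["User-agent: *"] +
                     [f"Disallow: {p}" for p in sorted(path_counts)])

def triage(text, single_source_threshold=0.5):
    """Does one address account for most of the noise, or is it spread out?"""
    pairs = parse_reports(text)
    if not pairs:
        return {"total": 0, "verdict": "no reports", "robots": ""}
    by_ip, by_path = summarize(pairs)
    top_ip, top_n = by_ip.most_common(1)[0]
    share = top_n / len(pairs)
    verdict = "single source" if share >= single_source_threshold else "spread out"
    return {"total": len(pairs), "top_ip": top_ip, "top_share": share,
            "verdict": verdict, "robots": robots_disallow(by_path)}

if __name__ == "__main__":
    result = triage(SAMPLE_REPORTS)
    print(f"{result['total']} reports, top source {result['top_ip']} "
          f"({result['top_share']:.0%}): {result['verdict']}\n{result['robots']}")
```

Feed it a mailbox of the real reports (one "Subject:" per message) to get the per-IP breakdown Steve asks for before deciding between robots.txt and a firewall rule.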