Background: A few hours ago, while doing a routine Google search for my domain to check if I had inadvertently exposed any details online, I stumbled upon an unexpected mention of my git domain. Intrigued and alarmed, I dug deeper and discovered that an unknown user had created an account on my Gitea server.

Update: maybe not hacked, take with a pinch of salt; registrations were open with e-mail verification, but my password didn't work.

The Hack (simple account creation):

  • User Creation: The user, named 'O', somehow managed to activate their account in late April as if I had approved it myself. (They just verified their e-mail address.)
  • Repository Upload: This user uploaded a massive 4.3 GB repository with a lot of update history. It was allegedly forked from https://gitea.lolumi.com/O/O (this was last updated 2 hours ago)
  • Password Tampering: I also found that my admin password had been changed, forcing me to reset it to log in and delete the user/repo. (Idk if it was changed, it didn't work)
On further inspection, I traced back a network of repositories all linked to this mysterious user 'O', hosted across different domains like https://git.pack.house/O/O and https://dagshub.com/O/O. Each repository is similarly structured under /O/O, and I can't for the life of me figure out why or how this user appeared in my system (seems it's just a matter of registering with the open access I didn't close). Storage network? Botnet? Full server & gitea user takeover?

Security Measures:

  • After resetting my password, I deleted the unauthorized user and the large repository.
  • I did a reverse lookup on the email address oooooooooooooooo@eclipso.email used by 'O', which suggested this wasn't their first rodeo—there seems to be a pattern of hopping onto many domains with similar setups. I encourage you to google it yourself.

Moving Forward:

  • I've contacted a few other site owners who might be affected based on my findings.
  • I'm considering purging my Forgejo instance. I don't use it much, and it seems to have been compromised.
Has anyone here experienced something similar? Any advice on further preventive measures would be greatly appreciated. I'm especially curious about any insights into stopping such sophisticated intrusions at the server level.
Thanks for any help or insights you can offer!

edit: My repository was in a list such as this one where they post all the repositories they have forked onto open access gitea instances: https://repos.itabas.com/O/O/commit/22dcc8bd6702fda980134df7c55962eea01e4156

Conclusion: don't allow people to register if you don't want strange people to register. Also enable e-mail notifications and stuff for events if possible.
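The OP's conclusion (close registration, turn on notifications) and the later advice in the thread about not exposing the listener to the whole internet map onto a handful of `app.ini` keys. The script below is an added example, not Gitea's or Forgejo's own tooling: it audits an `app.ini` for the settings that let a stranger self-register or browse, and rewrites them. The key names (`[service] DISABLE_REGISTRATION`, `REGISTER_MANUAL_CONFIRM`, `REQUIRE_SIGNIN_VIEW`, `ENABLE_NOTIFY_MAIL`, `[server] HTTP_ADDR`) are real `app.ini` keys; the two configs are constructed samples, and `harden()` assumes a reverse proxy on the same host, which is why it binds HTTP to 127.0.0.1.

```python
"""Audit and harden the app.ini settings that let strangers onto a Gitea/Forgejo instance.

Added example, not the project's own tooling. Key names are real app.ini keys;
the sample configs are constructed. harden() assumes a reverse proxy on the same
host (HTTP_ADDR = 127.0.0.1); adjust for containers or a remote proxy.
"""
import configparser
import io

# app.ini has keys (APP_NAME, RUN_MODE, ...) before the first [section];
# configparser refuses that, so we prepend a synthetic header and strip it on write.
ROOT = "__root__"

# Values that close the holes discussed in the thread.
HARDENED = {
    ("service", "DISABLE_REGISTRATION"): "true",    # no self-service sign-up at all
    ("service", "REGISTER_MANUAL_CONFIRM"): "true", # belt and braces: admin must approve
    ("service", "REQUIRE_SIGNIN_VIEW"): "true",     # no anonymous browsing / crawling
    ("service", "ENABLE_NOTIFY_MAIL"): "true",      # needs [mailer] ENABLED = true to work
    ("server", "HTTP_ADDR"): "127.0.0.1",           # assumption: reverse proxy on this host
}


def _load(ini_text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str  # app.ini keys are case-sensitive upper case
    cp.read_string(f"[{ROOT}]\n" + ini_text)
    return cp


def _flag(cp: configparser.ConfigParser, section: str, key: str, default: str = "false") -> str:
    # Missing key or missing section both fall back to Gitea's documented default.
    return cp.get(section, key, fallback=default).strip().lower()


def audit(ini_text: str) -> list[str]:
    """Return one finding per setting that leaves the instance open to strangers."""
    cp = _load(ini_text)
    findings = []
    if _flag(cp, "service", "DISABLE_REGISTRATION") != "true" and \
            _flag(cp, "service", "REGISTER_MANUAL_CONFIRM") != "true":
        findings.append(
            "[service] DISABLE_REGISTRATION=false and REGISTER_MANUAL_CONFIRM=false: "
            "anyone reaching /user/sign_up gets an account; REGISTER_EMAIL_CONFIRM only "
            "proves they own a mailbox, it is not approval"
        )
    if _flag(cp, "service", "REQUIRE_SIGNIN_VIEW") != "true":
        findings.append("[service] REQUIRE_SIGNIN_VIEW=false: repositories are visible to anyone, "
                        "including search-engine crawlers")
    if _flag(cp, "service", "ENABLE_NOTIFY_MAIL") != "true":
        findings.append("[service] ENABLE_NOTIFY_MAIL=false: no e-mail when activity appears")
    addr = _flag(cp, "server", "HTTP_ADDR", default="0.0.0.0")
    if addr in ("0.0.0.0", "::", "[::]", ""):
        findings.append(f"[server] HTTP_ADDR={addr or '0.0.0.0'}: listener bound to every interface")
    return findings


def harden(ini_text: str) -> str:
    """Return the same app.ini with HARDENED applied; every other key is kept."""
    cp = _load(ini_text)
    for (section, key), value in HARDENED.items():
        if not cp.has_section(section):
            cp.add_section(section)
        cp.set(section, key, value)
    out = io.StringIO()
    cp.write(out)
    lines = out.getvalue().splitlines()
    return "\n".join(l for l in lines if l != f"[{ROOT}]") + "\n"


# Constructed sample: roughly what the OP describes (registration open, e-mail confirm only).
WEAK_INI = """\
APP_NAME = my git
RUN_MODE = prod

[server]
DOMAIN = git.example.org
HTTP_ADDR = 0.0.0.0
HTTP_PORT = 3000

[service]
DISABLE_REGISTRATION = false
REGISTER_EMAIL_CONFIRM = true
REQUIRE_SIGNIN_VIEW = false
"""

if __name__ == "__main__":
    for finding in audit(WEAK_INI):
        print(" -", finding)
    print(harden(WEAK_INI))
```

Run it against your real `app.ini` (`audit(open("custom/conf/app.ini").read())`) before and after editing; the service must be restarted for changes to take effect, and accounts that already registered stay in the database until you delete them, as the OP did.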

[–]kayson 96 points (8 children)
Are you 100% sure your instance is set up to require your approval for account activation? It's trivial to find publicly exposed gitea/forgejo instances (see https://www.shodan.io/search?query=gitea), so it's quite easy to create accounts if the instance isn't set up to prevent it. My gitea has registration disabled; yours probably should do.
If your instance is properly configured, then you should definitely report this to both gitea and forgejo maintainers as it's likely there's some kind of security vulnerability that needs to be addressed.

The repository itself is so strange. It's almost like a puzzle. There are tons of random files with Wingdings-like names, all kinds of different filetypes: videos, excel spreadsheet, text, web archives. I think someone is having fun messing with public instances.
[–]jorgo1 33 points (4 children)
At a glance the repo looks to be some form of substitution cipher. There are portions in the clear and others which are symbols. If the user is using something like sed to replace chunks from a mapping file it would be trivial for them to decode their work but difficult for someone else. They could also be paranoid about having their repo scraped, thus the funky obfuscation. The references to other repos are likely links for their main script to know where to download things from. This person could be storing a backup of their entire OS in random repos all over the internet. Or they could be one screw not fully tightened and in need of mental health advice.
[–]Delyzr 20 points (3 children)
It's an RTL language. You can see files starting (ltr) with VAW, 3PM, GPJ.. which in RTL are extensions: WAV, MP3, JPG, etc. The "symbols" are unicode which are being misinterpreted by our systems as we don't have the set installed. It could be something like Arabic or Hebrew or any other RTL language.
[–]liggerbreek 10 points (2 children)
The commit messages are really strange too in that they start rtl, then shift to ltr and repeats the same message. Like they're mirrored.
This is pretty fascinating stuff
I'm actually finding this mirroring in a bunch of things in there. Like this file of.. Poetry? Lyrics?
"YTILAUTЯIW DƎTAƎЯϽFLƎƧ FO TИƎMƎLƎ HϽAƎ HTIW DƎTIИNU ƎϽИƎƧƎ ИWO ⵙ⠀⠀⦿⠀⠀ⵙ OWN ESENCE UNITED WITH EACH ELEMENT OF SELFCREATED WIRTUALITY" and so on. All punctuated and separated with those strange O shapes. https://git.pack.house/O/O/src/branch/%E2%A0%80/%F0%9F%9E%8B/%E1%B3%80/%F0%96%A1%B9/TXT........%E2%A0%80%E2%A0%80%E2%B5%99%E2%A0%80%E1%94%93%E1%94%95%E2%A0%80%E2%B5%99%E2%A0%80%E1%95%A4%E1%95%A6%E2%A0%80%E2%B5%99%E2%A0%80%D0%98N%E2%A0%80%E2%B5%99%E2%A0%80%EA%96%B4%E2%A0%80%E2%B5%99%E2%A0%80%E1%97%9D%E2%A0%80%E2%B5%99%E2%A0%80%D0%98N%E2%A0%80%E2%B5%99%E2%A0%80%EA%96%B4%E2%A0%80%E2%B5%99%E2%A0%80%EA%97%B3%E2%A0%80%E2%B5%99%E2%A0%80%E2%97%AF%E2%A0%80%E2%B5%99%E2%A0%80%E2%88%9E%E2%81%82%E1%90%83%E2%B5%94%EA%9E%89%E2%B5%98%E2%9D%8B%E2%B5%94%E2%B5%94%E2%81%82%E2%9D%8B%E2%9D%8B%E2%B5%94%E2%9D%8B%C2%B7%E2%81%82%E2%9D%8B%E2%9D%8B%E2%B5%88%E2%81%82%E2%9D%8B%E2%B5%94%E2%81%82%E2%9D%8B%EA%9E%89%E2%B5%94%E2%B5%94%E2%B5%94%C2%B7%E2%81%82%E2%B5%94%EA%9E%89%E2%81%82%E2%B5%94%E1%90%83%C2%B7%C2%B7%E2%81%82%E2%81%82%E2%9D%8B%E2%9D%8B%E2%A0%BF%E1%90%83%E2%B5%94%E2%B5%88%E2%B5%94%E2%88%B7%E2%B5%98%E2%81%82%E2%81%82%E2%9D%8B%E2%B5%98%EA%9E%89%EA%9E%89%E2%B5%94%E2%A0%BF%E2%B5%94%E2%88%B7%E2%97%8C%E2%88%B7%E2%9D%8B%E2%A0%80%E2%B5%99%E2%A0%80%E2%A0%80%E2%97%AF%E2%A0%80%E2%A0%80%E2%B5%99%E2%A0%80%E2%A0%80%E2%97%AF%E2%A0%80%E2%A0%80%E2%B5%99%E2%A0%80%E2%9D%8B%E2%88%B7%E2%97%8C%E2%88%B7%E2%B5%94%E2%A0%BF%E2%B5%94%EA%9E%89%EA%9E%89%E2%B5%98%E2%9D%8B%E2%81%82%E2%81%82%E2%B5%98%E2%88%B7%E2%B5%94%E2%B5%88%E2%B5%94%E1%90%83%E2%A0%BF%E2%9D%8B%E2%9D%8B%E2%81%82%E2%81%82%C2%B7%C2%B7%E1%90%83%E2%B5%94%E2%81%82%EA%9E%89%E2%B5%94%E2%81%82%C2%B7%E2%B5%94%E2%B5%94%E2%B5%94%EA%9E%89%E2%9D%8B%E2%81%82%E2%B5%94%E2%9D%8B%E2%81%82%E2%B5%88%E2%9D%8B%E2%9D%8B%E2%81%82%C2%B7%E2%9D%8B%E2%B5%94%E2%9D%8B%E2%9D%8B%E2%81%82%E2%B5%94%E2%B5%94%E2%9D%8B%E2%B5%98%EA%9E%89%E2%B5%94%E1%90%83%E2%81%82%E2%88%9E%E2%A0%80%E2%B5%99%E2%A0%80%E2%97%AF%E2%A0%80%E2%B5%99%E2%A0%80%EA%97%B3%E2%A0%80%E2%B5%99%E2%A0%80%EA%96%B4%E2%A0%80%E2%B5%99%E2%A0%80%D0%98N%E2%A0%80%E2%B5%99%E2%A0%80%E1%97%9D%E2%A0%80%E2%B5%99%E2%A0%80%EA%96%B4%E2%A0%80%E2%B5%99%E2%A0%80%D0%98N%E2%A0%80%E2%B5%99%E2%A0%80%E1%95%A4%E1%95%A6%E2%A0%80%E2%B5%99%E2%A0%80%E1%94%93%E1%94%95%E2%A0%80%E2%B5%99%E2%A0%80%E2%A0%80........TXT
[–]Bekar_vai 2 points (1 child)
They also appear on endchan. And there are also PDFs like this one https://endchan.net/.media/6bd5c729dddfc0ec980ada9877edc161-applicationpdf.pdf which links almost every word to a Google search on google.gr ??
[–]DontBuyMeGoldGiveBTC[S] 1 point (0 children)
Fed the .txt found on endchan to ChatGPT. The summary was somewhat interesting: https://chatgpt.com/share/89a9c8e6-563d-49ad-a297-378b5d8779e7
[–]DontBuyMeGoldGiveBTC[S] 13 points (1 child)
Some of these repositories contain the list of repositories that they have hosted copies on
[–]amarao_san 1 point (0 children)
Definitively hand-crafted. This beauty does not happen at random: 𖣠⚪𖢌
[–]DontBuyMeGoldGiveBTC[S] 10 points (0 children)
Right after making this post I made a new account from a private window and verifying my e-mail address was enough. This proved to me that the "hack" of creating an account didn't happen. The only suspicious thing remaining was my password not working but that can happen due to many things and not necessarily a hack.
The only thing making me not delete this is the weird as fuck repositories being uploaded in the form of a network to all exposed open-registration instances. I should ~~ the full thing.
[–]FactoryOfShit 29 points (3 children)
This is why Gitlab now requires credit card details to make an unrestricted account. People created bots that took user files, encrypted them, obfuscated them and then scattered them across huge gitlab repositories (with replication, so that if a bot gets banned the files aren't lost), utilizing gitlab.com's free tier as a free cloud storage (and then reselling this to people as a service).
[–]RedditNational856 5 points (0 children)
That's a smart unethical business
[–]yagotlima -2 points (0 children)
OMG. That's terrifying! I hope they did a good job encrypting those files and keeping the keys safe. But I doubt they did
[–]SystemEarth 186 points (3 children)
Tldr; bro opens gitea to the rest of the world and is surprised other people enter.
[–]DontBuyMeGoldGiveBTC[S] 96 points (1 child)
pikachu face
[–]gambit700 9 points (0 children)
Internet users to your server: I choose you!
[–]Bright_Mobile_7400 -28 points (0 children)
Super helpful.
[–]neroeterno 12 points (5 children)
Wtf is this
Edit: and this
Edit: is it possible to decode these audios and videos? Probably has some hidden messages.
[–]Bekar_vai 4 points (2 children)
hijacking this comment;
it seems quite a lot of Forgejo instances have the same repo, by simply googling this
there should be other similar repos
[–]neroeterno 7 points (1 child)
What I understand is that this guy is bad at Python and CSS. Uses Firefox and is familiar with firefoxcss. Has no idea about 0.0.0.0. Most likely created the weird symmetrical images with Python. And he is making these shaders using sin, tan and cos in Blender. He uses JetBrains products. And there is a lot more detail.
Edit: His influence.co profile says he is from Belarus.
[–]liggerbreek 6 points (0 children)
There is a book about alien interviews in there as well, and some document on how to "free yourself from Microsoft and the NSA", which both seem to fit perfectly into a repo like this
[–]Raupe_Nimmersatt 2 points (0 children)
Da fuq? Strong r/surrealmemes vibes
[–]dibu28 -2 points (0 children)
Chat GPT-4O hiding itself encrypted 🤣🤣🤣
[–]arkane-linux 19 points (5 children)
Now I am actually curious what this stuff is. Either it is some weird encoded stuff in formats I am not familiar with, or someone is just mentally ill. Based on what this repo contains I guess the latter.
That other instance you linked also has an 8/8 repo, almost guaranteed to be the same person. It contains similar weird stuff, among which at least 1 PDF which chugs the browser as it attempts to render weird patterns with thousands of lines.
[–]DontBuyMeGoldGiveBTC[S] 6 points (1 child)
I just find it so funny browsing through these files. Check out this folder, which is just a bunch of pngs with strange shapes that look like some autistic person was obsessed with this geometry. I have a family member slightly on the spectrum and this is what his art projects would look like sometimes to a lesser extent. There's also some AI files which might be 3D renderings? Not sure.
[–]ACEDT 3 points (0 children)
The .ai files are from Adobe Illustrator
[–]fireshaper 3 points (0 children)
The guy just wants free offsite backups of his repo.
[–]kingb0b 1 point (1 child)
Can't it also be a troll? Why does everyone just think everything is "mental illness" these days? Some people might just be having fun and testing out scripts that propagate like viruses. 
[–]arkane-linux 2 points (0 children)
Trolling = mental illness, most of the time.
A self propagating git repo is significantly more far fetched than someone just being sick in the head. That would be a major vulnerability if true, and a claim you make with no evidence to back it up.
[–]hx53 6 points (5 children)
What version did you run when the account was created?
[–]DontBuyMeGoldGiveBTC[S] 2 points (4 children)
footer says
Powered by Forgejo Version: 1.19.4-0
I did change it from gitea to forgejo, though. I'm not sure if I created the account before or after swapping the binary.
[–]hx53 1 point (3 children)
That is an old version; the current one is 7.0.2+gitea-1.22.0.
[–]DontBuyMeGoldGiveBTC[S] 1 point (2 children)
yup I've never updated it. I probably should've eh? hahah 😅
[–]hx53 10 points (0 children)
Please. And do it with all Software you run :)
[–]QuadzillaStrider 7 points (0 children)
Christ...
[–]lucassou 5 points (0 children)
Based on his fantastic Instagram account he seems Russian https://www.instagram.com/oooo_oooo.oooo_oooo?igsh=NG5sOHhwbHZ3NTZu
I wonder if he used some weird encoding format for his texts which the websites he uploaded his stuff to didn't like much
[–]sslnx 5 points (4 children)
Client certificate is a must if you expose your service to the internet. Just keep your root CA credentials safe, and only allowed parties will be able to establish a connection. You will definitely sleep better.
[–]DontBuyMeGoldGiveBTC[S] 3 points (3 children)
I need to read more about this. First time I see a mention.
[–]urinesamplefrommyass 1 point (2 children)
NetworkChuck Will probably have all tutorials you need. Here's a beginning
[–]DontBuyMeGoldGiveBTC[S] 2 points (1 child)
I even set up some FRP tunnels to my computer's navidrome and shit and it turns out cloudflare provides it heh. Guess I don't need a VPS after all for this.
[–]urinesamplefrommyass 1 point (0 children)
NetworkChuck and Wolfgang's channel will probably provide most of your needs in content.
I find NetworkChuck to be best for learning... well... network stuff, as he explains a lot, like in the video provided.
Wolfgang's is good for finding a better scale for your server needs and setting it up. He's got a very interesting video about what he is running on his server, with a great chapter (23:50 Yeeting my bootdrive and reinstalling from scratch) about an automation to reset everything and build his server from scratch with automations to bring everything back up.
[–]Djdhshsus5737 4 points (1 child)
Super bizarre.
I think he's mentally ill. Check out his linktree style site. https://oooo.bio.link/
[–]neroeterno 3 points (0 children)
Probably hiding some messages. Got a lot of images and videos that look similar and audio files with weird beeps (or something)
[–]yeewhothis 3 points (0 children)
def want to turn off self registration (enable the disable self registration) might want to add all this behind a reverse proxy and then add authentication on the reverse proxy level with something like authentik so anyone accessing the site has to authenticate through this before even hitting gitea/any service
on cloudflare you can also block out entire continents, likely bots, and restrict access to only certain IPs to your site so you can block anyone on the cloudflare level before even touching your server
[–]PersonalSafe 4 points (1 child)
This user also signed up on my gitea server in April! With the same email address. They didn't create the repository and nothing has happened with my password.
Erased their account just now
[–]DontBuyMeGoldGiveBTC[S] 0 points1 point2 points  (0 children)
Aha! I was sure if I made this post here if I'd fish out a few other cases. I'm also planning to contact a bunch of people who got this repo on their server.
Read these comments and close registrations hahah
[–]AdrianTeri 2 points (0 children)
"Any advice on further preventive measures would be greatly appreciated."
Anything that doesn't need public access do NOT avail it via 0.0.0.0/0. This includes ssh access!
Since we're in a tinkerers sub at least spin up a VPN server out of your home.
If you really need to expose things do your research, expose & prod them in a "sanitized" env(accessible via VPN or Localhost only), deploy them to their own sandbox & keep up/subscribe(and I mean 1st thing you wake up to) to news about the project & security bulletins.
[–]toxic_headshot132 2 points (0 children)
Don't really understand what the ooo is but this is kind of cool if he is using multiple repos as storage and obfuscating it in such a way that it looks like an alien transcript 🤣
[–]TurbulentGene694 1 point (1 child)
What the fuck are those security measures? Where are your passkeys? Why is it open to the world God I don't even wanna know what other security holes you have...
[–]DontBuyMeGoldGiveBTC[S] 1 point (0 children)
This is my only self hosted thing lol. And a closed navidrome.
[–]phein4242 1 point (0 children)
Your network is compromised. Start with rebuilding (from scratch) everything which you cannot guarantee to be safe.
[–]CodeDuck1 -6 points (6 children)
So sorry to hear that... Am wondering if Gitea or Forgejo is not secure enough and someone uses some vulnerabilities to hack the system. I was considering exposing my gitea deployment to public Internet thinking gitea.com is public and mine should be safe too. Might as well keep it private for now after hearing your story
[–]DontBuyMeGoldGiveBTC[S] 13 points (2 children)
I didn't get hacked. I just checked. I'm just dumb and left it open to registration as long as they "activated" their e-mail address. Don't mind this post and use proper security settings and you should be safe, unlike me who's a retard. :)
[–]Niri333 3 points (1 child)
But how did your admin password get changed?
[–]DontBuyMeGoldGiveBTC[S] 1 point (0 children)
no idea lol, that's the wtf making me want to reset my full vps
[–]DontBuyMeGoldGiveBTC[S] 1 point (2 children)
WAIT, but my password was changed ..? I think? I don't know anymore. I know I had to reset my password and it was saved on Bitwarden. No idea lol.
[–]micalm 3 points (1 child)
Older admin password saved in BitWarden aka user error? ;) Happens.
I guess if you want to purge then purge, but make an archive of the current state. Both Forgejo and Gitea devs sometimes hop on here, maybe someone will want to investigate further.
And update the main post, on top, that you're unsure what happened. Panic serves no one.
[–]DontBuyMeGoldGiveBTC[S] 2 points (0 children)
"Older admin password saved in BitWarden aka user error? ;) Happens."
I believe I've logged in a few times. Maybe I just have the illusion of logging in, but my workflow tells me I didn't: I create my passwords on Bitwarden and then tap the entry to fill the form fields. I don't create the password and then add it to Bitwarden. If Gitea has a different workflow such as generating a password, maybe that is the case, but I doubt it.