www.vim.org is down


mattn

Apr 30, 2013, 5:06:23 AM
to vim...@googlegroups.com
It seems the database server is down

Tony Mechelynck

Apr 30, 2013, 5:23:16 AM
to vim...@googlegroups.com
On 30/04/13 11:06, mattn wrote:
> It seems database server is down
>

I can display http://www.vim.org/ as non-logged-in but an attempt to log
in gives me:

Query attempt failed: Can't connect to local MySQL server through socket
'/var/lib/mysql/mysql.sock' (2)

while the URL bar gets set to "http://www.vim.org/login.php".


Best regards,
Tony.
--
Faith, n:
That quality which enables us to believe what we know to be
untrue.

Bram Moolenaar

Apr 30, 2013, 5:52:55 AM
to Tony Mechelynck, vim...@googlegroups.com

Tony Mechelynck wrote:

> On 30/04/13 11:06, mattn wrote:
> > It seems database server is down
> >
>
> I can display http://www.vim.org/ as non-logged-in but an attempt to log
> in gives me:
>
> Query attempt failed: Can't connect to local MySQL server through socket
> '/var/lib/mysql/mysql.sock' (2)
>
> while the URL bar gets set to "http://www.vim.org/login.php".

Yes, the database appears to be down.
They "upgraded" the project recently, but I have no reason to assume
this is related.

Please check the sourceforge site for any known problems.
Or file a support ticket.
I'm afraid I don't have time right now to look into it.

--
hundred-and-one symptoms of being an internet addict:
250. You've given up the search for the "perfect woman" and instead,
sit in front of the PC until you're just too tired to care.

/// Bram Moolenaar -- Br...@Moolenaar.net -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///

John Beckett

Apr 30, 2013, 7:17:36 AM
to vim...@googlegroups.com
Bram Moolenaar wrote:
> Yes, the database appears to be down.
> They "upgraded" the project recently, but I have no reason
> to assume this is related.
>
> Please check the sourceforge site for any known problems.
> Or file a support ticket.
> I'm afraid I don't have time right now to look into it.

The database is still there because I'm currently looking at it
through the phpMyAdmin web interface (admin only access). I
can connect to the database and see the tables as normal, and
can run a SQL query to see an individual script.

Standard web browser access to a script like:
http://www.vim.org/scripts/script.php?script_id=231

shows error:
Can't connect to local MySQL server through socket
'/var/lib/mysql/mysql.sock' (2)

Bram reported this same error in February 2011:
https://sourceforge.net/apps/trac/sourceforge/ticket/17514

and the solution was to change $DB_HOST to "mysql-v". However,
that was done two years ago, and I cannot see any indication on
Sourceforge that a change to MySQL has occurred, and I can't
find anything relevant in Google.

I'll poke around some more.

John

John Beckett

Apr 30, 2013, 7:22:53 AM
to vim...@googlegroups.com, Bram Moolenaar
Bram Moolenaar wrote:
> Please check the sourceforge site for any known problems.
> Or file a support ticket.

I've poked around and can't find anything, so I have filed a
support ticket:
https://sourceforge.net/p/forge/site-support/3872/

John

Marc Weber

Apr 30, 2013, 7:32:46 AM
to vim_dev
> Please check the sourceforge site for any known problems.
There are none (http://sourceforge.net/blog/category/sitestatus/)

> ticket
Not sure where to create one which is related to mysql hosting.

I've sent a message to #sourceforge at freenode hoping that staff will
reply soon.

Logging in using SSH I see
ERROR 1203 (42000): User v8rw already has more than 'max_user_connections' active connections
when trying to connect to the database.

If you're looking for scripts you can either try
vim-scripts.org (which should mirror almost all scripts)
or github.com/MarcWeber/vim-addon-manager-known-repositories
(which also contains a full list of all scripts @ www.vim.org, but
without description).

If nothing happens till tomorrow I'll try to find different ways to
fix this.

Marc Weber

Marc Weber

Apr 30, 2013, 7:43:54 AM
to vim_dev
Excerpts from John Beckett's message of Tue Apr 30 13:22:53 +0200 2013:
admin user: access is ok
rw user "ERROR 1203 (42000): User v8rw already has more than 'max_user_connections' active connections"
ro user (don't know, maybe password is different)

Admin user for the PHP does work, but I'm not happy with that change.
So we have a solution, but I'd still like to wait for staff to reply
before setting up such a change permanently.

Marc Weber

John Beckett

Apr 30, 2013, 10:29:16 PM
to vim...@googlegroups.com, Bram Moolenaar
The vim.org problem has been fixed by Sourceforge.

However, my checking of some recent changes to the vim.org
database shows that vim.org was scanned by someone with Acunetix
Web Vulnerability Scanner. That was used to generate at least
124 user accounts, including text fields intended to probe for
bugs that might be exploited to break in to the system.

It will take me a few days to think about what to do. After
talking with Bram, I'll delete the junk accounts.

To save people the nuisance of downloading junk scripts, I have
deleted scripts 4555 to 4566 inclusive, and the user who created
them, and the script downloads.

John

Bram Moolenaar

Apr 30, 2013, 10:44:40 PM
to John Beckett, vim...@googlegroups.com

John Beckett wrote:

> The vim.org problem has been fixed by Sourceforge.

It still looked broken to me.

After a little digging I discovered that the PHP function we were using
to connect to the database no longer worked. I changed it by one letter
and now it's working again.
Thanks. For the bogus user accounts, please dump the information
and then delete the accounts.

The danger is that someone injects bad code into a popular script.
Please check what scripts changed, if you can.

--
Vi is clearly superior to emacs, since "vi" has only two characters
(and two keystrokes), while "emacs" has five. (Randy C. Ford)

Marc Weber

May 1, 2013, 12:41:46 AM
to vim_dev
Excerpts from John Beckett's message of Wed May 01 04:29:16 +0200 2013:
> 124 user accounts, including text fields intended to probe for
> bugs that might be exploited to break in to the system.
The bot did at least 20 login attempts per second!

http://www.vim.org/account/register.php
I've added a minimal "I'm human test" - that should at least protect against
"random attacks" made by bots without human intelligence.
And if there are humans running the attack, then we have lost anyway.

So it's pretty easy:

create a new table.
Log IP when $_POST is not empty

If an IP is using POST more than 15 times in 4 hours assume it's a bot
and die.

A typical session:
- login (POST 1)
- update 5 scripts (POST 2-5)

Thus 7 post requests. If you forget your password 5 times - then you're
still fine.

Yes, there might be false positives - eg many people behind
firewalls try to update their scripts within 4 hours but honestly
scripts are not updated *that* often. Another problem could be you
typing the same password 15 times ..)

If this is causing problems, please report it. The die message also tells
this.

vim.org/search.php is not affected, $_GET is used the way it should.
Neither should it affect google (which may also run some post requests,
usually based on JS init scripts)

I hope this makes www.vim.org a lot more "bot proof" now.

The implementation can be found in the datab*.inc file.

Maybe it's not the right place, but it should work.

There have been too many issues lately.

Marc Weber

Marc Weber

May 1, 2013, 12:50:50 AM
to vim_dev
This still does not protect against resource exhaustion (mysql users
exceeded - which happened). There are modules for apache to prevent
excessive site usage by bot like attacks. Maybe we should propose
sourceforge to set them up?

Marc Weber

Marc Weber

May 1, 2013, 1:11:16 AM
to vim_dev
I've introduced a total limit of 500 POST requests within 4h which is
slightly more than POST requests happen within 24h on an average day
(380 posts in 24h)

Thus if a bot uses multiple IPs, he should still fail soon
(unfortunately everybody else, too) - I think it's more important to
protect against attacks in these cases.. Because we don't want to delete
that many scripts and user accounts.

I hope vim.sf.net is much safer now. I don't have any additional ideas.
So let me know whether you think these changes are appropriate.

Marc Weber
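The two limits Marc describes above (15 POSTs per IP and 500 POSTs site-wide within 4 hours, logged in one extra table and checked before the request is served) can be written as a small sliding-window counter. The following is an added example, not the datab*.inc code that actually runs on vim.org: it uses Python and an in-memory sqlite3 table instead of PHP and MySQL, and the limits, window length and IP addresses are taken from the thread or constructed for the example.

```python
import sqlite3
import time

# Limits as described in the thread; the window length is the 4 hours
# Marc mentions. All three are assumptions for this example.
WINDOW_SECONDS = 4 * 60 * 60
PER_IP_LIMIT = 15
GLOBAL_LIMIT = 500


def open_db(path=":memory:"):
    """Create the one extra table the thread describes: one row per POST."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS post_log ("
        " ip TEXT NOT NULL, ts INTEGER NOT NULL)"
    )
    # The per-IP count is the hot query, so index on (ip, ts).
    conn.execute("CREATE INDEX IF NOT EXISTS post_log_ip_ts ON post_log(ip, ts)")
    return conn


def check_post(conn, ip, now=None):
    """Call once per request that carries a non-empty POST body.

    Returns None if the request may proceed (and records it), otherwise a
    reason string for the die message. Both counters are sliding windows:
    only rows newer than now - WINDOW_SECONDS count, so an IP is unblocked
    4 hours after its last accepted POST rather than at a fixed reset time.
    """
    now = int(time.time()) if now is None else now
    cutoff = now - WINDOW_SECONDS
    # Drop rows that have aged out so the table does not grow without bound.
    conn.execute("DELETE FROM post_log WHERE ts < ?", (cutoff,))

    per_ip = conn.execute(
        "SELECT COUNT(*) FROM post_log WHERE ip = ? AND ts >= ?", (ip, cutoff)
    ).fetchone()[0]
    if per_ip >= PER_IP_LIMIT:
        return f"per-ip limit: {per_ip} POSTs from {ip} in the last 4h"

    total = conn.execute(
        "SELECT COUNT(*) FROM post_log WHERE ts >= ?", (cutoff,)
    ).fetchone()[0]
    if total >= GLOBAL_LIMIT:
        return f"global limit: {total} POSTs site-wide in the last 4h"

    # Only accepted requests are logged: a blocked client hammering the
    # site cannot push the global counter up and lock everyone else out.
    conn.execute("INSERT INTO post_log (ip, ts) VALUES (?, ?)", (ip, now))
    conn.commit()
    return None


def die_message(reason):
    """Text shown instead of the page, asking genuine users to report it."""
    return (
        "Too many POST requests (" + reason + "). "
        "Please try again in 4 hours; if you are not a bot, "
        "report this to the vim_dev list so the limit can be tuned."
    )


if __name__ == "__main__":
    db = open_db()
    t0 = 1_000_000  # constructed timestamp
    # A constructed burst from one address: the 16th POST is refused.
    for i in range(16):
        verdict = check_post(db, "203.0.113.5", now=t0 + i)
        print(i + 1, "allowed" if verdict is None else die_message(verdict))
```

The usage block at the bottom shows the per-IP limit tripping on the 16th request from one constructed address. Bram's request that a tripped limit also notify the admins is the natural place to hook in: `check_post` returns the reason string, so the caller can both show `die_message` and log or mail that reason. The NAT false positive Marc notes still applies, since several people behind one firewall share the 15-request budget.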

Bram Moolenaar

May 1, 2013, 1:02:27 PM
to Marc Weber, vim_dev
Thanks for doing this!

I think we can be rather strict. If a human is doing a lot of work, we
can ask him to try again in 4 hours. And send us a message that this
happened, so that we can tune the limit. Perhaps for specific cases.

Please send me a diff of the changes you made (or the new files)
privately. Otherwise a sync from my side might overwrite your changes.
Cc John Beckett, he is also keeping an eye on things.


--
hundred-and-one symptoms of being an internet addict:
255. You work for a newspaper and your editor asks you to write an
article about Internet addiction...in the "first person."

Christian Brabandt

May 7, 2013, 4:28:49 PM
to vim_dev
Hi Bram!

On Wed, 01 May 2013, Bram Moolenaar wrote:

> I think we can be rather strict. If a human is doing a lot of work, we
> can ask him to try again in 4 hours. And send us a message that this
> happened, so that we can tune the limit. Perhaps for specific cases.

I think it just happened:
http://www.vim.org/scripts/script.php?script_id=4509

regards,
Christian
--
Chaos reigns. We are on a turntable; the direction into the future
has not yet been found. Perhaps this humanity must perish so that
another can arise.
-- Stanislav Lem

Marc Weber

May 7, 2013, 5:10:21 PM
to xingchao19811209gmailcom, vim_dev
Thanks for reporting - looks like he finally succeeded - and didn't read
the message ..

Hi xingchao,

(this mail also goes to vim_dev mailinglist)

If you cannot upload, you should see a message instead.
Due to attacks we've limited actions to 15 POST requests by IP.
Another global limit does exist.

Do you remember which one was hit? The message should have told you.
Eventually we should allow more operations.

In any case - do you have any idea why "why I can't upload" is shown
that often :) ?

Sincerely
Marc Weber