Okay, this one's a bit weird. Apparently A hacker is wiping Git repositories and asking for a ransom (of 0.1
Bitcoin). Apparently it was done by scanning the entire web for
/.git/config files and mining those for credentials
(including access tokens and URLs of the form
http://firstname.lastname@example.org. The hacker "replaced" the
contents of the repository with a ransom demand.
The perpetrator is apparently hoping that anyone stupid enough to leave their git repo accessible through the web (I admit -- I used to do that) and to put login credentials in it (no, I'm not that stupid -- that's one of the things everyone is warned about multiple times, just in case it wasn't obvious), is probably stupid enough to pay the ransom instead of simply restoring their repo from any clone of it and changing their password.
And of course it turns out that the entire repo is still there after the attack -- the perpetrator is apparently just adding a commit and pointing HEAD at it. this post on StackExchange explains how to recover.
It's even easier, though, if you've actually been using the repo, because then you'll have a clone of it somewhere and all you have to do is
cd clone git push --force origin HEAD:master
There's still the perp's threat to release your code if you don't pay. If your code is in a public repo on GitHub, GitLab, or BitBucket -- who cares? If it's in a private repo, you may have a problem, provided you (1) think it's likely that this threat can be carried out (there is reason to believe that your code hasn't actually be stashed away anywhere) and (2) you think that whatever secrets may have been in your private repo are worth more than about $570.
You can see by looking at Bitcoin Address 1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA that, so far (4pm today) nobody has paid up.
- ransomware - GitLab account hacked and repo wiped - Information Security Stack Exchange
- GitHub, GitLab, BitBucket Repos Hit By Ransomware That Demands Bitcoin
- A hacker is wiping Git repositories and asking for a ransom Don't publicly expose .git The last section shows how to block web
access to .git; what you really want to do is block access to all
dotfiles except for
- If you're running Apache and use
mod-rewrite, see https://github.com/h5bp/server-configs-apache/blob/master/src/security/file_access.conf to do exactly that.