Has my system been hacked?

Recently, a title was marked on every page of the system.

It said: " Introduce my name Fadli, I work as a bug bounty hunter, I found a vulnerability in an existing gitlab system which allows me to change the gitlab administrator/root password and also be able to view all source code and secret credentials. Please reply my email bfadliyanto@gmail.com"

My system version is:

1 Like

This is why you should upgrade your system regularly.

I suggest you do a backup of your Gitlab data, create a new installation of 13.7.4 and restore your data to it. Then immediately follow the Gitlab upgrade guide documentation to upgrade from 13.7.4 to the latest 16.8.1. You cannot upgrade directly to 16.8.1; you will have to follow the upgrade path as shown in the documentation here: Upgrade GitLab | GitLab and also here, where I’ve earmarked the upgrade path from the upgrade path tool generator: Upgrade Path

Then contact the authorities (police) and give them his email address since he has illegally edited your system to display that message. Whether they will do anything though is another matter. You may also wish to check through your Gitlab log files, as perhaps something there will also be able to identify where they are. But they could have always hidden their tracks.

Either way, you need to create a new system to restore your data to, since your server definitely has been compromised. Whether it will restore his message too or not I don’t know - probably yes, but perhaps when you upgrade it will disappear.

2 Likes

Can you even trust any code you have in that repository (including any backups) going forward?

If you know when the intrusion happened, you could restore the backup from before that date. However, if you have no idea when it happened, you will definitely have to restore to a new system as @iwalker states, and then you’ll have to meticulously inspect all your code. Worth noting: if you have any NodeJS code, pay particular attention to the names of any Node modules you pull in. It’s easy to change names so they look really similar but point to a forked repo with malice within.

1 Like
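One way to act on the advice above about Node module names, as an added example that is not from this thread or from GitLab: it parses a constructed package.json, flags dependency names that are near-misses of an assumed allowlist of known dependencies, and flags specs that resolve to a git repository instead of a registry version. The allowlist, the sample file and the edit-distance threshold are assumptions.

```python
import json
import re

# Constructed sample package.json (example data, not from the thread): one entry
# is a lookalike of "lodash" that resolves to a git fork rather than the registry.
PACKAGE_JSON = """{
  "name": "internal-app",
  "dependencies": {
    "express": "^4.18.2",
    "lodash": "^4.17.21",
    "loadsh": "git+https://example.invalid/forked/loadsh.git",
    "left-pad": "^1.3.0"
  }
}"""

# Assumed allowlist: the names the team knows the project depends on.
KNOWN_DEPENDENCIES = {"express", "lodash", "left-pad"}

# Specs that fetch from a repository or URL instead of a registry version.
GIT_SPEC = re.compile(r"^(git\+|github:|https?://|git://|ssh://|[\w-]+/[\w.-]+$)")


def edit_distance(a, b):
    """Levenshtein distance; a small value between two names means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_dependencies(package_json_text, known, max_distance=2):
    """Return (name, reason) findings: names not on the allowlist (noting any
    known name they resemble) and specs that point at a repository."""
    deps = json.loads(package_json_text).get("dependencies", {})
    findings = []
    for name, spec in sorted(deps.items()):
        if name not in known:
            near = sorted(k for k in known if 0 < edit_distance(name, k) <= max_distance)
            reason = "lookalike of " + ", ".join(near) if near else "not on allowlist"
            findings.append((name, reason))
        if GIT_SPEC.match(spec):
            findings.append((name, "resolves to a repository, not a registry version: " + spec))
    return findings
```

Run the check against every package.json in the restored repositories and treat each finding as something to verify by hand against the original upstream module.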

This is just speculation. If you do anything based on it, it’s on you!

A real “bug bounty hunter” wouldn’t put such a banner on your installation, and wouldn’t care about such an old version; the whole point of hunting for bug bounties is that some companies (I don’t remember if GitLab is among them) pay you if you find a new problem in their code. Chances are it’s just a silly script kiddie that has used a well documented vulnerability in that old GitLab installation.

I would probably do what @iwalker suggests, but @ak2766 also has a point in saying that you have to decide if you trust any code that has been on the compromised server. In theory the attacker could have changed any of it to do anything (give him a backdoor to wherever it is deployed). But that’s why I believe it’s worth it to think a little about who he (or she) is. My guess is that such a script kiddie wouldn’t even understand most of the code (but you also need understanding of the code that was hosted on your server to make such a conclusion), much less possess the abilities (or even get the idea) to change it. He might also just have copied it and plan to make it public - is that a threat to you? (Think about what (malicious) customers, competitors, other bad guys, … might use any of the information for.) Again, it is worth it to think about him and his resources: if you have a lot of code, taking a copy requires a lot of disk space, but it also increases the chance that there is something of value in there.

Again: This is just speculation. If you do anything based on it, it’s on you!

1 Like