There is a hack which seems to affect a lot of self-hosted GitLab instances with enabled “self-registration”.
I have the exact same issue as described in the following link.
If you google the username, you can find public repositories which are also hacked, all on the same day (like mine). Because these repositories and instances are public, they show up in Google.
But non-public repositories are also affected (like mine and the blog article author's).
The hack aims to access the file /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml with a trick by moving a ticket to another project.
The question is: was it successful???
The created ticket content in my instance looks like the following:
But if I manually follow the link, by clicking it, I get a 404 page.
This is a good sign, right?
I have seen other instances (mentioned earlier) where you could really download a secrets.yml filled with correct-looking, typical content. Of course I don't know if this was the actual real content… (but I would guess so).
Apart from that… How can we refresh the secrets, so that the old ones are invalid?
For all others out there: have a look for newly created user accounts, two new projects and one moved ticket! As far as I have seen, they are all named the same (projects ‘test8’ and ‘test9’, ticket ‘issue1’ from user ‘johnyj12345’).
What I have done: I disabled my instance, disabled self account registration for the future and blocked the user. Anything else to be aware of?
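As an added example (not from the post or from GitLab), here is a small hunt script for the indicators the post lists: an account registered on the attack day, two projects named test8/test9, and one issue that was moved between projects. It works on the JSON shapes returned by GitLab's REST API v4 (`/users`, `/projects`, `/issues`); the sample records, the date 2020-04-10, and the `fetch_json` base URL and token are constructed placeholders, and the live-fetch helper is an assumption about how you would feed real data in, not something the post describes.

```python
"""Flag the indicators described in the forum post across GitLab API v4 JSON.

Sample data is constructed to mirror the post; field names (username,
created_at, path_with_namespace, creator_id, author, moved_to_id) follow
GitLab's REST API v4 responses.  fetch_json() is an assumed helper for
pulling the same three lists from a live instance with an admin token.
"""
import json
import urllib.request
from datetime import date, datetime
from urllib.parse import urlencode

# Indicators quoted in the post.
SUSPECT_USERNAMES = {"johnyj12345"}
SUSPECT_PROJECT_NAMES = {"test8", "test9"}
SUSPECT_ISSUE_TITLES = {"issue1"}

# Constructed attack day (placeholder; the post gives no date).
SAMPLE_DAY = date(2020, 4, 10)

# Constructed sample records in GitLab API v4 shape.
SAMPLE_USERS = [
    {"id": 1, "username": "admin", "created_at": "2019-01-05T10:00:00Z"},
    {"id": 57, "username": "johnyj12345", "created_at": "2020-04-10T08:12:33.000Z"},
]
SAMPLE_PROJECTS = [
    {"id": 3, "name": "backend", "path_with_namespace": "team/backend",
     "creator_id": 1, "created_at": "2019-02-01T09:00:00Z"},
    {"id": 44, "name": "test8", "path_with_namespace": "johnyj12345/test8",
     "creator_id": 57, "created_at": "2020-04-10T08:15:01Z"},
    {"id": 45, "name": "test9", "path_with_namespace": "johnyj12345/test9",
     "creator_id": 57, "created_at": "2020-04-10T08:15:40Z"},
]
SAMPLE_ISSUES = [
    # Ordinary issue, never moved.
    {"id": 900, "iid": 12, "title": "Login bug", "project_id": 3,
     "author": {"id": 1}, "moved_to_id": None},
    # Original issue left behind in test8 after the move (moved_to_id set).
    {"id": 901, "iid": 1, "title": "issue1", "project_id": 44,
     "author": {"id": 57}, "moved_to_id": 902},
    # The copy created in test9 by the move.
    {"id": 902, "iid": 1, "title": "issue1", "project_id": 45,
     "author": {"id": 57}, "moved_to_id": None},
]


def created_on(record, day):
    """True if the record's created_at (ISO 8601, UTC 'Z' suffix) falls on `day`."""
    ts = record["created_at"].replace("Z", "+00:00")
    return datetime.fromisoformat(ts).date() == day


def find_indicators(users, projects, issues, day):
    """Return usernames, project paths and issues matching the post's pattern.

    Users: known name or registered on `day`.  Projects: known name, or
    created on `day` by a flagged user.  Issues: known title, authored by a
    flagged user, or moved (moved_to_id set).  Each issue hit is
    (project_id, iid, title, was_moved).
    """
    hits = {"users": [], "projects": [], "issues": []}
    for u in users:
        if u["username"] in SUSPECT_USERNAMES or created_on(u, day):
            hits["users"].append(u["username"])
    flagged_ids = {u["id"] for u in users if u["username"] in hits["users"]}
    for p in projects:
        by_flagged = created_on(p, day) and p.get("creator_id") in flagged_ids
        if p["name"] in SUSPECT_PROJECT_NAMES or by_flagged:
            hits["projects"].append(p["path_with_namespace"])
    for i in issues:
        moved = i.get("moved_to_id") is not None
        if moved or i["title"] in SUSPECT_ISSUE_TITLES or i["author"]["id"] in flagged_ids:
            hits["issues"].append((i["project_id"], i["iid"], i["title"], moved))
    return hits


def run_sample():
    """Apply the hunt to the constructed sample data."""
    return find_indicators(SAMPLE_USERS, SAMPLE_PROJECTS, SAMPLE_ISSUES, SAMPLE_DAY)


def fetch_json(base_url, token, path, **params):
    """Assumed helper: GET {base_url}/api/v4/{path} with an admin PRIVATE-TOKEN.

    Pagination is not handled here; pass per_page=100 and page through
    yourself for large instances.
    """
    url = f"{base_url.rstrip('/')}/api/v4/{path}"
    if params:
        url += "?" + urlencode(params)
    req = urllib.request.Request(url, headers={"PRIVATE-TOKEN": token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Against a real instance you would replace the sample lists with `fetch_json(base, token, "users", per_page=100)`, `fetch_json(base, token, "projects", search="test", per_page=100)` and `fetch_json(base, token, "issues", scope="all", per_page=100)` (placeholder `base` and `token`), then pass the day the post's pattern appeared in your own logs. Any hit on a moved issue is worth opening to see what the description references, since the post's trick relies on the move.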