Mfcttrf

I was working on a project, a private repo, and suddenly all the commits disappeared and were replaced with a single text file saying

To recover your lost code and avoid leaking it: Send us 0.1 Bitcoin
(BTC) to our Bitcoin address 1ES14c7qLb5CYhLMUekctxLgc1FV2Ti9DA and
contact us by Email at admin@gitsbackup.com with your Git login and a
Proof of Payment. If you are unsure if we have your data, contact us
and we will send you a proof. Your code is downloaded and backed up on
our servers. If we dont receive your payment in the next 10 Days, we
will make your code public or use them otherwise.

At the time of this happening, Google search didn't show up anything, but in an hour or so this started coming up.

I am using SourceTree (always up-to-date) but somehow I doubt that SourceTree is the issue, or that my system (Windows 10) was compromised. I'm not saying it's not that, it's just that I doubt it.

This happened only to one of my repositories (all of them private) and all the others were left untouched. I changed my password, enabled 2 factor authentication, removed one access token that I wasn't using for years and wrote an email to GitLab in the hopes that they could tell me something about where/who the attacker got in.

My password was a weak one that could've been relatively easily cracked via brute-force (it's not a common one but starts with "a" and has only a-z characters in it) and it could be that they just automatically checked if they can access the account and then ran some git commands. It is also possible that my email address and that particular password are on a list of leaked accounts. One might argue that if this is how they got in, they would've simply changed the account credentials but searching the Internet revealed that in these cases GitLab/GitHub will simply restore the credentials for you, and so I assume this is why they didn't do it this way.

Could've also been that old access token, I can't remember what and where I used it for in the past - most likely generated for use on a computer I previously owned, so I doubt that that was the issue.

There are also 4 developers working on it, all having full access to the repository, so their accounts being compromised is also a possibility.

I've scanned my computer with BitDefender and couldn't find anything but I am not doing shady things on the internet so I don't think that me being infected with a malware/trojan is what caused this.

I am waiting for an answer from GitLab and maybe they can shed some light on this. I have the code base on my local Git, so that is not an issue, but I am not pushing the code back to the repository just yet. Also, just in case the code gets published somewhere, I will change any passwords that are to be found in the source (databases, IMAP accounts)

UPDATE

I found out that the code isn't gone. I tried accessing a commit's hash and it worked. So the code is there but there's something wrong with the HEAD. My knowledge on this is very limited but

git reflog

shows all my commits.

What this means to me is that the attackers most likely didn't clone the repositories (would be a logistical nightmare to do this for all the victims, anyway) and that the chances for them going over the source code looking for sensitive data, or of making the code public are low. It also means to me that is not a targeted attack but a random, bulk attack, carried out by a script. I really hope this is the case for our own sake!

UPDATE 2

So, if you do

git checkout origin/master

you will see the attacker's commit

git checkout master

you will see all your files

git checkout origin/master
git reflog # take the SHA of the last commit of yours
git reset [SHA]

will fix your origin/master...but

git status

now will say

HEAD detached from origin/master

still searching for a fix on this

UPDATE 3

If you have the files locally, running

git push origin HEAD:master --force

will fix everything. See Peter's comment

So, the question is what commands will get my repository back to the previously working state assuming you don't have the repo locally, as for how the attacked got in, I am hoping that the answer from GitLab (if any) will help us more.

There is a discussion going on here

The attack targets GitHub, BitBucket and GitLab accounts. Here's the magnitude on GitHub's public repos

Use git push -u origin master -f && git push --tags -f from your local clone to push all references for master, tags and so on to the remote and then enable 2FA in your account.

If more branches are affected use git push -u --all -f

If more branches are affected, you may need to checkout all branches first with the following command before performing git push -u --all -f

for branch in `git branch -a | grep remotes | grep -v HEAD | grep -v master `; do
 git branch --track $branch#remotes/origin/ $branch
done

https://gist.github.com/octasimo/66f3cc230725d1cf1421

I doubt that the hackers pushed a "delete all" commit, or else you could simply revert the last commit. Rather, they force-pushed a different commit with the note to the HEAD of the master branch, making it look like your entire commit history is gone.

As others have pointed out, you can easily use a local repo to re-push your code to the server. Due to the distributed nature of Git, this always works whether or not the server was wiped since every local repo has a complete clone of the server, including both commits and code. Of course, you should make sure the server has been secured first before attempting recovery efforts. :-)

If you don't have a local repo that includes the most recent commit, the commit history (and all associated files) will still exist on the server for a while. However, the server will eventually run git gc, which will clean up those unreachable commits. As of 2013, GitHub said they will run git gc at most once per day but it can also be triggered manually, while BitBucket will run it as needed, or perhaps after each push. GitLab runs it after 200 pushes by default, or it can be triggered manually.

However, even if all of the commits and files are still on the server, you would need to find the hash of the commit so you can restore it. Without a local repo with a reflog, it's hard to find the correct commit to restore. Some ideas that you could try:

• Pull requests are typically kept forever, so you should be able to look at the most recent pull request merged into the master branch. Just make sure to pick the hash of the merge commit, not the hash of the branch. (GitHub has a green check mark next to the merge commit hash, GitLab shows "merged into master with", not sure about BitBucket).


• If you have a build server, see what the most recent build of the master branch was (perhaps in the build log?)