WARNING: Lemmy Self-Hosters, There Have Been CSAM Attacks taking place against !lemmyshitpost@lemmy.world

cross-posted from: https://jamie.moe/post/113630

There have been users spamming CSAM content in !lemmyshitpost@lemmy.world causing it to federate to other instances. If your instance is subscribed to this community, you should take action to rectify it immediately. I recommend performing a hard delete via command line on the server.
I deleted every image from the past 24 hours personally, using the following command: sudo find /srv/lemmy/example.com/volumes/pictrs/files -type f -ctime -1 -exec shred {} \;

Note: Your local jurisdiction may impose a duty to report or other obligations. Check with these, but always prioritize ensuring that the content does not continue to be served.

27 comments

Why do these deranged fucks do this
- You really think the trolls would pass up on this golden opportunity?
  
  This isn't trolling, this is just disgusting crime.
  
  Permanently Deleted

Yup. Nope.
Pictrs is just completely disabled now. Rather be safe, then sorry.
- Is this why I couldn't upload a meme to the Lemmy World servers earlier today?
  Fuck...

I got lucky. I am not subscribed to this community, and I am the only person on my instance. But what if I was subscribed and hadn't seen this post? This is too much responsibility for me.
I just shut down my instance until we can disable cached images. If that never happens, then I'm not bringing it back up.
Shout-out to https://github.com/wescode/lemmy_migrate. I moved my subscriptions over in a minute or two, and now, other than not having my post history, it's exactly the same.

I checked and there shouldn't be any images stored on the server when running lemmy 1.18.4. The post was made in high emotional distress and shouldn't be taken at a face value. If the posts are bothering you I advise purging the posts in question. (I have already done that)
- I'm on 1.18.4, once I deleted the most recent images, the former CSAM posts(among others) became broken images. So yes, it was pulling from local disk cache. Then I took care of the posts themselves after the content was invalidated.
- How did you check this? From my understanding, images from external servers are copied (and transcoded) over locally. At least in my server (running 0.18.4), they do.
  
  There is a possibility that my instance is buggy and it isn't caching images even though it should.

To be clear, if no one on a given instance sub to that particular /c, the content won't federate to said instance, correct?
- At this point, the community is clean. So unless more is posted, then you should be good. If someone searched for the community and caused a preview to load while the content was active though, then it could be an issue.

I went ahead and just deleted my entire pictrs cache and will definitely disable caching other servers images when it becomes available.
- Anyone know if this work is tracked anywhere? I’m suddenly really suspicious of continuing to run my own instance.
  
  https://github.com/LemmyNet/lemmy/pull/3897
  It does say "thumbnails" but as far as I know, Lemmy (or pictrs) makes a copy of the full image too. I don't know if this PR includes full images.

I was looking into self hosting. What can I do to avoid dealing with this? Can I not cache images? Would I get in legal trouble for being federated with an instance being spammed?
- Someone else here mentioned not running "pictrs” at all

What's CSAM?
- Just google it.
  Edit: Not Safe For Life
  
  I kind of suspected it's better not to google it at work.

Is it possible to prune pictrs by community name?
- Not really. You could technically locate the images and determine precisely which ones they are from their filenames, but that means you actually have to view the images long enough to pull the URL. I had no desire to view them for even a moment, and just universally removed them.
  As mentioned in my edit above though, ensure you are in compliance with local regulations when dealing with the material in case you have to do any preservation for law enforcement or something.

Likely Spez’s personal jailbait collection

27 comments