Aria Stewart (aredridel) wrote,
Aria Stewart

How Wikis get spammed

This was in our access log. Nothing removed to protect the guilty, either. - - [26/Nov/2004:02:54:59 -0700] “GET /wiki/NBTSWikiWiki?edit HTTP/1.1” 200 7843 “” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; dial; .NET CLR 1.1.4322)”

That a GET for the edit page directly, referred by - - [26/Nov/2004:02:55:02 -0700] “GET /style.css HTTP/1.1” 200 984 “” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; dial; .NET CLR 1.1.4322)” - - [26/Nov/2004:02:55:04 -0700] “GET /wiki.css HTTP/1.1” 200 707 “” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; dial; .NET CLR 1.1.4322)”

Getting the style-sheet. Weird, for a robot, but not unheard of. By the user-agent tag, it might be an automated Internet Explorer process. Six seconds. - - [26/Nov/2004:02:55:34 -0700] “POST /wiki/NBTSWikiWiki HTTP/1.1” 302 - “” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; dial; .NET CLR 1.1.4322)”

Standard POST, just like all edits. I did not log what fields were filled in, but it might be interesting to see. Thirty seconds. Done by hand? - - [26/Nov/2004:02:55:50 -0700] “GET /wiki/NBTSWikiWiki;1.255 HTTP/1.1” 200 65875 “” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; dial; .NET CLR 1.1.4322)”

A GET on the updated page. Probably just because IE does it, not because they’re checking their work. Twenty-five seconds. Or maybe they just have a slow (or distant, they’re coming from Siberia) connection.

Whois says they’re from Siberia, anyway:

inetnum: - netname: SCS-900 descr: Siberian Cellular Systems - 900 descr: GSM provider in Novosibirsk country: RU admin-c: SY27-RIPE tech-c: SY27-RIPE status: ASSIGNED PA notify: mnt-by: SCS-MNT changed: 20021021 source: RIPE

SORBS says that perhaps that’s a façade:

Address and Port: Record Created: Mon Sep 20 06:39:07 2004 GMT Record Updated: Mon Sep 20 06:39:07 2004 GMT Additional Information: Likely Trojaned Machine, host running Korgo3 trojan Currently active and flagged to be published in DNS


  • rpc.statd goes wild!

    I came in to work today to find my mac workstation spinning running rpc.statd at 100% CPU. A quick dtruss -n rpc.statc showed that it was looping…

  • Useful Javascript

    I just created a drop-down menu with an option to add your own entries. Feel free to use. The skinny. Demo.

  • (no subject)

    I just asked my OpenSRS/Tucows domain reseller rep about AAAA (IPv6) glue records: They are planning to support them soon! In the mean time, they…

  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded