2004/11/26 03:51: How Wikis get spammed

This was in our access log. Nothing removed to protect the guilty, either.

217.8.227.181 - - [26/Nov/2004:02:54:59 -0700] "GET /wiki/NBTSWikiWiki?edit HTTP/1.1" 200 7843 "http://www.google.ru/search?q=wiki++inurl:edit&num=20&hl=ru&lr=&start=120&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; dial; .NET CLR 1.1.4322)"

That is a direct GET of the edit page, referred by a google.ru search for wiki inurl:edit.

217.8.227.181 - - [26/Nov/2004:02:55:02 -0700] "GET /style.css HTTP/1.1" 200 984 "http://community.nbtsc.org/wiki/NBTSWikiWiki?edit" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; dial; .NET CLR 1.1.4322)"

217.8.227.181 - - [26/Nov/2004:02:55:04 -0700] "GET /wiki.css HTTP/1.1" 200 707 "http://community.nbtsc.org/wiki/NBTSWikiWiki?edit" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; dial; .NET CLR 1.1.4322)"

Getting the style sheets. Weird for a robot, but not unheard of. Going by the user-agent string, it might be an automated Internet Explorer process. Six seconds.

217.8.227.181 - - [26/Nov/2004:02:55:34 -0700] "POST /wiki/NBTSWikiWiki HTTP/1.1" 302 - "http://community.nbtsc.org/wiki/NBTSWikiWiki?edit" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; dial; .NET CLR 1.1.4322)"

Standard POST, just like all edits. I did not log what fields were filled in, but it might be interesting to see. Thirty seconds. Done by hand?

217.8.227.181 - - [26/Nov/2004:02:55:50 -0700] "GET /wiki/NBTSWikiWiki;1.255 HTTP/1.1" 200 65875 "http://community.nbtsc.org/wiki/NBTSWikiWiki?edit" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; dial; .NET CLR 1.1.4322)"

A GET on the updated page. Probably just because IE does it, not because they’re checking their work. Twenty-five seconds. Or maybe they just have a slow (or distant, they’re coming from Siberia) connection.
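The pattern walked through above (a search-engine referrer carrying inurl:edit, a direct GET on the edit page, then a POST from the same address seconds later) can be turned into a check over an Apache combined log. This is an added example, not code from the original post; the log-line regex, the 120-second window and the 192.0.2.10 "legitimate editor" lines are my assumptions.

```python
import re
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Apache combined log: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Constructed sample: the 217.8.227.181 lines mirror the post's excerpt; 192.0.2.10 is a made-up editor who reached ?edit from the wiki page itself.
UA = '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; dial; .NET CLR 1.1.4322)"'
SAMPLE_LOG = [
    '217.8.227.181 - - [26/Nov/2004:02:54:59 -0700] "GET /wiki/NBTSWikiWiki?edit HTTP/1.1" 200 7843 "http://www.google.ru/search?q=wiki++inurl:edit&num=20&hl=ru&lr=&start=120&sa=N" ' + UA,
    '217.8.227.181 - - [26/Nov/2004:02:55:34 -0700] "POST /wiki/NBTSWikiWiki HTTP/1.1" 302 - "http://community.nbtsc.org/wiki/NBTSWikiWiki?edit" ' + UA,
    '192.0.2.10 - - [26/Nov/2004:03:10:00 -0700] "GET /wiki/NBTSWikiWiki?edit HTTP/1.1" 200 7843 "http://community.nbtsc.org/wiki/NBTSWikiWiki" ' + UA,
    '192.0.2.10 - - [26/Nov/2004:03:12:10 -0700] "POST /wiki/NBTSWikiWiki HTTP/1.1" 302 - "http://community.nbtsc.org/wiki/NBTSWikiWiki?edit" ' + UA,
]

def parse(line):
    """Parse one combined-log line into a dict (time as datetime); None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def is_edit_search_referer(referer):
    """True when the referer's search query hunts for edit pages (e.g. 'wiki inurl:edit')."""
    query = parse_qs(urlparse(referer).query).get("q", [""])[0].lower()
    return "inurl:edit" in query

def find_suspect_edits(lines, window_seconds=120):
    """Return (ip, landing_time, post_time, path) for each inurl:edit search landing on ?edit that the same IP follows with a POST inside the window."""
    by_ip = {}
    for rec in filter(None, map(parse, lines)):
        by_ip.setdefault(rec["ip"], []).append(rec)
    hits = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        landings = [r for r in recs if r["method"] == "GET" and r["path"].endswith("?edit")
                    and is_edit_search_referer(r["referer"])]
        posts = [r for r in recs if r["method"] == "POST"]
        for land in landings:
            for p in posts:
                delta = (p["time"] - land["time"]).total_seconds()
                if 0 <= delta <= window_seconds:
                    hits.append((ip, land["time"], p["time"], p["path"]))
                    break
    return hits
```

Run over the sample, only the 217.8.227.181 sequence is flagged; the editor who came from the wiki page itself is left alone.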

Whois says they’re from Siberia, anyway:

inetnum:      217.8.224.0 - 217.8.235.255
netname:      SCS-900
descr:        Siberian Cellular Systems - 900
descr:        GSM provider in Novosibirsk
country:      RU
admin-c:      SY27-RIPE
tech-c:       SY27-RIPE
status:       ASSIGNED PA
notify:       hostmaster@scs-900.ru
mnt-by:       SCS-MNT
changed:      ip-dbm@ripn.net 20021021
source:       RIPE

SORBS says that perhaps that’s a façade:

Address and Port: 217.8.227.181
Record Created: Mon Sep 20 06:39:07 2004 GMT
Record Updated: Mon Sep 20 06:39:07 2004 GMT
Additional Information: Likely Trojaned Machine, host running Korgo3 trojan
Currently active and flagged to be published in DNS
