[Olpc-sysadmin] wiki Talk:page spam attack

Frederick Grose fgrose at gmail.com
Fri Jul 23 01:14:28 EDT 2010 

wiki.laptop.org is being attacked much like wiki.sugarlabs.org was on 13
July 2010 between 11:21 and 19:22 EDT.

See http://wiki.laptop.org/go/Special:RecentChanges for lines like this:

 N  ! 23:56  User talk:Whereresi‎ (diff; hist) . . (+101) . . Whereresi
(Talk | contribs | block) (Created page with 'wear,
http://dotnetfreak.co.uk/members/Lilian_5F00_Devries.aspx teeth whitening
louisiana , sentence.')


Using OpenID for new accounts authentification seems to have ended the
spamming at wiki.SL, although the autoblocking pattern visible here,
http://wiki.laptop.org/go/Special:BlockList, persists at wiki.SL.


See this post,
http://lists.sugarlabs.org/private/systems/2010-July/002197.html if
subscribed, or this extract:

Almost 150 new accounts were opened, almost all placing spamming links in
> the Talk page.

See http://wiki.sugarlabs.org/go/Special:RecentChanges for that time range.
>
At 18:03 I noticed the attack and blocked the most recent account.
>
> Immediately #369 was (Autoblocked because your IP address has been recently
> used by "Eridalad".)
>
> See http://wiki.sugarlabs.org/go/Special:BlockList
>
> After 5 similar cycles, at 18:35, I sent a note to
> webmaster at sugarlabs.orgwith <http://lists.sugarlabs.org/listinfo/systems> this message,
>
> See http://wiki.sugarlabs.org/go/Special:RecentChanges
>
> ...
>
> - decided to disable wiki account creation with this in
> LocalSettings.php
>
> # 2010-07-13 18:41:59 -0400 fgrose
>
> # Prevent new user registrations except by sysops
>
> # 2010-07-13 19:21:21 -0400 fgrose: commented out for testing
>
> # 2010-07-13 19:24:00 -0400 fgrose: reinhibit
>
> $wgGroupPermissions['*']['createaccount'] = false;
>
> ...
>
> The blocklist and the test at 19:21 showed that the attack had not stopped.
>
> (Notice the pattern of increasing odd number autoblocks.)
>
> - updated  http://wiki.sugarlabs.org/go/MediaWiki:Loginprompt to suggest
> that new users create accounts with an OpenID.
>
> This has prevented the spam, but the server and database may still be under
> attack.
>
>           --Fred
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.laptop.org/pipermail/olpc-sysadmin/attachments/20100723/e35680bf/attachment.htm

More information about the Olpc-sysadmin mailing list