Anti-Spam measures for the Wiki. Names are (Suggested/Implemented), or both, if the same person. The source for the current wiki CGI script, and the patch stack, are available here.

Already implemented

Developed but not applied

In progress

Recent spam analysis

I said I'd have a look at the apache logs and see what's going on at the time of the wiki spam attack. With this information we might be able to prepare better defences. I started by grabbing the apache access logs for the hantslug site down to my local machine. Don't fear though I shall not release any information about anyones browsing habbits, I'm only interested in the hacks ma'am, just the hacks.

Next I grabbed a page that was hacked recently, here's a good one - the inter mezzo page will be easy to grep for.

 http://www.hantslug.org.uk/cgi-bin/wiki.pl?[[LinuxHints/InterMezzo]]
The spammer appeared to commit their changes twice, once at 23:17 and again at 23:19.
 Revision 35 . . February 16, 2005 11:19 pm by 69.50.166.2-custblock.intercage.com
 Revision 34 . . February 16, 2005 11:17 pm by 69.50.166.2-custblock.intercage.com
I found the first visit to that page that day.
 218.103.59.59 - - [[16/Feb/2005:03:50:08|+0000]] "GET /cgi-bin/wiki.pl?action=edit&id=[[LinuxHints/SambaAuth]] HTTP/1.0" 200 1137 "-" "libwww-perl/5.803"
 218.103.59.59 - - [[16/Feb/2005:03:50:12|+0000]] "GET /cgi-bin/wiki.pl?action=edit&id=[[MailingList/TopPosting]] HTTP/1.0" 200 1137 "-" "libwww-perl/5.803"
 218.103.59.59 - - [[16/Feb/2005:03:50:16|+0000]] "GET /cgi-bin/wiki.pl?action=edit&id=[[AboutWiki]] HTTP/1.0" 200 1137 "-" "libwww-perl/5.803"
 218.103.59.59 - - [[16/Feb/2005:03:50:28|+0000]] "GET /cgi-bin/wiki.pl?action=edit&id=[[LinuxHints]] HTTP/1.0" 200 1137 "-" "libwww-perl/5.803"
 218.103.59.59 - - [[16/Feb/2005:03:50:40|+0000]] "GET /cgi-bin/wiki.pl?action=edit&id=[[LinuxHints/InterMezzo]] HTTP/1.0" 200 1137 "-" "libwww-perl/5.803"
Note with interest that netblock is owned by someone in the far east..
Next we look for all other visits from that IP.. Boy oh boy it's hit every page - some many times.
 218.103.59.59 - - [[16/Feb/2005:03:50:08|+0000]] "GET /cgi-bin/wiki.pl?action=edit&id=[[LinuxHints/SambaAuth]] HTTP/1.0" 200 1137 "-" "libwww-perl/5.803"
 :
 : snipped 591 lines
 :
 218.103.59.59 - - [[16/Feb/2005:04:37:17|+0000]] "GET /cgi-bin/wiki.pl?action=edit&id=[[LinuxHints/UpdatingGrub]] HTTP/1.0" 200 1137 "-" "libwww-perl/5.803"
Thats about 590 odd hits over a 40 min period which equates to about 15 a minute or one hit every 4 seconds. I don't care how fast [[ThomasAdam]] is at maintaining the wiki, he can't keep up with this puppy!
Ok, move on to look for the next hits because those times don't tie up with the times of the spam. Scout forewards to the next hits on the mezzo page..
 69.50.166.2 - - [[16/Feb/2005:23:17:19|+0000]] "POST /cgi-bin/wiki.pl HTTP/1.0" 302 162 "-" "libwww-perl/5.803"
 69.50.166.2 - - [[16/Feb/2005:23:17:20|+0000]] "GET /cgi-bin/wiki.pl?action=edit&id=[[LinuxHints/InterMezzo]] HTTP/1.0" 200 14270 "-" "libwww-perl/5.803"
 69.50.166.2 - - [[16/Feb/2005:23:17:21|+0000]] "POST /cgi-bin/wiki.pl HTTP/1.0" 302 195 "-" "libwww-perl/5.803"
 69.50.166.2 - - [[16/Feb/2005:23:17:22|+0000]] "GET /cgi-bin/wiki.pl?action=edit&id=[[MailingList/UnSubscribe]] HTTP/1.0" 200 3088 "-" "libwww-perl/5.803"
Some GETs and POSTs, this is where the hack actually took place. Note the IP address ties up with the RDNS recorded in the recent changes to the page.
After that the next hit to that page were the recovery of it by the crack wiki-fix team.

Here's what we learn.

 [1] http://taka.no32.tk/diary/?date=200501
 [2] http://www.yaizawa.jp/diary/?date=20050118
 [3] http://www.fkimura.com/diary/?date=20050114

Some suggestions which may need to be moved to the next section down, but which appear appropriate here because they are directly related to the above research.

 [[RewriteCond]] %{HTTP_USER_AGENT} ^libwww-perl/[0-9] [NC] 

The above was initially written by AlanPope

Suggestions

AntiSpam (last edited 2009-01-04 15:03:50 by 195)