[Mediawiki-l] My wiki has problems with a californian cracker

Giovanni Gherdovich gherdovich at students.math.unifi.it
Sat Jul 28 15:25:20 UTC 2007


Hello dear MW users,

I am writing this message because my wiki was attacked
by a WWW bot that replaced the content of a discussion
page with some links to malicious websites.

This is the vandalized page:
http://web.math.unifi.it/beppolevi/index.php/Discussioni_utente:WikiSysop

and this is the page with info about that "user":
http://web.math.unifi.it/beppolevi/index.php/Speciale:Contributi/216.93.179.108

All I know is its IP address, 216.93.179.108.

I tried to query the WHOIS database with the prompt
=================
whois -h whois.arin.net 216.93.179.108
=================

and I got

*********************************

OrgName:    ServePath, LLC
OrgID:      SERVEP
Address:    360 Spear Street.
Address:    Suite 200
City:       San Francisco
StateProv:  CA
PostalCode: 94105
Country:    US

ReferralServer: rwhois://rwhois.servepath.com:4321

NetRange:   216.93.160.0 - 216.93.191.255
CIDR:       216.93.160.0/19
NetName:    SERVEPATH
NetHandle:  NET-216-93-160-0-1
Parent:     NET-216-0-0-0-0
NetType:    Direct Allocation
NameServer: NS.SERVEPATH.COM
NameServer: NS1.SERVEPATH.COM
Comment:
RegDate:    2002-11-15
Updated:    2003-04-10

RNOCHandle: SN458-ARIN
RNOCName:   NOC, ServePath, ServePath
RNOCPhone:  +1-415-252-3600
RNOCEmail:  noc at servepath.com

OrgTechHandle: SN458-ARIN
OrgTechName:   NOC, ServePath, ServePath
OrgTechPhone:  +1-415-252-3600
OrgTechEmail:  noc at servepath.com
***************************************

The IP node is located in San Francisco
(in front of the bridge, according to
Google Maps!!).

Of course I cannot be sure the cracker is
actually in California...

I tried to traceroute that IP with the prompt
=================
traceroute 216.93.179.108
=================

and I got the path that packets take between my
server (Florence, Italy) and San Francisco.
Of course I'm interested in what is hidden behind
the San Francisco node. How can I discover it?

This is the traceroute output:

********************************
traceroute to 216.93.179.108 (216.93.179.108), 30 hops max, 40 byte packets
 1  10.0.0.2 (10.0.0.2)  8.861 ms  9.097 ms  10.847 ms
 2  FI1IE05R.wind.it (151.6.145.65)  8.943 ms  9.246 ms *
 3  FIAR-B01-Ge2-0.30.wind.it (151.6.69.65)  10.060 ms  9.180 ms  9.980 ms
 4  151.6.7.29 (151.6.7.29)  15.232 ms  14.774 ms  15.806 ms
 5  212.245.228.62 (212.245.228.62)  15.541 ms  15.081 ms  15.737 ms
 6  so-8-1.car1.Milan1.Level3.net (213.242.65.29)  16.097 ms  16.010 ms  16.254 ms
 7  ae-4-4.ebr2.Paris1.Level3.net (4.69.133.134)  33.281 ms  44.139 ms  36.062 ms
 8  ae-5.ebr2.Washington1.Level3.net (4.69.132.113)  120.257 ms  118.710 ms  126.568 ms
 9  ae-92-92.csw4.Washington1.Level3.net (4.69.134.158)  123.717 ms  114.246 ms  123.178 ms
10  ae-94-94.ebr4.Washington1.Level3.net (4.69.134.189)  121.347 ms  115.675 ms  124.935 ms
11  ae-4.ebr3.LosAngeles1.Level3.net (4.69.132.81)  188.811 ms  186.195 ms  181.196 ms
12  ae-2.ebr3.SanJose1.Level3.net (4.69.132.9)  186.953 ms  190.937 ms  196.877 ms
13  ae-93-93.csw4.SanJose1.Level3.net (4.69.134.238)  198.998 ms  189.511 ms  198.439 ms
14  ae-92-92.ebr2.SanJose1.Level3.net (4.69.134.221)  190.567 ms  188.511 ms  194.894 ms
15  ae-4-4.car2.SanFrancisco1.Level3.net (4.69.133.157)  188.257 ms  189.949 ms  189.967 ms
16  ae-11-11.car1.SanFrancisco1.Level3.net (4.69.133.153)  189.608 ms  332.129 ms  199.655 ms
17  YIPES-ENTER.car1.SanFrancisco1.Level3.net (63.211.150.226)  189.971 ms  190.346 ms  190.584 ms
18  border-core1-ge3-0.sfo2.servepath.net (209.213.192.123)  188.986 ms  188.788 ms  190.316 ms
19  customer-reverse-entry.208.96.31.8 (208.96.31.8)  190.327 ms  190.334 ms  189.487 ms
20  customer-reverse-entry.216.93.179.108 (216.93.179.108)  191.396 ms  190.199 ms  189.544 ms
*********************************

Maybe the last two lines, with "customer-reverse-entry",
can offer more hints for a deeper search.

I ask you to give me hints on how I can
locate that cracker, and on how to avoid
this vandalism in the future.

Best regards,
Giovanni Gherdovich
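As an added example (not part of Giovanni's post or of MediaWiki), a small Python script that parses the ARIN answer quoted above, confirms the offending address really falls inside the allocated block, and picks the contact to send an abuse report to; the embedded whois excerpt is constructed from the output in the post, the ' at ' spelling of the e-mail comes from the list archive rather than from ARIN, and the OrgAbuseEmail fallback order is my assumption.

```python
import ipaddress
import re

# Constructed excerpt of the ARIN answer quoted in the post above (the list
# archive rewrites '@' as ' at ' in addresses; the script restores it).
WHOIS_TEXT = """\
OrgName:    ServePath, LLC
OrgID:      SERVEP
NetRange:   216.93.160.0 - 216.93.191.255
CIDR:       216.93.160.0/19
NetName:    SERVEPATH
Comment:
RNOCEmail:  noc at servepath.com
OrgTechEmail:  noc at servepath.com
"""

# Contact fields in order of preference (assumed). OrgAbuseEmail is a real
# ARIN field that this particular record does not carry, so fallbacks matter.
CONTACT_FIELDS = ("OrgAbuseEmail", "RNOCEmail", "OrgTechEmail")


def parse_whois(text):
    """Turn 'Key:   value' lines into a dict, skipping empty values."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*?)\s*$", line)
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields


def abuse_target(ip, whois_text):
    """Confirm the IP is inside the allocation and return whom to notify.

    Raises ValueError when the record does not cover the IP (whois can
    answer for a parent or unrelated block) or names no contact.
    """
    fields = parse_whois(whois_text)
    network = ipaddress.ip_network(fields["CIDR"], strict=False)
    if ipaddress.ip_address(ip) not in network:
        raise ValueError(f"{ip} is not in {network}")
    contact = next((fields[k] for k in CONTACT_FIELDS if k in fields), None)
    if contact is None:
        raise ValueError("no contact e-mail in the whois record")
    return {"org": fields["OrgName"], "network": str(network),
            "contact": contact.replace(" at ", "@")}


print(abuse_target("216.93.179.108", WHOIS_TEXT))
```

The traceroute hops through servepath.net routers just before the "customer-reverse-entry" entries agree with the whois answer, so the report goes to the hosting provider's NOC, not to a residential ISP.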


