I've also had attacks by the same person (using variations of the name -- Kuza22 was the first, and various others), on two different wikis I help manage.
Since this guy seems to be causing problems for a lot of people at the moment, let me describe his modus operandi...
He's adding links, generally doing something like this --
<div id="wiki1883" style="overflow:auto; height: 1px; "> http://casino-on-net.888.web.com http://casino-gaming.888.web.com http://casino-gamble.888.web.com </div>
The 'style' entry in the div causes the text to appear way off the right hand side of the browser screen, although without adding a horizontal scroll bar, hence making it invisible. It's a neat trick...
The URLs are not always the same, I've in the last week had attacks pointing to
* coolhost.biz
* 18.to
* url.to
* web.com
He generally makes many edits to the same page (I'm not sure how he decides his targets), and often even reverts his edits himself! This makes it somewhat harder to notice what's going on, although obviously Recent Changes tells you everything. He's presumably relying on google indexing your page histories; don't let this happen -- I think the canonical solution, at least if you're using apache mod_rewrite to convert URLs like /wiki/Page to /w/index.php?title=Page, is to tell google not to index anything in /w/.
In terms of coping with him, I installed the SpamBlacklist extension. I'm not sure if this worked, or if he just went away. I cleaned up after his attacks by hand, which, for me at least, wasn't too onerous. He makes many many edits, and so fills up your Recent Changes, but they're all on just a few pages. If you change your preferences to use the 'fancy Recent Changes' mode (not sure what it's actually called), you'll be able to see more easily what he's edited. If you need more help cleaning up, and happen to have Mathematica (I know, I know, it's a weird language to write these things in...) I have some little programs to help identify un-reverted edits by this asshole.
Hope that helps some people! Scott
Hallo,
in ZUM-Wiki we have had a massive attack of one user yesterday at night. - Now we have to make a lot of rollbacks of all the changes of this one user (calling himself "Vova93").
Is there an easy way to make a rollback of all changes of this one user together?
Best regards Karl Kirst
Hi,
[...]
> <div id="wiki1883" style="overflow:auto; height: 1px; ">
besides installing the blacklist extension, I have set
$wgSpamRegex="/<div/";
so edits which include '<div' should be blocked. (I can't see any of my regular users using <div>...</div>).
Patrick
>> <div id="wiki1883" style="overflow:auto; height: 1px; ">
> besides installing the blacklist extension, I have set
> $wgSpamRegex="/<div/";
> so edits which include '<div' should be blocked. (I can't see any of my regular users using <div>...</div>).
Isn't it better to use:
$wgSpamRegex="/overflow:auto/";
Because "<div>" can be useful.
Karl Kirst
On 10/12/05, Karl-Otto Kirst post@karl-kirst.de wrote:
>>> <div id="wiki1883" style="overflow:auto; height: 1px; ">
>> besides installing the blacklist extension, I have set
>> $wgSpamRegex="/<div/";
>> so edits which include '<div' should be blocked. (I can't see any of my regular users using <div>...</div>).
> Isn't it better to use:
> $wgSpamRegex="/overflow:auto/";
> Because "<div>" can be useful.
Thanks for these tips, I'll add these to my arsenal. I also got hit by this guy on the GTALUG wiki (http://gtalug.org) and it really pissed me off. I've locked it down and the two others I'm an admin for.
I'll be requiring an update to 1.5, spamassassin, these tweaks and a bit more. I don't think I'll ever allow anonymous editing again, and I'll probably end up with email registration once I figure it out.
Being unable to completely eradicate (not rollback, but delete) edits by a user or IP is really frustrating. Having to ban and hand-edit edits by multiple bots from multiple IPs is outrageous. A properly organized distributed attack could easily completely overwhelm a wiki (countermeasures aren't supplied with mediawiki), requiring a rollback-bot (which isn't supplied with mediawiki) or a database restore followed by a lot of security scaffolding (which isn't supplied with mediawiki).
A default installation of mediawiki is wide open to a lot of different attacks. Small and medium-sized wikis don't have the manpower or tools to fend off bot attacks.
I hope a lot more of these attacks come, and they get a lot smarter.. it'll help push the improvement of defences.
Hi,
>> besides installing the blacklist extension, I have set
>> $wgSpamRegex="/<div/";
>> so edits which include '<div' should be blocked. (I can't see any of my regular users using <div>...</div>).
> Isn't it better to use:
> $wgSpamRegex="/overflow:auto/";
> Because "<div>" can be useful.
Perhaps you are right. But I'll wait for a user's complaint before editing the LocalSettings.php again.
Patrick
mediawiki-l@lists.wikimedia.org
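Added example, not part of any message in the thread: a small PHP script that runs the two $wgSpamRegex values proposed above over constructed edit texts and reports which legitimate edits each would block and which hidden-link edits each would miss. The third pattern, the sample texts and the function name evaluate() are assumptions made for this illustration.

```php
<?php
// Added example: candidate $wgSpamRegex values tested with preg_match(),
// the same kind of match MediaWiki applies to submitted edit text.

$candidates = [
    'block any div'       => '/<div/',
    'block overflow:auto' => '/overflow:auto/',
    // Hypothetical narrower pattern (not from the thread): a <div> whose
    // attributes contain both overflow:auto and a height of 0-2px.
    'hidden div only'     => '/<div\b(?=[^>]*overflow\s*:\s*auto)(?=[^>]*height\s*:\s*[0-2]px)/i',
];

// Constructed samples: [label, wikitext, should the edit be blocked?]
$samples = [
    ['spam block from the thread',
     '<div id="wiki1883" style="overflow:auto; height: 1px; "> http://casino-on-net.888.web.com </div>', true],
    ['same block, other spacing/case',
     '<DIV style="height:1px; overflow: auto">http://spam.example</DIV>', true],
    ['legitimate centred div',
     '<div style="text-align:center">Welcome to the wiki</div>', false],
    ['legitimate scrolling box',
     '<div style="overflow:auto; height: 200px;">long table here</div>', false],
    ['plain text edit',
     'Fixed a typo in the installation notes.', false],
];

// For each pattern, collect legitimate edits it blocks and spam it lets through.
function evaluate(array $candidates, array $samples): array
{
    $results = [];
    foreach ($candidates as $name => $regex) {
        $falsePos = $missed = [];
        foreach ($samples as [$label, $text, $isSpam]) {
            $blocked = preg_match($regex, $text) === 1;
            if ($blocked && !$isSpam) { $falsePos[] = $label; }
            if (!$blocked && $isSpam) { $missed[] = $label; }
        }
        $results[$name] = ['false_positives' => $falsePos, 'missed' => $missed];
    }
    return $results;
}

foreach (evaluate($candidates, $samples) as $name => $r) {
    printf("%-20s blocked-by-mistake: %s | missed: %s\n", $name,
        implode(', ', $r['false_positives']) ?: '-',
        implode(', ', $r['missed']) ?: '-');
}
```

Run it with `php` on the command line and add edits from your own wiki's history to `$samples` before changing LocalSettings.php.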