I'm seeing _lots_ of wikis vandalized by bots today (Tuesday/Wednesday), and I was wondering if anybody else had noticed this and/or had any more information on what is happening.
The wikis I've seen this on all run MediaWiki, so I'm unsure if it is affecting only MediaWiki-based wikis or if it extends to others. Also, the bots only seem to be able to attack a wiki if e-mail registration is not required. The bots create accounts and use the accounts for the vandalism, but if e-mail confirmation is set to on, it seems to stop them. Another thing that seems to stop them is a captcha.
As far as actions taken by the bots, I've seen HTML that was encoded be decoded, blank lines deleted, and content completely removed. The last one in the list scares me the most, as the bots just "eat" away at the content on the wiki. All changes they make are marked as "minor" and each account only seems to make one change before moving on (or registering a new account?).
All the bots seem to have the same type of random account names that seem only to be alphanumeric, contain six characters, and have the first and fourth character be uppercase. Some examples that I found on one of the wikis include: VtjX6p, OcmFis, Gb5Jab, Pm2O0t, SvhYc0, QusUdr, LiiRq5, etc.
I'm not sure if this is some type of new virus/trojan infecting users and then vandalizing wikis, but they are definitely coming from multiple IPs. I'm interested in knowing if the IPs are all from a specific area or if they are spread out over various ISPs. Also, I would like to know how the bots are finding the wikis to vandalize. If they are using a specific query on a search engine, the respective search engine might be able to help stop this madness.
If anybody has any information about these bots, please let me know.
Thanks, ~reed
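Added example, not part of the original thread: one way to turn the profile described above (six-character names with uppercase in positions 1 and 4, a single edit per account, edits marked minor, content removed) into a triage filter over recent edits. The record fields (user, minor, delta), the sample rows, and the two-signal threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Six alphanumeric characters, uppercase in positions 1 and 4. Restricting the
# other positions to lowercase/digits is an assumption drawn from the posted
# examples (VtjX6p, OcmFis, ...), not something the post states.
BOT_NAME = re.compile(r"[A-Z][a-z0-9]{2}[A-Z][a-z0-9]{2}")

def name_matches(user):
    return BOT_NAME.fullmatch(user) is not None

def flag_accounts(edits):
    """Return {user: reasons} for accounts that fit the reported profile.

    edits: iterable of dicts with keys user, minor (bool), delta (bytes changed).
    """
    by_user = defaultdict(list)
    for e in edits:
        by_user[e["user"]].append(e)

    flagged = {}
    for user, rows in by_user.items():
        if not name_matches(user):
            continue
        reasons = ["name pattern"]
        if len(rows) == 1:
            reasons.append("single edit")
        if all(r["minor"] for r in rows):
            reasons.append("all edits minor")
        if any(r["delta"] < 0 for r in rows):
            reasons.append("content removed")
        # The name shape also fits some human-chosen names (e.g. JimBob),
        # so require at least two behavioural signals before flagging.
        if len(reasons) >= 3:
            flagged[user] = reasons
    return flagged

# Constructed sample rows (not real wiki data).
SAMPLE_EDITS = [
    {"user": "VtjX6p", "minor": True, "delta": -5120},
    {"user": "OcmFis", "minor": True, "delta": -14},
    {"user": "Gb5Jab", "minor": True, "delta": 3},
    {"user": "JimBob", "minor": False, "delta": 220},
    {"user": "JimBob", "minor": True, "delta": -8},
    {"user": "reed", "minor": False, "delta": 900},
]

if __name__ == "__main__":
    for user, reasons in sorted(flag_accounts(SAMPLE_EDITS).items()):
        print(user, "->", ", ".join(reasons))
```

Flagged accounts are candidates for manual review and revert, not proof of automation.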
If they create accounts to vandalize, mark as minor, etc., it's likely MediaWiki-specific. "HTML that was encoded be decoded, blank lines deleted": I don't really know what you mean, but it can be part of their processing (e.g. changing entities to their decoded form). If content is being removed, then revert. Can you point to some vandalism examples?
Hello Reed Londen,
The best thing to do here would be to install a captcha on your wiki, or get all of the wikis that are being vandalized to. You do not want a vandal bot to begin to move pages to random names after clearing their content to random characters, because then all you can really look at doing is loading a database backup.
A captcha will protect against all of this, because there are tools available (in maintenance) which will revert all edits of a particular user, so if the bot requires one valid login most of these tricky vandalism tactics will fail.
Requiring an email is almost as effective, but you must take into consideration that it is still possible for the vandal bot to destroy your site if the vandal does not care about identity (the FBI will do nothing in the US if there is not a huge amount of money or revenue lost, and they will especially not do anything if it is for a non-profit wiki). They could easily set up a MAILER-DAEMON for Postfix or Exim or whatnot and an MX record pointing to that on a cheap domain, and then you can be compromised just as easily.
I hope that this helps, Kasimir
On 4/11/07, Platonides <Platonides@gmail.com> wrote:
> If they create accounts to vandalize, mark as minor, etc., it's likely MediaWiki-specific. "HTML that was encoded be decoded, blank lines deleted": I don't really know what you mean, but it can be part of their processing (e.g. changing entities to their decoded form). If content is being removed, then revert. Can you point to some vandalism examples?
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org http://lists.wikimedia.org/mailman/listinfo/mediawiki-l