I am a new administrator and I having a problem with spam on my wiki. Normally I would simply look up the new pages created and delete those pages. However, somehow this user was able to do the following:
1. Create pages that don't allow me (sysop) to delete them. 2. Create pages that don't allow me (sysop) to redirect them. 3. Create pages that are not listed in "Recent Changes". 4. Create pages that are not listed in "All Articles" 5. Create false login pages and copies of real pages that may redirect to other sites? 6. Create pages with URL names
Basically, if I had not seen this on my website user tracking log, I would not know these pages even existed. They are "invisible".
Here are a few examples:
1. http://archivopedia.com/wiki/index.php?title=http%3A%2F%2Fwww.sima-ic.cz%2F_... 2. http://archivopedia.com/wiki/index.php?title=http%3A%2F%2Fwww.sima-ic.cz%2F_... 3. http://archivopedia.com/wiki/index.php?title=http%3A%2F%2Fwww.zetesis.biz%2F... 4. http://archivopedia.com/wiki/index.php?title=http%3A%2F%2Fwww.cjp.spb.ru%2Fe... 5. http://archivopedia.com/wiki/index.php?title=Http:// 6. http://archivopedia.com/wiki/index.php?title=Talk:What_is_a_Wiki%3F&%... 7. http://archivopedia.com/wiki/index.php?Talk:What_is_a_Wiki%3F&%3Bamp%... 8. http://archivopedia.com/wiki/index.php?Special:Userlogin&amp...
They also created at least one false page like this "Editing TalkTalk:Main Page" 1. http://archivopedia.com/wiki/index.php?title=TalkTalk:Main_Page&action=e... 2. http://archivopedia.com/wiki/index.php?:Userlogin&am... 3. http://archivopedia.com/wiki/index.php?Userlogin&amp... 4. http://archivopedia.com/wiki/index.php?http%3A%2F%2Fwww.stomol.ru%2Fcatalog%...;
As well as what appears to be false login pages like these, possibly designed to steal passwords: 1. http://archivopedia.com/wiki/index.php?title=Special:Userlogin&a... 2. http://archivopedia.com/wiki/index.php?title=Special:Userlogin&a... 3. http://archivopedia.com/wiki/index.php?title=Special:Userlogin&a... 4. http://archivopedia.com/wiki/index.php?title=Special:Userlogin&a... 5. http://archivopedia.com/wiki/index.php?title=Special:Userlogin&a...
Steps I have taken:
1. Blocked this IP from futher use of my wiki. 2. Added recaptcha 3. Blocked all unregistered user editing privilidges (at least until this problem is resolved) 4. Added SpamBlacklist extension 5. Created a Spam pages and redirected most of these pages I could find to it (but not the login pages and other pages which are duplicates (?) of original pages)
Remaining Issues. * How do I ensure others won't be able to hack into my system and give themselves Admin rights? * How do I delete the pages they created? * How do I find out if MORE pages were created in this way--from this IP or other IPs? * How do I put all of the appropriate security measures in place to prevent this from happening again? * Should I delete the login and Main Pages and what appear to be other false pages listed above or will this affect the real Main page, and login page, and other REAL pages? * Based on these false login pages, is password security really in jeopardy or does it just look that way? What is the best way to handle this situation?
I could use some assistance from an experienced administrator to help me set up some additional security measures and make corrections.
The specific IP of the known offending party is: 69.61.45.178
ARIN shows that this is:
Global Compass, Inc. NET-GLOBAL-COMPASS (NET-69-61-0-0-1) 69.61.0.0 - 69.61.127.255 SitiosHispanos.Com NET-69-61-45-176-29 (NET-69-61-45-176-1) 69.61.45.176 - 69.61.45.183
There is no information on ARIN where to report abuse.
Will someone also add this person to the BlockedList?
Please contact me at my personal email address: shannon_bohle [@] yahoo.
--------------------------------- Looking for last minute shopping deals? Find them fast with Yahoo! Search.
Here are a few examples:
http://archivopedia.com/wiki/index.php?title=http%3A%2F%2Fwww.sima-ic.cz%2F_... 2. http://archivopedia.com/wiki/index.php?title=http%3A%2F%2Fwww.sima-ic.cz%2F_... 3. http://archivopedia.com/wiki/index.php?title=http%3A%2F%2Fwww.zetesis.biz%2F... 4. http://archivopedia.com/wiki/index.php?title=http%3A%2F%2Fwww.cjp.spb.ru%2Fe... 5. http://archivopedia.com/wiki/index.php?title=Http:// 6. http://archivopedia.com/wiki/index.php?title=Talk:What_is_a_Wiki%3F&%3Ba... 7. http://archivopedia.com/wiki/index.php?Talk:What_is_a_Wiki%3F&%3Bamp%3Ba... 8. http://archivopedia.com/wiki/index.php?Special:Userlogin&amp...
Some of those pages don't seem to exist, those that do just redirect to "SPAM" and the histories show just one edit by "Admin1" creating the redirect, except for a couple that seem to be invalid and just default to the main page. What seems to be the problem?
Will someone also add this person to the BlockedList?
What blocked list do you mean? Only you can block people from your site. Just use Special:Blockip.
wiki/index.php?title=http%3A%2F%2Fwww.cjp.spb.ru
In .htaccess slam goes the door:
<IfModule mod_rewrite.c> RewriteEngine on RewriteCond %{QUERY_STRING} http [NC] RewriteRule . - [F] </IfModule>
Shoot first and ask questions later. Not sure what they're up to. Boom anyway.
Am Samstag, den 12.01.2008, 14:09 -0800 schrieb Shannon Bohle:
Basically, if I had not seen this on my website user tracking log, I would not know these pages even existed. They are "invisible".
I guess what you see is "There is currently no text in this page, you can search for this page title in other pages or edit this page." This means that the page does not exist in your wiki. And only that's why you can't delete or redirect them. So don't worry, the spammers did not actually create these pages. They may have added links to the non-existing pages on other pages.
~ Kilian
mediawiki-l@lists.wikimedia.org