[Mediawiki-l] My wiki has problems with a californian cracker
Giovanni Gherdovich
gherdovich at students.math.unifi.it
Sat Jul 28 15:25:20 UTC 2007
Hello dear MW users,
I write this message because my Wiki was attacked
by a WWW BOT that substituted the content of a discussion
page with some links to malicious websites.
This is the vandalized page:
http://web.math.unifi.it/beppolevi/index.php/Discussioni_utente:WikiSysop
and this is the page with info about that "user":
http://web.math.unifi.it/beppolevi/index.php/Speciale:Contributi/216.93.179.108
All I know is its IP address, 216.93.179.108.
I tried to query the WHOIS database with the prompt
=================
whois -h whois.arin.net 216.93.179.108
=================
and I got
*********************************
OrgName: ServePath, LLC
OrgID: SERVEP
Address: 360 Spear Street.
Address: Suite 200
City: San Francisco
StateProv: CA
PostalCode: 94105
Country: US
ReferralServer: rwhois://rwhois.servepath.com:4321
NetRange: 216.93.160.0 - 216.93.191.255
CIDR: 216.93.160.0/19
NetName: SERVEPATH
NetHandle: NET-216-93-160-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Allocation
NameServer: NS.SERVEPATH.COM
NameServer: NS1.SERVEPATH.COM
Comment:
RegDate: 2002-11-15
Updated: 2003-04-10
RNOCHandle: SN458-ARIN
RNOCName: NOC, ServePath, ServePath
RNOCPhone: +1-415-252-3600
RNOCEmail: noc at servepath.com
OrgTechHandle: SN458-ARIN
OrgTechName: NOC, ServePath, ServePath
OrgTechPhone: +1-415-252-3600
OrgTechEmail: noc at servepath.com
***************************************
The IP node is located in San Francisco
(in front of the bridge, following
Google Maps!!).
Of course I cannot be sure the cracker is
actually in California...
I tried to traceroute that IP with the prompt
=================
traceroute 216.93.179.108
=================
and I got the path that packets take between my
server (Florence, Italy) and San Francisco.
Of course I'm interested in what is hidden behind
the San Francisco node. How can I discover it?
This is the traceroute output:
********************************
traceroute to 216.93.179.108 (216.93.179.108), 30 hops max, 40 byte packets
 1  10.0.0.2 (10.0.0.2)  8.861 ms  9.097 ms  10.847 ms
 2  FI1IE05R.wind.it (151.6.145.65)  8.943 ms  9.246 ms  *
 3  FIAR-B01-Ge2-0.30.wind.it (151.6.69.65)  10.060 ms  9.180 ms  9.980 ms
 4  151.6.7.29 (151.6.7.29)  15.232 ms  14.774 ms  15.806 ms
 5  212.245.228.62 (212.245.228.62)  15.541 ms  15.081 ms  15.737 ms
 6  so-8-1.car1.Milan1.Level3.net (213.242.65.29)  16.097 ms  16.010 ms  16.254 ms
 7  ae-4-4.ebr2.Paris1.Level3.net (4.69.133.134)  33.281 ms  44.139 ms  36.062 ms
 8  ae-5.ebr2.Washington1.Level3.net (4.69.132.113)  120.257 ms  118.710 ms  126.568 ms
 9  ae-92-92.csw4.Washington1.Level3.net (4.69.134.158)  123.717 ms  114.246 ms  123.178 ms
10  ae-94-94.ebr4.Washington1.Level3.net (4.69.134.189)  121.347 ms  115.675 ms  124.935 ms
11  ae-4.ebr3.LosAngeles1.Level3.net (4.69.132.81)  188.811 ms  186.195 ms  181.196 ms
12  ae-2.ebr3.SanJose1.Level3.net (4.69.132.9)  186.953 ms  190.937 ms  196.877 ms
13  ae-93-93.csw4.SanJose1.Level3.net (4.69.134.238)  198.998 ms  189.511 ms  198.439 ms
14  ae-92-92.ebr2.SanJose1.Level3.net (4.69.134.221)  190.567 ms  188.511 ms  194.894 ms
15  ae-4-4.car2.SanFrancisco1.Level3.net (4.69.133.157)  188.257 ms  189.949 ms  189.967 ms
16  ae-11-11.car1.SanFrancisco1.Level3.net (4.69.133.153)  189.608 ms  332.129 ms  199.655 ms
17  YIPES-ENTER.car1.SanFrancisco1.Level3.net (63.211.150.226)  189.971 ms  190.346 ms  190.584 ms
18  border-core1-ge3-0.sfo2.servepath.net (209.213.192.123)  188.986 ms  188.788 ms  190.316 ms
19  customer-reverse-entry.208.96.31.8 (208.96.31.8)  190.327 ms  190.334 ms  189.487 ms
20  customer-reverse-entry.216.93.179.108 (216.93.179.108)  191.396 ms  190.199 ms  189.544 ms
*********************************
Maybe the last two lines, with "customer-reverse-entry",
can offer more hints for a deeper search.
I ask you to give me hints about how I can
locate that cracker, and on how to avoid
this vandalism in the future.
Best regards,
Giovanni Gherdovich