[Mediawiki-l] HELP request -- Spam pages and FALSE LOGIN pages on wiki

Sat Jan 12 22:09:22 UTC 2008

I am a new administrator and I having a problem with spam on my wiki. Normally I would simply look up the new pages created and delete those pages. However, somehow this user was able to do the following:

  1. Create pages that don't allow me (sysop)  to delete them.
  2. Create pages that don't allow me (sysop) to redirect them.
  3. Create pages that are not listed in "Recent Changes".
  4. Create pages that are not listed in "All Articles"
  5. Create false login pages and copies of real pages that may redirect to other sites?
  6. Create pages with URL names

  Basically, if I had not seen this on my website user tracking log, I would not know these pages even existed. They are "invisible". 

  Here are a few examples:

  1. 
  http://archivopedia.com/wiki/index.php?title=http%3A%2F%2Fwww.sima-ic.cz%2F_new%2Fiwer%2Fkepe%2F&amp;amp%3Bamp%3Bamp%3Bamp%3Bamp%
  2. http://archivopedia.com/wiki/index.php?title=http%3A%2F%2Fwww.sima-ic.cz%2F_new%2Fiwer%2Fkepe%2F&amp;amp%3Bamp%3Bamp%3Bamp%3Bamp%
  3. http://archivopedia.com/wiki/index.php?title=http%3A%2F%2Fwww.zetesis.biz%2FLMR%2Fixif%2Fuvakuzu%2F&amp;amp%3Bamp%3Bamp%3Bamp%3Ba
  4. http://archivopedia.com/wiki/index.php?title=http%3A%2F%2Fwww.cjp.spb.ru%2Fen%2Ftis%2Fleboma%2F&amp;amp;amp;amp;amp;amp;amp;type=
  5. http://archivopedia.com/wiki/index.php?title=Http://
  6. http://archivopedia.com/wiki/index.php?title=Talk:What_is_a_Wiki%3F&amp;amp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Baction=edit&amp;a
  7. http://archivopedia.com/wiki/index.php?Talk:What_is_a_Wiki%3F&amp;amp%3Bamp%3Bamp%3Bamp%3Bamp%3Bamp%3Baction=edit&amp;a
8. http://archivopedia.com/wiki/index.php?Special:Userlogin&amp;amp;amp;amp;amp;amp;amp;returnto=What_is_a_Wiki%3F

  They also created at least one false page like this "Editing TalkTalk:Main Page"
  1. http://archivopedia.com/wiki/index.php?title=TalkTalk:Main_Page&action=edit
  2. http://archivopedia.com/wiki/index.php?:Userlogin&amp;amp;amp;amp;amp;amp;amp;type=http%3A%2F%2Fwww.sectoranime.com
  3. http://archivopedia.com/wiki/index.php?Userlogin&amp;amp;amp;amp;amp;amp;amp;returnto=Main_Page
  4. http://archivopedia.com/wiki/index.php?http%3A%2F%2Fwww.stomol.ru%2Fcatalog%2Fafa%2Fazo%2F&amp;amp;amp;amp;amp;amp;amp;amp;

  As well as what appears to be false login pages like these, possibly designed to steal passwords:
  1. http://archivopedia.com/wiki/index.php?title=Special:Userlogin&amp;amp;amp;amp;amp;amp;amp;type=http%3A%2F%2Fwww.sacred-fr.com%2F
  2. http://archivopedia.com/wiki/index.php?title=Special:Userlogin&amp;amp;amp;amp;amp;amp;amp;amp;returnto=http%3A%2F%2Fwww.scrappin
  3. http://archivopedia.com/wiki/index.php?title=Special:Userlogin&amp;amp;amp;amp;amp;amp;amp;amp;returnto=http%3A%2F%2Fwww.channeln
  4. http://archivopedia.com/wiki/index.php?title=Special:Userlogin&amp;amp;amp;amp;amp;amp;amp;amp;returnto=http%3A%2F%2Fwww.005flowe
  5. http://archivopedia.com/wiki/index.php?title=Special:Userlogin&amp;amp;amp;amp;amp;amp;amp;returnto=What_is_a_Wiki%3F

  Steps I have taken:

  1. Blocked this IP from futher use of my wiki. 
  2. Added recaptcha
  3. Blocked all unregistered user editing privilidges (at least until this problem is resolved)
  4. Added SpamBlacklist extension 
  5. Created a Spam pages and redirected most of these pages I could find to it (but not the login pages and other pages which are duplicates (?) of original pages)

  Remaining Issues.
  * How do I ensure others won't be able to hack into my system and give themselves Admin rights?
  * How do I delete the pages they created?  
  * How do I find out if MORE pages were created in this way--from this IP or other IPs? 
  * How do I put all of the appropriate security measures in place to prevent this from happening again?
  * Should I delete the login and Main Pages and what appear to be other false pages listed above or will this affect the real Main page, and login page, and other REAL pages?
  * Based on these false login pages, is password security really in jeopardy or does it just look that way? What is the best way to handle this situation?

  I could use some assistance from an experienced administrator to help me set up some additional security measures and make corrections.

  The specific IP of the known offending party is: 69.61.45.178

  ARIN shows that this is:

  Global Compass, Inc. NET-GLOBAL-COMPASS (NET-69-61-0-0-1) 
                                  69.61.0.0 - 69.61.127.255
SitiosHispanos.Com NET-69-61-45-176-29 (NET-69-61-45-176-1) 
                                  69.61.45.176 - 69.61.45.183

  There is no information on ARIN where to report abuse.

  Will someone also add this person to the BlockedList?

  Please contact me at my personal email address: shannon_bohle [@] yahoo. 

---------------------------------
Looking for last minute shopping deals?  Find them fast with Yahoo! Search.