To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------

---------- Forwarded message ----------
Date: Wed, 11 Apr 2007 02:32:46 -0500
From: Reed Loden <[EMAIL PROTECTED]>
To: funsec@linuxbox.org
Subject: [funsec] Widespread vandalism of wikis by some type of bot

I'm seeing _lots_ of wikis vandalized by bots today (Tuesday/Wednesday),
and I was wondering if anybody else had noticed this and/or had any more
information on what is happening.

The wikis I've seen this on all run MediaWiki, so I'm unsure if it is
affecting only MediaWiki-based wikis or if it extends to others.
Also, the bots only seem to be able to attack a wiki if e-mail
registration is not required. The bots create accounts and use the
accounts for the vandalism, but if e-mail confirmation is set to on, it
seems to stop them. Another thing that seems to stop them is a captcha.

As far as actions taken by the bots, I've seen HTML that was encoded
be decoded, blank lines deleted, and content completely removed. The
last one in the list scares me the most, as the bots just "eat" away at
the content on the wiki. All changes they make are marked as "minor"
and each account only seems to make one change before moving on (or
registering a new account?).

All the bots seem to have the same type of random account names that
seem only to be alphanumeric, contain six characters, and have the
first and fourth character be uppercase. Some examples that I found on
one of the wikis include: VtjX6p, OcmFis, Gb5Jab, Pm2O0t, SvhYc0,
QusUdr, LiiRq5, etc.

I'm not sure if this is some type of new virus/trojan infecting users
and then vandalizing wikis, but they are definitely coming from
multiple IPs. I'm interested in knowing if the IPs are all from a
specific area or if they are spread out over various ISPs. Also, I
would like to know how the bots are finding the wikis to vandalize. If
they are using a specific query on a search engine, the respective
search engine might could help stop this madness.

If anybody has any information about these bots, please let me know.

Thanks,
~reed

-- 
Reed Loden - <[EMAIL PROTECTED]>
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
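
An added example, not part of the original message: a triage script for a wiki administrator that combines the account-name shape and the edit behaviour described above. The record fields (`user`, `minor`, `size_delta`, `ip`) are hypothetical, the sample rows are constructed, and treating the four non-uppercase characters as lowercase letters or digits is an assumption drawn from the names quoted in the message.

```python
import re
from collections import defaultdict

# Shape reported in the message: six alphanumeric characters, first and
# fourth uppercase. Assumption: the other four are lowercase letters or
# digits, as in every sample name quoted in the message.
BOT_NAME = re.compile(r"[A-Z][a-z0-9]{2}[A-Z][a-z0-9]{2}")

def flag_accounts(edits):
    """Return {user: reasons} for accounts matching the reported behaviour.

    Each edit is a dict with hypothetical keys: user, minor (bool),
    size_delta (bytes added, negative when content was removed), ip.
    """
    by_user = defaultdict(list)
    for e in edits:
        by_user[e["user"]].append(e)
    flagged = {}
    for user, rows in by_user.items():
        reasons = []
        if BOT_NAME.fullmatch(user):
            reasons.append("name-pattern")
        if len(rows) == 1 and rows[0]["minor"]:
            reasons.append("single-minor-edit")
        if any(r["size_delta"] < 0 for r in rows):
            reasons.append("content-removed")
        # Require the name shape plus at least one behavioural signal, so a
        # real user who merely has a similar-looking name is not flagged.
        if "name-pattern" in reasons and len(reasons) >= 2:
            flagged[user] = reasons
    return flagged

def source_ips(edits, flagged):
    """Distinct source IPs behind flagged accounts, for ISP/region triage."""
    return sorted({e["ip"] for e in edits if e["user"] in flagged})

# Constructed sample records; the IPs are documentation-range addresses.
SAMPLE = [
    {"user": "VtjX6p", "minor": True, "size_delta": -5120, "ip": "192.0.2.10"},
    {"user": "OcmFis", "minor": True, "size_delta": -12, "ip": "198.51.100.7"},
    {"user": "Gb5Jab", "minor": True, "size_delta": -300, "ip": "203.0.113.5"},
    {"user": "AliceB", "minor": False, "size_delta": 240, "ip": "192.0.2.44"},
    {"user": "BobSmi", "minor": True, "size_delta": 3, "ip": "192.0.2.45"},
    {"user": "BobSmi", "minor": False, "size_delta": 90, "ip": "192.0.2.45"},
]

if __name__ == "__main__":
    hits = flag_accounts(SAMPLE)
    for user, reasons in hits.items():
        print(user, reasons)
    print(source_ips(SAMPLE, hits))
```

The constructed account `BobSmi` matches the name shape but is not flagged, because it has more than one edit and removed no content.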

_______________________________________________
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
