spam on *base

Lukas 1lukas1 at gmail.com
Fri Jun 24 00:45:48 UTC 2011


On 23 June 2011 21:08, Anne Wilson <annew at kde.org> wrote:

> On Thursday 23 Jun 2011 18:02:44 Lukas wrote:
> > http://lydgate.org/blogs/?p=283
> >
> > * Is the spam done by bots (replacing the entire page), or does it look like
> > manual "jobs" inserting random bits of spam into genuine code?
> > * The post mentions deletes. Could it be that the deletes are done by search
> > bots crawling the pages and hitting .php?action=delete links?
> >
> This new attack is the one that I'm concerned about.  Each one comes from an
> IP address, IOW not a registered user.  Whois returns show that the IPs are
> registered in many countries, so I concluded that it is a botnet.
>
> Unlike previous spam, it is not concerned with advertising products or
> services, and not inserting external links.  There is a clear pattern in it.
> A large section of a page is deleted.  In its place is a remark something like
> "And I thought I was the clever one".  I get the impression that there is a
> list of phrases and a random one is being inserted.  It may be coincidence,
> but it seems to me that mis-spellings are being used to avoid regex or some
> other search.  It feels as though a random word is chosen, and two letters
> transposed.  Here's an example from my user notes:
>
> Deleted -
>
> ==Notes from Akademy==
>     +
>  * <s>Oxygen skin makes too little use of wider screens and is equally bad on hand-helds.</s> Chihuahua is now default and uses all sizes correctly (fingers crossed)
>     +
> ....
>     +
>  * Ask how to remove accidentally created language page - eg
> http://userbase.kde.org/An_introduction_to_KDE/en-gb
>
> Inserted -
>
> That’s not just logic. That’s relaly sensible.
>
>
Looks like someone is tagging "insecure" websites: either for future reuse
(just search
http://www.google.com/search?q=%22That%E2%80%99s+not+just+logic.+That%E2%80%99s+relaly+sensible.%22),
or testing a new spam bot, or preparing to control a spam bot network.

Anyway, it looks like it's a more standard attack, rather than a direct one on
KDE sites, so it should be possible to prevent them :)

Ingo, could you send me links/a quick how-to/a link to a wiki page, so I could
clone the current MediaWiki instance and play on localhost? Sorry, I'm
not very used to the current KDE infrastructure :)

Lukas
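
The edit pattern described in this thread (editor is a bare IP, a large section is deleted, a short link-free phrase with two letters transposed is inserted), as an added detection sketch that is not part of the original message or KDE's tooling. The thresholds, the corrected spelling in the phrase list, the sample page and the IP address are assumptions constructed for the example.

```python
import difflib, ipaddress, re

# Phrases quoted in the thread; the correct spelling "really" is an assumption.
KNOWN_PHRASES = ["And I thought I was the clever one",
                 "That's not just logic. That's really sensible."]

def words(text):
    text = text.lower().replace("\u2019", "'")  # fold typographic apostrophe
    return re.sub(r"[^a-z0-9' ]+", " ", text).split()

def swapped(a, b):
    """True when b is a with exactly one adjacent letter pair transposed."""
    d = [i for i in range(min(len(a), len(b))) if a[i] != b[i]]
    return (len(a) == len(b) and len(d) == 2 and d[1] == d[0] + 1
            and a[d[0]] == b[d[1]] and a[d[1]] == b[d[0]])

def matches_known_phrase(inserted):
    got = words(inserted)
    for phrase in KNOWN_PHRASES:
        ref = words(phrase)
        bad = [(r, g) for r, g in zip(ref, got) if r != g]
        # Tolerate one transposed word, which defeats an exact-match regex.
        if len(ref) == len(got) and len(bad) <= 1 and all(swapped(r, g) for r, g in bad):
            return True
    return False

def is_anonymous(user):
    try:  # MediaWiki lists unregistered editors by IP address
        ipaddress.ip_address(user)
        return True
    except ValueError:
        return False

def classify_edit(user, old, new, min_removed=200, max_added=120):
    o, n = old.splitlines(), new.splitlines()
    removed, added = [], []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, o, n, autojunk=False).get_opcodes():
        if tag != "equal":
            removed += o[i1:i2]
            added += n[j1:j2]
    text = " ".join(added)
    return {"anonymous": is_anonymous(user),
            "blanking": sum(map(len, removed)) >= min_removed and 0 < len(text) <= max_added,
            "no_links": not re.search(r"https?://", text),
            "known_phrase": matches_known_phrase(text)}

# Constructed sample edit (documentation-range IP, made-up page content).
OLD = "==Intro==\nKeep this line.\n==Notes==\n" + "\n".join(
    f"* constructed note {i} with enough text to count" for i in range(8))
NEW = "==Intro==\nKeep this line.\nThat\u2019s not just logic. That\u2019s relaly sensible."
print(classify_edit("203.0.113.7", OLD, NEW))
```

An edit that sets the first three flags fits the pattern even when the phrase is new; the phrase match only adds confidence for phrases already seen.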


More information about the kde-www mailing list