[pmwiki-users] New spammer tactic (fwd)

christian.ridderstrom at gmail.com christian.ridderstrom at gmail.com
Sun Sep 17 16:21:50 CDT 2006


On Sun, 17 Sep 2006, Patrick R. Michaud wrote:

> On Sun, Sep 17, 2006 at 10:20:52PM +0200, christian.ridderstrom at gmail.com wrote:
> > The spammer has created upload directories and placed .html-files there...
> 
> On pmwiki.org...?  Okay, I've turned off uploading of .htm/.html there,
> and removed any existing .htm/.html files.

No, not on pmwiki.org, this was wiki.lyx.org.

I think it is the same spammer that first spent quite an effort to insert 
spam within >>white<<...>><<. Then he started fiddling with attributes of 
various pages, typically LyX/LyX, BibTeX/BibTeX and Playground/Plaground 
etc. He'd often set the upload password.

Then I noticed that he had uploaded files to uploads/Playground/... these 
files where spam for medications. In addition, he had even created a cron 
job that uploaded them repeatedly...

Note that he actually went to the effort of finding the upload password 
(which was documented on Site.AboutUplaods). Also note that the site isn't 
using the standard mechanism for uploading, but another file manager.

Anyway, once I changed the upload password the uploading was stopped.

Oh... the later files that were uploaded didn't have an extension at all.

So this guy was very persistent and went through quite a bit of work... 
and he knows a bit about PmWiki, perhaps even following this list. Of 
course, judging from his fiddling with attributes he must be quite a bit 
of an amateur. I would have done things quite differently.

Here are two IP's I think he has used: 85.202.118.56 and 85.249.85.48
although they probably don't mean much.

/Christian

PS. The guy was still at it just a few minutes ago, trying with 
'Attach:...'. Of course, since I've disabled PmWiki's normal uploading 
mechanism that won't work.

-- 
Christian Ridderström, +46-8-768 39 44               http://www.md.kth.se/~chr


More information about the pmwiki-users mailing list