[pmwiki-users] New spammer tactic (fwd)
IchBin
weconsul at ptd.net
Sun Sep 17 18:18:17 CDT 2006
christian.ridderstrom at gmail.com wrote:
> On Sun, 17 Sep 2006, Patrick R. Michaud wrote:
>
>> On Sun, Sep 17, 2006 at 10:20:52PM +0200, christian.ridderstrom at gmail.com wrote:
>>> The spammer has created upload directories and placed .html-files there...
>> On pmwiki.org...? Okay, I've turned off uploading of .htm/.html there,
>> and removed any existing .htm/.html files.
>
> No, not on pmwiki.org, this was wiki.lyx.org.
>
> I think it is the same spammer that first spent quite an effort to insert
> spam within >>white<<...>><<. Then he started fiddling with attributes of
> various pages, typically LyX/LyX, BibTeX/BibTeX and Playground/Playground
> etc. He'd often set the upload password.
>
> Then I noticed that he had uploaded files to uploads/Playground/... these
> files were spam for medications. In addition, he had even created a cron
> job that uploaded them repeatedly...
>
> Note that he actually went to the effort of finding the upload password
> (which was documented on Site.AboutUploads). Also note that the site isn't
> using the standard mechanism for uploading, but another file manager.
>
> Anyway, once I changed the upload password the uploading was stopped.
>
> Oh... the later files that were uploaded didn't have an extension at all.
>
> So this guy was very persistent and went through quite a bit of work...
> and he knows a bit about PmWiki, perhaps even following this list. Of
> course, judging from his fiddling with attributes he must be quite a bit
> of an amateur. I would have done things quite differently.
>
> Here are two IPs I think he has used: 85.202.118.56 and 85.249.85.48
> although they probably don't mean much.
>
> /Christian
>
> PS. The guy was still at it just a few minutes ago, trying with
> 'Attach:...'. Of course, since I've disabled PmWiki's normal uploading
> mechanism that won't work.
I tracked down the ISPs for those two IP addresses. They are both in
Europe (Russia & Ukraine). The Ukraine ISP has an abuse address
(abuse at volia.net). The Russian ISP does not have one.
Here is ISP Information for: *85.249.85.48* (Russia)
inetnum: 85.249.80.0 - 85.249.95.255
netname: INFOCENTER
descr: JSC "INFOCENTER" Network
country: RU
admin-c: AVT27-RIPE
tech-c: AID17-RIPE
status: ASSIGNED PA
mnt-by: ELTEL-RIPE-MNT
source: RIPE # Filtered
Here is ISP Information for: *85.202.118.56* (Ukraine)
inetnum: 85.202.96.0 - 85.202.127.255
netname: VOLIA
descr: Volia ISP Dynamic IP Pool #3
country: UA
admin-c: VNCC-RIPE
tech-c: VNCC-RIPE
status: ASSIGNED PA
remarks: ------------------------------------------
remarks: This pool used for Volia Broadband service
remarks:
remarks: To postmasters: You MAY discard SMTP con-
remarks: nections from this subnet - customers MTAs
remarks: can't appear here due our SLA.
remarks: ------------------------------------------
mnt-by: VOLIA-MNT
source: RIPE # Filtered
% Information related to '85.202.0.0/16AS25229'
route: 85.202.0.0/16
descr: Volia ISP Primary Route
origin: AS25229
mnt-by: VOLIA-MNT
source: RIPE # Filtered
--
Thanks in Advance...
IchBin, Pocono Lake, Pa, USA http://weconsultants.phpnet.us
'If there is one, Knowledge is the "Fountain of Youth"'
-William E. Taylor, Regular Guy (1952-)
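
The thread describes spam landing in uploads/Playground/ first as .html files and later as files with no extension at all. As an added example (not part of the original messages and not PmWiki code), here is a sweep of an upload tree that flags both cases plus HTML hidden behind another extension; the function names, marker list and sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

HTML_EXTS = {".htm", ".html"}
# Byte markers that suggest a file is really HTML (assumed heuristic list).
HTML_MARKERS = (b"<html", b"<!doctype html", b"<script", b"<a href", b"<meta")

def audit_uploads(root):
    """Return sorted (relative_path, reason) pairs for suspicious files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                head = fh.read(2048).lower()
            if ext in HTML_EXTS:
                findings.append((rel, "html-extension"))
            elif ext == "":
                # Blocking .htm/.html alone misses this case from the thread.
                findings.append((rel, "no-extension"))
            elif any(marker in head for marker in HTML_MARKERS):
                findings.append((rel, "html-content"))
    return sorted(findings)

def build_sample_tree(root):
    """Write a constructed sample tree mimicking the layout in the thread."""
    samples = {
        "Playground/pills.html": b"<html><a href='http://example.invalid/'>x</a></html>",
        "Playground/meds": b"<HTML><body>constructed spam</body></HTML>",
        "Playground/notes.txt": b"<!DOCTYPE html><html>disguised</html>",
        "LyX/manual.pdf": b"%PDF-1.4 constructed sample",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_uploads(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:15} {rel}")
```

Run from cron against the real upload directory, a non-empty result is a cue to review the listed files and rotate the upload password.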