[Systems] wiki account creation, Talk page spam

[Frederick Grose]

We suffered a wiki spam attack today between 11:21 and 19:22 EDT.
Almost 150 new accounts were opened, almost all placing spamming links in
the Talk page.
See http://wiki.sugarlabs.org/go/Special:RecentChanges for that time range.

At 18:03 I noticed the attack and blocked the most recent account.
Immediately #369 was (Autoblocked because your IP address has been recently
used by "Eridalad".)

See http://wiki.sugarlabs.org/go/Special:BlockList

After 5 similar cycles, at 18:35, I sent a note to
webmaster at sugarlabs.orgwith this message,

See http://wiki.sugarlabs.org/go/Special:RecentChanges

We are under attack, and single blocks are not impeding the attack.

Should we inhibit new accounts until we understand this?


- received an automatic response with this ID:  [rt.sugarlabs.org #36]

- then decided to disable wiki account creation with this in
LocalSettings.php

# 2010-07-13 18:41:59 -0400 fgrose

# Prevent new user registrations except by sysops

# 2010-07-13 19:21:21 -0400 fgrose: commented out for testing

# 2010-07-13 19:24:00 -0400 fgrose: reinhibit

$wgGroupPermissions['*']['createaccount'] = false;


- signed into irc://irc.freenode.net#sugar and pinged for bernie sascha
smparrish, with no response.

The blocklist and the test at 19:21 showed that the attack had not stopped.
(Notice the pattern of increasing odd number autoblocks.)

- updated  http://wiki.sugarlabs.org/go/MediaWiki:Loginprompt to suggest
that new users create accounts with an OpenID.

This has prevented the spam, but the server and database may still be under
attack.

          --Fred
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.sugarlabs.org/private/systems/attachments/20100713/94890263/attachment.htm