[Systems] Wiki spam attack.

[Chris Leonard]

On Wed, May 11, 2016 at 1:05 PM, Samuel Cantero <scanterog at gmail.com> wrote:
> Chris do you have the usernames? That could be of help.
>
> If I recall correctly, lately the only way to get a wiki user is requesting
> one.

My concern is that somehow these users seem to be getting around that.
It starts with a few probes then turns into a flood.

> Over time there has been a lot of GCI wiki users. Maybe some of them could
> have weak passwords. Just guessing.

Nope, newly created accounts

> I guess I can look into it also this Saturday.

I didn't include names because it is pretty easy to see them by just
looking at the block log (or recent activity, which I did link).

Here is the block log for 2016.

16:46, 11 May 2016 Cjl (Talk | contribs | block) blocked Hsharish600
(Talk | contribs) with an expiry time of indefinite (account creation
disabled, email disabled) (Spamming links to external sites) (unblock
| change block)
16:45, 11 May 2016 Cjl (Talk | contribs | block) blocked
Kevinsmith1104 (Talk | contribs) with an expiry time of indefinite
(account creation disabled, email disabled) (Spamming links to
external sites) (unblock | change block)
16:42, 11 May 2016 Cjl (Talk | contribs | block) blocked Mehvis john
(Talk | contribs) with an expiry time of indefinite (account creation
disabled, email disabled) (Spamming links to external sites) (unblock
| change block)
16:38, 11 May 2016 Cjl (Talk | contribs | block) blocked Kirti35 (Talk
| contribs) with an expiry time of indefinite (account creation
disabled, email disabled) (Spamming links to external sites) (unblock
| change block)
16:33, 11 May 2016 Cjl (Talk | contribs | block) blocked Ms5447229
(Talk | contribs) with an expiry time of indefinite (account creation
disabled, email disabled) (Spamming links to external sites) (unblock
| change block)
20:22, 25 March 2016 Patrol (Talk | contribs | block) blocked
Johnsmith2167u (Talk | contribs) with an expiry time of indefinite
(account creation disabled) (Spamming links to external sites)
(unblock | change block)
11:56, 25 March 2016 Patrol (Talk | contribs | block) blocked
KarolinePage (Talk | contribs) with an expiry time of indefinite
(account creation disabled) (Spamming links to external sites)
(unblock | change block)

In the log itself, there are a lot of useful hotlinks, which is why it
is best to go directly to it.

https://wiki.sugarlabs.org/index.php?title=Special%3ALog&type=block&user=&page=&year=&month=-1&tagfilter=&hide_patrol_log=1

Also you can switch between log types (including user creation log)
and checkuser.  Considering how well people can spoof their IP
addresses these days, I'm not sure if checkuser is all that helpful
anymore, but here are the results, FWIW.



Hsharish600
45.42.161.33 (block) (17:15, 10 May 2016 -- 17:45, 10 May 2016) [3] (Blocked)

Kevinsmith1104
45.121.190.209 (block) (17:10, 10 May 2016 -- 17:11, 10 May 2016) [3]
(~15 from all users) (Blocked)

Kirti35
45.121.190.209 (block) (17:00, 10 May 2016 -- 17:14, 10 May 2016) [9]
(~15 from all users) (Blocked)

Mehvis john
104.236.123.17 (block) (16:56, 10 May 2016 -- 17:07, 10 May 2016) [6] (Blocked)

Ms5447229
45.121.190.209 (block) (16:54, 10 May 2016 -- 17:00, 10 May 2016) [3]
(~15 from all users) (Blocked)
192.230.46.85 (block) (15:43, 10 May 2016 -- 15:56, 10 May 2016) [6]

The usernames have indefinite blocks, the IP addresses have 24 hour
auto-blocks which will expire.

cjl