# Spambot visited my mediawiki [SOLVED]

## gouranga

I have installed www-apps/mediawiki-1.4.12.

Recently it came to my attention that a script spammed the help and event page of my wiki.

Can someone explain to me what the script/spammer was after?

I found this in the source of the help page

The page was blank, but in the source there were lots of URLs.

Can I protect my wiki against this? And how?

*EDIT*

I removed the code posted here, so it doesn't increase google rankings of the listed sites

View image at:

http://gouranga.dyndns.org/tmp/wiki_got_spammed.PNG

Last edited by gouranga on Sun Dec 18, 2005 1:11 am; edited 3 times in total

----------

## nixnut

Moved from Other Things Gentoo to Networking & Security.

Most wikis have a feature that disables posting/editing for non-registered users. Read the documentation to find out more.

----------

## hanj

You should check the logs to see if you're getting hit by a pineappleproxy. This is a common SPAM bot. I was getting hit with this and added this to my vhost. If you have snort, I think it'll trigger on this rule. Not sure if you need the bleeding-rules though.

Here is a snip from vhost conf. I log it.. and then block it.

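```
# Log format used only for requests flagged as spam
LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" spamformat
# Write flagged requests to their own log
CustomLog /var/log/apache2/spam_log spamformat env=spammer
# Flag any request whose X-AAAAAAAAAAAA header value matches the regex "1"
SetEnvIfNoCase X-AAAAAAAAAAAA 1 spammer=yes
<Limit GET POST>
   Order Allow,Deny
   Allow from all
   Deny from env=spammer
</Limit>
```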

HTH

hanji

----------

## wjb

How about someone removing the spam urls from the first post? They're getting links from this forum page now, which must be a bonus for them.

----------

## marinheiro

Nobody answered the original question, which was 'why do they do this', the answer being 'to increase google rankings of the listed sites'.

From my experience, once you get on the spammers' lists you'll start getting more and more of this so you need to do something to prevent it, not just keep rewinding the pages. Try bad_behavior:

http://www.ioerror.us/software/bad-behavior/

It has a media-wiki version which is very easy to install, and so far has worked fine for me. I suspect this is going to be a bit of an arms-race, like with mail spam detection, though :(

Good luck

Graham

----------

## gouranga

Thx for the replies.

I just installed bad-behavior. 

I was looking for something like that.

Thx !!!

----------

## marinheiro

bad-behavior kept out the spammers for just one week on my site. I've now progressed to hand-setting regexes as described on

http://meta.wikimedia.org/wiki/Anti-spam_Features

Let's see how long that works...

Graham

----------

## gouranga

Today I installed and configured mod_security.

I assume that people that are following these steps have Apache installed and fully configured.

Make sure that apache works before proceeding.

```
emerge mod_security
```

You can start with the default config.

It's located here:

```
/etc/apache2/modules.d/99_mod_security.conf
```

You will have to analyse /var/log/apache2/audit_log when you get an unexpected Internal server error in some of your applications, forums, ...

I think I finally solved the content-spam problem containing the words viagra, ...

```
# Turn mod_sec off in a specific dir. In my httpd.conf there is a rule that
# this folder is only accessible from the LAN
<Location /dir1>
    SecFilterEngine Off
</Location>

# Allow your scripts (log,pass logs the match and lets processing continue)
SecFilterSelective THE_REQUEST "/tr\.php" log,pass
SecFilterSelective THE_REQUEST "/ml\.php" log,pass

# WEB-ATTACKS wget command attempt, lupper worm
SecFilter "wget\x20"
SecFilter "xmlrpc.php"

# Viagra spam
# Deny all POSTs and GETs containing a word from the list
SecFilter "(viagra|mortgage|herbal|buy)"

# Deny all POSTs and GETs with a referer URL containing a word in the list
SecFilterSelective "HTTP_REFERER" "(viagra|mortgage|texasholdem)"
```

Analyze the log and have fun!

It's a bit time-consuming at first, but when it's up and running you are released from the content spam, script kiddies hammering your server every day, ...

Also read these URLs:

Introducing mod_security - http://www.onlamp.com/pub/a/apache/2003/11/26/mod_security.html

An introduction to mod_security - http://atomicplayboy.net/blog/2005/01/30/an-introduction-to-mod-security/

http://www.modsecurity.org/documentation/

(read also the external articles)

----------
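Added example, not part of the original posts: a small Python harness that replays constructed sample requests against the two keyword rules from gouranga's config, to show which requests they would reject before the rules go live, including a legitimate edit that merely contains "buy". It approximates ModSecurity 1.x matching with Python's `re` (plain `SecFilter` modelled as request line plus POST body, matching assumed case-insensitive); the sample requests and function names are assumptions.

```python
import re

# The two keyword rules from the post, in ModSecurity 1.x syntax.
RULES = r'''
SecFilter "(viagra|mortgage|herbal|buy)"
SecFilterSelective "HTTP_REFERER" "(viagra|mortgage|texasholdem)"
'''

# Directive, optional variable name (SecFilterSelective only), quoted pattern.
RULE_RE = re.compile(r'^\s*(SecFilter|SecFilterSelective)\s+(?:"?(\w+)"?\s+)?"(.*)"\s*$')

# Constructed sample requests (not from any real log); bodies shown URL-decoded.
SAMPLES = {
    "spam edit": {"line": "POST /index.php?title=Help&action=submit HTTP/1.0",
                  "body": "wpTextbox1=cheap viagra http://spam.example/"},
    "legit edit": {"line": "POST /index.php?title=Events&action=submit HTTP/1.0",
                   "body": "wpTextbox1=Where to buy tickets for the event"},
    "spam referer": {"line": "GET /index.php?title=Main_Page HTTP/1.0",
                     "referer": "http://texasholdem.example/links"},
    "clean view": {"line": "GET /index.php?title=Events HTTP/1.0"},
}

def parse_rules(text):
    """Return (target, compiled regex) for each SecFilter* line."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw)
        if m:
            # Plain SecFilter is modelled as request line + POST body.
            target = m.group(2) or "REQUEST"
            # Assumption: patterns are matched case-insensitively.
            rules.append((target, re.compile(m.group(3), re.I)))
    return rules

def first_match(rules, req):
    """Pattern of the first rule that would reject req, or None."""
    fields = {"REQUEST": req["line"] + "\n" + req.get("body", ""),
              "HTTP_REFERER": req.get("referer", "")}
    for target, rx in rules:
        if rx.search(fields.get(target, "")):
            return rx.pattern
    return None

def report(samples=SAMPLES):
    """Map each sample name to the pattern that rejects it (None = passes)."""
    rules = parse_rules(RULES)
    return {name: first_match(rules, req) for name, req in samples.items()}

if __name__ == "__main__":
    for name, hit in report().items():
        print(f"{name:13} -> {'rejected by ' + hit if hit else 'passes'}")
```

The "legit edit" sample is rejected by the same rule as the spam edit, which is the kind of hit that shows up in audit_log as an unexpected Internal server error.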

