[pmwiki-users] New spammer tactic (fwd)

IchBin weconsul at ptd.net
Sun Sep 17 18:18:17 CDT 2006


christian.ridderstrom at gmail.com wrote:
> On Sun, 17 Sep 2006, Patrick R. Michaud wrote:
> 
>> On Sun, Sep 17, 2006 at 10:20:52PM +0200, christian.ridderstrom at gmail.com wrote:
>>> The spammer has created upload directories and placed .html-files there...
>> On pmwiki.org...?  Okay, I've turned off uploading of .htm/.html there,
>> and removed any existing .htm/.html files.
> 
> No, not on pmwiki.org, this was wiki.lyx.org.
> 
> I think it is the same spammer that first spent quite an effort to insert 
> spam within >>white<<...>><<. Then he started fiddling with attributes of 
> various pages, typically LyX/LyX, BibTeX/BibTeX and Playground/Plaground 
> etc. He'd often set the upload password.
> 
> Then I noticed that he had uploaded files to uploads/Playground/... these 
> files were spam for medications. In addition, he had even created a cron 
> job that uploaded them repeatedly...
> 
> Note that he actually went to the effort of finding the upload password 
> (which was documented on Site.AboutUplaods). Also note that the site isn't 
> using the standard mechanism for uploading, but another file manager.
> 
> Anyway, once I changed the upload password the uploading was stopped.
> 
> Oh... the later files that were uploaded didn't have an extension at all.
> 
> So this guy was very persistent and went through quite a bit of work... 
> and he knows a bit about PmWiki, perhaps even following this list. Of 
> course, judging from his fiddling with attributes he must be quite a bit 
> of an amateur. I would have done things quite differently.
> 
> Here are two IPs I think he has used: 85.202.118.56 and 85.249.85.48
> although they probably don't mean much.
> 
> /Christian
> 
> PS. The guy was still at it just a few minutes ago, trying with 
> 'Attach:...'. Of course, since I've disabled PmWiki's normal uploading 
> mechanism that won't work.

I tracked down the ISPs for those two IP addresses. They are both in 
Europe (Russia & Ukraine). The Ukraine ISP has an abuse address 
(abuse at volia.net). The Russian ISP does not have one.


Here is ISP Information for: *85.249.85.48* (Russia)

inetnum:         85.249.80.0 - 85.249.95.255
netname:         INFOCENTER
descr:           JSC "INFOCENTER" Network
country:         RU
admin-c:         AVT27-RIPE
tech-c:          AID17-RIPE
status:          ASSIGNED PA
mnt-by:          ELTEL-RIPE-MNT
source:          RIPE # Filtered

person:          Andrey V Tsepilov
address:         OOO “InfoCenter”
address:         Gorohovaja, 20
address:         Vladimir
address:         Russia
remarks:         phone:          +7 0922 410444
phone:           +7 4922 410444
remarks:         fax-no:         +7 0922 410444
fax-no:          +7 4922 410444
e-mail:          tsepilov at vladinfo.ru
nic-hdl:         AVT27-RIPE
mnt-by:          ELTEL-RIPE-MNT
source:          RIPE # Filtered
remarks:         modified for Russian phone area changes

person:          Alexey I Dementiev
address:         OOO “InfoCenter”
address:         Gorohovaja, 20
address:         Vladimir
address:         Russia
remarks:         phone:          +7 0922 410444
phone:           +7 4922 410444
remarks:         fax-no:         +7 0922 410444
fax-no:          +7 4922 410444
e-mail:          tsepilov at vladinfo.ru
nic-hdl:         AID17-RIPE
mnt-by:          ELTEL-RIPE-MNT
source:          RIPE # Filtered
remarks:         modified for Russian phone area changes



Here is ISP Information for: *85.202.118.56* (Ukraine)

inetnum:         85.202.96.0 - 85.202.127.255
netname:         VOLIA
descr:           Volia ISP Dynamic IP Pool #3
country:         UA
admin-c:         VNCC-RIPE
tech-c:          VNCC-RIPE
status:          ASSIGNED PA
remarks:         ------------------------------------------
remarks:         This pool used for Volia Broadband service
remarks:
remarks:         To postmasters:  You MAY discard SMTP con-
remarks:         nections from this subnet - customers MTAs
remarks:         can't appear here due our SLA.
remarks:         ------------------------------------------
mnt-by:          VOLIA-MNT
source:          RIPE # Filtered

role:            Volia ISP Network Coordination Center
address:         Volia ISP
address:         ap 37, 17V I.Franko st, Kiev
address:         Ukraine (UA) 01030
phone:           +380 44 2356568
fax-no:          +380 44 2356568
admin-c:         VEG1-RIPE
admin-c:         DK109-RIPE
tech-c:          DK109-RIPE
tech-c:          CZ602-RIPE
tech-c:          VAG25-RIPE
tech-c:          AV2437-RIPE
tech-c:          SA1215-RIPE
nic-hdl:         VNCC-RIPE
abuse-mailbox:   abuse at volia.net
remarks:         - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
remarks:
remarks:         Volia, Volia Cable, Volia ISP contacts:
remarks:
remarks:         International dialing code..: +380-44 (Kiev, Ukraine)
remarks:         Time Zone...................: Eastern European Time Zone
remarks:
remarks:         Press
remarks:         -----
remarks:         PR department...............: 207-7092 9:00-18:00
remarks:         PR department...............: info at voliacable.com
remarks:         Corporate web site..........: http://www.volia.com/
remarks:
remarks:
remarks:         New subscription
remarks:         ----------------
remarks:         Home users..................: sales at voliacable.com
remarks:         Home users..................: 541-9040, 541-9041 8:00-21:00
remarks:         Home users..................: 502-2250 8:00-21:00
remarks:         Corporate customers.........: 207-7090 9:00-18:00
remarks:         Dealers.....................: 590-2614 9:00-18:00
remarks:
remarks:
remarks:         Existent customers
remarks:         ------------------
remarks:         Broadband helpdesk..........: 541-9010, 502-4028 0:00-24:00
remarks:         Digital TV helpdesk.........: 541-9020 0:00-24:00
remarks:         Analogue TV helpdesk........: 541-9000 0:00-24:00
remarks:         Billing and administrative..: abonents at voliacable.com
remarks:         Technical issues............: support at voliacable.com
remarks:
remarks:
remarks:         Other contacts
remarks:         --------------
remarks:         Routing and MAN ops.........: 235-6568 0:00-24:00
remarks:         Routing and MAN ops.........: noc at volia.net
remarks:         Local Internet Registry.....: lir at volia.net
remarks:         Spam,attacks,virus reports..: abuse at volia.net
remarks:         Peering requests............: peering at volia.net
remarks:         E-Mail related problems.....: postmaster at volia.net
remarks:         DNS and domains questions...: hostmaster at volia.net
remarks:         Usenet, newsfeeds...........: newsmaster at volia.net
remarks:
remarks:         - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
mnt-by:          VOLIA-MNT
source:          RIPE # Filtered

% Information related to '85.202.0.0/16AS25229'

route:           85.202.0.0/16
descr:           Volia ISP Primary Route
origin:          AS25229
mnt-by:          VOLIA-MNT
source:          RIPE # Filtered

-- 
Thanks in Advance...
IchBin, Pocono Lake, Pa, USA              http://weconsultants.phpnet.us
'If there is one, Knowledge is the "Fountain of Youth"'
-William E. Taylor,  Regular Guy (1952-)
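
A filesystem-level audit for the cleanup discussed in this thread, as an added example that is not part of the original messages: it flags .htm/.html files under an uploads tree and also sniffs file content, since the later uploads had no extension at all. The marker list, function names and sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

RISKY_EXTS = {".htm", ".html"}  # the types turned off on pmwiki.org in the thread
# Assumed markers: byte strings that indicate HTML regardless of the file name.
HTML_MARKERS = (b"<html", b"<!doctype html", b"<a href", b"<script", b"<meta")

def looks_like_html(path, probe=2048):
    """Sniff the first bytes of a file for HTML markup, ignoring its name."""
    with open(path, "rb") as fh:
        head = fh.read(probe).lower()
    return any(marker in head for marker in HTML_MARKERS)

def audit_uploads(root):
    """Return sorted (relative_path, reason) pairs for suspicious uploads."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            ext = os.path.splitext(name)[1].lower()
            if ext in RISKY_EXTS:
                findings.append((rel, "html extension"))
            elif looks_like_html(full):
                # Catches extension-less files and HTML hidden behind another type.
                reason = "no extension" if not ext else "mismatched extension"
                findings.append((rel, "html content, " + reason))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample data: a small uploads/ tree like the one described."""
    samples = {
        "Playground/pills.html": b"<html><body><a href='#'>x</a></body></html>",
        "Playground/pills": b"<HTML><body>constructed spam page</body></HTML>",
        "Playground/notes.txt": b"plain meeting notes",
        "LyX/figure.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "LyX/manual.pdf": b"<html><script>constructed</script></html>",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def demo():
    """Build the constructed tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit_uploads(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Because it reads the directory directly, the check applies whether files arrived through PmWiki's own uploader or through a separate file manager.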




