ZOMBIE FORUMS

It's a stinking, shambling corpse grotesquely parodying life.

All times are UTC - 8 hours [ DST ]




 Post subject: ANNOUNCEMENT: Wiki problems
PostPosted: Sun Jun 10, 2007 1:01 pm 
Local

Joined: Wed Nov 16, 2005 10:01 pm
Posts: 188
Location: A strange, high place
We interrupt your regular repartee and speculation for this important message ...

Today the wiki was the target of a nasty and persistent attack by spambots that several people have spent a lot of time parrying. Defenses are being worked on, but for the moment, nearly all content pages, and most talk pages as well, have been blocked from editing by most would-be contributors. We don't know how long this outage will last, but it's probably days rather than hours or weeks. Everybody should still be able to read articles just fine (if you can't, please leave Slamlander or me a private message ASAP), it's just the editing that has been blocked.

You can do a few things to help until we get this under control. First, we think we nuked all the spam (the usual stuff with sites for bogus medications, etc.), but it's hard to be sure. If you see anything weird in an article or talk page, please leave us a private message identifying the page and the problem. Second, please continue to edit the "That Typos Thread" page, as keeping that one up to date helps Poe and Impy, not just wiki readers; it has been left available for editing, although this may have to be reconsidered if it becomes a home base for the spammers. Finally, just be patient until we get this fixed. If there's something that needs to be fixed in an article that just can't wait, the private-message route will work, and I'll either make the change myself or pop the access back open long enough for you to do so.

Thanks for your patience, and particularly thanks to Slamlander for his help in dealing with the attack. We'll beat these scumbags.

-- Graybeard, Abbot of the Heretical Monks and wiki bureaucrat.

_________________
"If you sit down at a poker game and can't see the sucker, get up. You're the sucker."


PostPosted: Sun Jun 10, 2007 10:43 pm
Addict

Joined: Fri Nov 08, 2002 5:00 pm
Posts: 4439
Location: You can't take the sky from me. Since I found Serenity.
It's probably a botnet doing it, but have you compiled a list of IPs?

_________________
Build a man a fire, warm him for a day,
Set a man on fire, warm him for the rest of his life.


PostPosted: Mon Jun 11, 2007 3:17 am
Addict

Joined: Wed Jun 08, 2005 8:40 am
Posts: 1090
Location: Nyon, CH, near Geneve, on the shores of the Lac Leman. The heart of Suisse Romande.
OmnipotentEntity wrote:
It's probably a botnet doing it, but have you compiled a list of IPs?


Why? It is a useless exercise. The modern Internet is full of swamps of dynamic IP addresses where one host never has the same address twice. I know for I am in one of those swamps. This is what makes bot-nets so difficult to deal with. They are subverted hosts inside ISP dynamic IP swamps. The only way to block by IP address is to block the router advertisements of the entire ISP's block. Considering that this could include entire countries, like bluewin.ch, this is unacceptable collateral damage. Those who compile useless lists of IPs do not understand the Internet and are operating under false assumptions of static spaces.

We are protecting pages and banning known bad user IDs. That should at least slow the bot-net down, for a bit.

There are other measures that can be taken, from root. But at the cost of risking the store. I will not countenance that. For now, we have identified our most effective measures and are pursuing them.

PostPosted: Mon Jun 11, 2007 6:01 am
Local

Joined: Wed Nov 16, 2005 10:01 pm
Posts: 188
Location: A strange, high place
Actually, we're still trying to figure out exactly what goes on with this particular attack, but Slamlander is right: a list of IP addresses isn't going to solve this one, the attack is more sophisticated than that. It might be useful to have for purposes of some intelligence gathering and comparison to webspam attacks on other wikis, but even that is not clear. He's also correct that it must be solved in a way that has absolutely zero impact on the store and the rest of the site. That's the hard part.

Patience. This WILL get worked out.

_________________
"If you sit down at a poker game and can't see the sucker, get up. You're the sucker."


PostPosted: Mon Jun 11, 2007 6:55 am
Expatriate

Joined: Sun Sep 25, 2005 2:17 pm
Posts: 116
I've got a basically limitless amount of free time this week, so I'll keep an eye out and reverse any changes made to unprotected pages by the spambots.


PostPosted: Tue Jun 12, 2007 4:21 pm
Addict

Joined: Fri Nov 08, 2002 5:00 pm
Posts: 4439
Location: You can't take the sky from me. Since I found Serenity.
Slamlander wrote:
OmnipotentEntity wrote:
It's probably a botnet doing it, but have you compiled a list of IPs?


Why? It is a useless exercise. The modern Internet is full of swamps of dynamic IP addresses where one host never has the same address twice. I know for I am in one of those swamps. This is what makes bot-nets so difficult to deal with. They are subverted hosts inside ISP dynamic IP swamps. The only way to block by IP address is to block the router advertisements of the entire ISP's block. Considering that this could include entire countries, like bluewin.ch, this is unacceptable collateral damage. Those who compile useless lists of IPs do not understand the Internet and are operating under false assumptions of static spaces.

We are protecting pages and banning known bad user IDs. That should at least slow the bot-net down, for a bit.

There are other measures that can be taken, from root. But at the cost of risking the store. I will not countenance that. For now, we have identified our most effective measures and are pursuing them.


Way to jump to conclusions. I said nothing about banning.

_________________
Build a man a fire, warm him for a day,
Set a man on fire, warm him for the rest of his life.


PostPosted: Tue Jun 12, 2007 10:11 pm
Addict

Joined: Wed Jun 08, 2005 8:40 am
Posts: 1090
Location: Nyon, CH, near Geneve, on the shores of the Lac Leman. The heart of Suisse Romande.
OmnipotentEntity wrote:
Slamlander wrote:
OmnipotentEntity wrote:
It's probably a botnet doing it, but have you compiled a list of IPs?


Why? It is a useless exercise. The modern Internet is full of swamps of dynamic IP addresses where one host never has the same address twice. I know for I am in one of those swamps. This is what makes bot-nets so difficult to deal with. They are subverted hosts inside ISP dynamic IP swamps. The only way to block by IP address is to block the router advertisements of the entire ISP's block. Considering that this could include entire countries, like bluewin.ch, this is unacceptable collateral damage. Those who compile useless lists of IPs do not understand the Internet and are operating under false assumptions of static spaces.

We are protecting pages and banning known bad user IDs. That should at least slow the bot-net down, for a bit.

There are other measures that can be taken, from root. But at the cost of risking the store. I will not countenance that. For now, we have identified our most effective measures and are pursuing them.


Way to jump to conclusions. I said nothing about banning.


Sorry to imply that you did. I simply swung into the new topic of what actions we are taking. In the end, protecting the pages was the most effective but now only Brothers of the Order can edit pages. This is also long-term untenable. The banning had only limited effect as new user IDs were being created at a steady rate. Protecting the pages stops the vandalism, for now, until we get some better new user creation policies in place.

For now, one thing is absolutely clear, we can no longer have unrestricted account creation in the wiki. The old version that we are stuck with doesn't have adequate protection from script-kiddies. Therefore, we cannot allow fully automated user registration. Upgrading the Wiki software requires upgrading to PHP5 and MySQL5 and that will impact the store. We will not risk impacting a production retail system. So, we have to find another way.

I am also looking into what SQL script we have to run to delete the bogus accounts that the script-kiddies have already created. Basically, some assholes out there have shit all over our Wiki and we need to:
1) Clean up the mess
2) Prevent it from happening again.
3) Get us safely back on line.

Again, we are under Sysop-only edit rules until we get some of this sorted.

PostPosted: Wed Jun 13, 2007 12:30 am
Addict

Joined: Fri Nov 08, 2002 5:00 pm
Posts: 4439
Location: You can't take the sky from me. Since I found Serenity.
Slamlander wrote:
until we get some better new user creation policies in place.


Take the captcha and use it for the wiki.

_________________
Build a man a fire, warm him for a day,
Set a man on fire, warm him for the rest of his life.


PostPosted: Wed Jun 13, 2007 12:46 am
Addict

Joined: Wed Jun 08, 2005 8:40 am
Posts: 1090
Location: Nyon, CH, near Geneve, on the shores of the Lac Leman. The heart of Suisse Romande.
OmnipotentEntity wrote:
Slamlander wrote:
until we get some better new user creation policies in place.


Take the captcha and use it for the wiki.


Okay, I'll dl it and test it. My problem is that I only have PHP5 systems here and ErrantStory is on PHP4.

PostPosted: Wed Jun 13, 2007 9:03 am
Tourist

Joined: Sat Sep 02, 2006 12:59 pm
Posts: 41
What about requiring manual admin-activation of all new accounts, prompted by a friendly "I signed up for the Wiki" post in the forums? Newly created accounts wouldn't be capable of editing pages until an admin marked them as "real".

I haven't seen our member-list on our wiki, but I'm guessing it's small enough that the manual labor required to approve authorized accounts wouldn't really be that problematic. Then a spambot could feel free to create 159 different accounts if it wanted, but none of them would have permissions to actually edit anything, so it wouldn't really matter.


PostPosted: Wed Jun 13, 2007 11:06 am
Addict

Joined: Fri Nov 08, 2002 5:00 pm
Posts: 4439
Location: You can't take the sky from me. Since I found Serenity.
Slamlander wrote:
OmnipotentEntity wrote:
Slamlander wrote:
until we get some better new user creation policies in place.


Take the captcha and use it for the wiki.


Okay, I'll dl it and test it. My problem is that I only have PHP5 systems here and ErrantStory is on PHP4.


Here's the code that actually creates the image. Be sure to note the fonts, (search for ttf), you'll have to change them to paths that actually exist. And you'll also have to find out how to get the chars from wikisource and just remove the three lines it tells you to and then poke it into $code.

Code:
$im = ImageCreateTrueColor(500,140); // 150 on edges, 200 on middle

$chars = "ABCEFGHJKLMNPRTWXY3478";

/* Remove these three lines to use it in usercp_confirm.php: */
$code = '';
$n=0;$l = strlen($chars);
for($n=0; $n<6; ++$n) $code .= $chars[mt_rand(0,$l-1)];

$l = strlen($code);
for($n=0; $n<$l; ++$n)
  if(mt_rand(0,2)==0)
    $code[$n] = strtr($code[$n], 'KEMFAP', 'kemfap');

ImageFilledRectangle($im, 150,0, 350,140, 0x101010);

$l = strlen($chars);

for($n=0; $n<80; ++$n) add_random_char(20,60, 4,9,   0,150);
ImageCopy($im,$im, 350,0, 0,0, 150,140);

for($n=0; $n<30; ++$n) add_random_char(20,60, 26,30, 150,340);
for($n=0; $n<80; ++$n) add_random_char(20,75, 11,23, 110,380);
for($n=0; $n<50; ++$n) add_random_char(200,256, 4,9, 150,340);

function add_random_char($min_yuv, $max_yuv, $min_size, $max_size, $minx,$maxx)
{
  global $im, $l, $chars;
  for(;;)
  {
    $rgb = mt_rand(0,0xFFFFFF);
    $r = $rgb>>16;
    $g = ($rgb&0xFF00)>>8;
    $b = ($rgb&0xFF);

    $yuv_y = 0.299*$r + 0.587*$g + 0.114*$b;
    if($yuv_y >= $min_yuv && $yuv_y <= $max_yuv) break;
  }

  $c = ImageColorAllocate($im, $r,$g,$b);
  $ch = $chars[mt_rand(0,$l-1)];
 
  $x = mt_rand($minx,$maxx);
  $y = mt_rand(10,140);
  ImageTTFText($im, mt_rand($min_size, $max_size),mt_rand(-40,40), $x,$y, $c, '/path/to/font1.ttf', $ch);
}



$x=0;
$l=strlen($code);
for($n=0; $n<$l; ++$n)
{
  for(;;)
  {
    $rgb = mt_rand(0,0xFFFFFF);
    $r = $rgb>>16;
    $g = ($rgb&0xFF00)>>8;
    $b = ($rgb&0xFF);
    $yuv_y = 0.299*$r + 0.587*$g + 0.114*$b;
    if($yuv_y > 180) break;
  }
 
  $c = ImageColorAllocate($im, $r,$g,$b);
 
  $y = 140 - mt_rand(10,100);
  if($n == 0) $y = max($y, 80);
 
  $fnt = '/path/to/font2.ttf';
 
  $slant = mt_rand(-30,30);
 
  $bound =
  ImageTTFText($im,
    mt_rand(25,40),
    $slant,
    150+$x,
    $y,
    $c, $fnt, $code[$n]);

  $wid = $bound[2] - $bound[0] + 2 + abs($slant)/5;

  $x += $wid;
}

ImageTrueColorToPalette($im, false, 256); // to save in transmission length

header('Content-type: image/png');
header('Cache-Control: no-cache, no-store');

ob_start();
ImagePng($im);
$image = ob_get_contents();
ob_end_flush();

_________________
Build a man a fire, warm him for a day,
Set a man on fire, warm him for the rest of his life.


PostPosted: Wed Jun 13, 2007 12:00 pm
Addict

Joined: Wed Jun 08, 2005 8:40 am
Posts: 1090
Location: Nyon, CH, near Geneve, on the shores of the Lac Leman. The heart of Suisse Romande.
Okay, I'll hack at this a bit ... after we know that the current measures are working. This'll be part of the "opening things back up" phase.

PostPosted: Wed Jun 13, 2007 3:25 pm
Addict

Joined: Tue Aug 12, 2003 11:25 am
Posts: 2561
Location: Seoul, South Korea
Our admin guys at Intellitree have kindly instituted a temporary fix preventing new users from adding themselves, and disabling anonymous posting.

We will work on a better solution as time permits.

^-^'

_________________
I <3 Parker


PostPosted: Wed Jun 13, 2007 7:00 pm
Expatriate

Joined: Sun Sep 25, 2005 2:17 pm
Posts: 116
Hooray! I was about to suggest that same thing for until A) a new system was implemented or B) the spambot attack subsided so we could open it back up for regular users while we still figured out a way to stop this from happening again.


PostPosted: Wed Jun 13, 2007 7:22 pm
Local

Joined: Wed Nov 16, 2005 10:01 pm
Posts: 188
Location: A strange, high place
Tiamat wrote:
Hooray! I was about to suggest that same thing for until A) a new system was implemented or B) the spambot attack subsided so we could open it back up for regular users while we still figured out a way to stop this from happening again.


There are still a few bits of spam appearing from time to time, but the attack appears to be subsiding. However, I think it is still slightly premature to unprotect the content pages. The problem is that there appear to be at least 500(!) bogus usernames associated with this particular spambot -- which is not to mention another 200 or so from earlier, less organized attacks. Some of them are known to have a "latency" period, where they get created, then don't start spamming for some time. I've been tracking some of the culprits, and the latency can be at least a day, so we're not clear of them yet.

Recommend we give this another three or four days to settle down, then if all is peaceful, the Heretical Monks can start unprotecting things and see if we're in the clear. Thanks to you (Tiamat) and all the rest of you folks who've helped fight this.

_________________
"If you sit down at a poker game and can't see the sucker, get up. You're the sucker."


PostPosted: Wed Jun 13, 2007 10:17 pm
Addict

Joined: Wed Jun 08, 2005 8:40 am
Posts: 1090
Location: Nyon, CH, near Geneve, on the shores of the Lac Leman. The heart of Suisse Romande.
Actually, another 7-14 days sounds more appropriate. In that time, we can explore and discuss other measures for when we open things back up.

1 Right now, I am researching an SQL command that will remove all the spambot IDs. That should help.

2 Omni's captcha code is another possibility. While it won't stop manual account creation, it does stop script-kiddies. However, it needs to be tested on Mediawiki, which I will do today.

The real issues can't be addressed, however, until we are running current versions of both PHPBB and Mediawiki. There is a way to link the two together at the user account level. This will force wiki users to use their Forum ID on the wiki and thus give us much more tracking and accounting ability. Basically, it works by using the user's Forum credentials for the wiki and not creating separate wiki accounts at all.
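
The latency tracking Graybeard describes, and the question in the two posts above of how long to keep pages protected, can be worked through as a calculation. This is an added example, not code from the thread or from MediaWiki; the account names, timestamps and record layout are constructed, and the burst window, burst size and safety margin are assumed values.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample records: (username, registered, first spam edit or None).
# The layout is an assumption; real data would come from the wiki's user table
# and from the log of reverted spam edits.
ACCOUNTS = [
    ("Reader1", "2007-06-08 14:00", None),
    ("SpamA",   "2007-06-10 01:00", "2007-06-10 01:20"),
    ("SpamB",   "2007-06-10 01:03", "2007-06-11 03:03"),
    ("SpamC",   "2007-06-10 01:05", None),
    ("SpamD",   "2007-06-10 01:09", None),
    ("Reader2", "2007-06-12 09:00", None),
    ("SpamE",   "2007-06-12 22:00", "2007-06-12 22:30"),
    ("SpamF",   "2007-06-12 22:04", None),
    ("SpamG",   "2007-06-12 22:07", None),
]

def ts(text):
    return datetime.strptime(text, FMT)

def observed_latencies(accounts):
    """Delay between registration and first spam edit, per account that spammed."""
    return {n: ts(s) - ts(r) for n, r, s in accounts if s}

def burst_members(accounts, window=timedelta(minutes=10), min_size=3):
    """Names registered in a run of at least min_size sign-ups, each no more
    than `window` after the previous one (assumed signature of a script)."""
    members, run = set(), []
    for acct in sorted(accounts, key=lambda a: ts(a[1])):
        if run and ts(acct[1]) - ts(run[-1][1]) > window:
            if len(run) >= min_size:
                members.update(a[0] for a in run)
            run = []
        run.append(acct)
    if len(run) >= min_size:
        members.update(a[0] for a in run)
    return members

def dormant_burst_accounts(accounts):
    """Burst-registered accounts that have not edited yet: possible sleepers."""
    burst = burst_members(accounts)
    return sorted(n for n, _, s in accounts if s is None and n in burst)

def earliest_unprotect(accounts, margin=2):
    """Youngest dormant burst account's registration time plus the longest
    latency seen so far, multiplied by an assumed safety margin."""
    dormant = set(dormant_burst_accounts(accounts))
    latencies = observed_latencies(accounts)
    if not dormant or not latencies:
        return None  # nothing pending, or no latency data to extrapolate from
    newest = max(ts(r) for n, r, _ in accounts if n in dormant)
    return newest + max(latencies.values()) * margin

if __name__ == "__main__":
    print("longest latency:", max(observed_latencies(ACCOUNTS).values()))
    print("dormant burst accounts:", dormant_burst_accounts(ACCOUNTS))
    print("earliest unprotect:", earliest_unprotect(ACCOUNTS))
```

A dormant account registered outside any burst is not flagged, so the date returned is a lower bound on the waiting period, not evidence that the remaining accounts are clean.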

PostPosted: Wed Jun 13, 2007 10:57 pm
PostWhorePornStar

Joined: Sun Dec 09, 2001 5:00 pm
Posts: 5769
Location: Boston, Massachusetts
They've got into Victoria, too.

I think the Internet would be much less frustrating if nobody else could see or change anything on it.

_________________
iothera: a science fantasy


PostPosted: Wed Jun 13, 2007 11:12 pm
Addict

Joined: Wed Jun 08, 2005 8:40 am
Posts: 1090
Location: Nyon, CH, near Geneve, on the shores of the Lac Leman. The heart of Suisse Romande.
RMG wrote:
They've got into Victoria, too.

I think the Internet would be much less frustrating if nobody else could see or change anything on it.


???Victoria??? :confused:

The frustration ends when the last spammer/script-kiddie is killed!

PostPosted: Thu Jun 14, 2007 12:11 am
Local

Joined: Wed Mar 14, 2007 3:47 am
Posts: 270
Location: 3rd rock from the Sun
Slamlander wrote:
RMG wrote:
They've got into Victoria, too.

I think the Internet would be much less frustrating if nobody else could see or change anything on it.


???Victoria??? :confused:



You know, The Midlands Wiki.

_________________
Polly: I'm not going to die, am I? I mean right now?
DEATH: NO. BUT YOU WERE TOLD YOU WOULD WALK WITH DEATH EVERY DAY.
Polly: Oh...Yes, Corporal Scallot said that.
DEATH: HE IS AN OLD FRIEND. YOU MIGHT SAY HE IS ON THE INSTALMENT PLAN.


PostPosted: Thu Jun 14, 2007 6:23 am
Local

Joined: Wed Nov 16, 2005 10:01 pm
Posts: 188
Location: A strange, high place
Slamlander wrote:
Actually, another 7-14 days sounds more appropriate. In that time, we can explore and discuss other measures for when we open things back up.


I was going to debate this, but in view of the death in Impy's family :-( , I'm with you -- let's not rush the repairs, they can wait until she's back and comfortable. (Once again, Impy, e-hugs.) SL, are you in contact with the folks that are doing the software fix?

Two spams in the last 12 hours, which is definitely a slower pace, and both pages are now protected...

_________________
"If you sit down at a poker game and can't see the sucker, get up. You're the sucker."

