|
Size: 111
Comment:
|
← Revision 18 as of 2009-12-25 07:15:52 ⇥
Size: 6201
Comment: converted to 1.6 markup
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| = 06-10-31.第3次袭来! = | #acl WoodpeckerAclDefine/WikiAdminGroup:read,write Known:read All:read '''啄木鸟维基再次受到攻击!''' <<TableOfContents>> = 06-10-31.Spamer第3次袭来! = |
| Line 3: | Line 8: |
| attachment:061031-spamer_768x336_scrot.png | * 20:31 注册后就开始乱改,22:10左右被发现,22:15 发布警报;22:30清除注册名;在[[andelf|andelf]]和QiangningHong 的协助下 22:43 完成所有污染页面的清除,但是部分附件被恶意删除不能恢复! * 倡议追踪此人,进行网络鄙视!!! == 细节 == * {{{ # Data saved '2006-10-31 20:31:25' for id '1162297883.76.32758' aliasname= css_url= date_fmt= datetime_fmt= disabled=0 edit_on_doubleclick=0 edit_rows=20 editor_default=text editor_ui=freechoice [email protected] enc_password={SHA}5HxYCc1Ml/whq8zt/Yc6TKjZNkk= language= last_saved=1162297885.33 mailto_author=0 name=suckmydick quicklinks= remember_last_visit=0 remember_me=1 show_fancy_diff=1 show_nonexist_qm=0 show_page_trail=1 show_toolbar=1 show_topbottom=0 subscribed_pages= theme_name=woodpecker tz_offset=0 want_trivial=0 wikiname_add_spaces=0 }}} === 日志分析 === '''寻找Spamer!''' {{attachment:061031-chk-spamer734x120_scrot.png}} * 寻找一个被我们修正次数少的页面: {{{/var/log/apache> tail -n 22500 httpd-access.log | grep PyZhOLPC | grep 31/Oct/2006 202.160.179.80 - - [31/Oct/2006:20:32:52 +0800] "GET /moin/PyZhOLPC HTTP/1.0" 200 20908 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp China; http://misc.yahoo.com.cn/help.html)" 61.149.131.141 - - [31/Oct/2006:21:23:18 +0800] "GET /moin/PyZhOLPC HTTP/1.1" 200 21710 "http://wiki.woodpecker.org.cn/moin/%E9%A6%96%E9%A1%B5" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" .. 61.149.131.141 - - [31/Oct/2006:21:23:21 +0800] "GET /moin/PyZhOLPC?action=edit&editor=text HTTP/1.1" 200 11209 "http://wiki.woodpecker.org.cn/moin/PyZhOLPC" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" 61.149.131.141 - - [31/Oct/2006:21:23:25 +0800] "POST /moin/PyZhOLPC HTTP/1.1" 200 11434 "http://wiki.woodpecker.org.cn/moin/PyZhOLPC?action=edit&editor=text" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" 61.149.131.141 - - [31/Oct/2006:21:23:38 +0800] "GET /moin/%E9%A6%96%E9%A1%B5 HTTP/1.1" 200 33459 "http://wiki.woodpecker.org.cn/moin/PyZhOLPC" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" 221.237.34.71 - - [31/Oct/2006:21:28:15 +0800] "GET /moin/PyZhOLPC HTTP/1.1" 200 10609 "http://wiki.woodpecker.org.cn/moin/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 220.181.19.171 - - [31/Oct/2006:22:36:03 +0800] "GET /moin/PyZhOLPC?action=diff HTTP/1.1" 403 37 "-" "sogou spider" 220.181.19.171 - - [31/Oct/2006:22:36:24 +0800] "GET /moin/PyZhOLPC?action=info HTTP/1.1" 403 37 "-" "sogou spider" ... 210.87.138.6 - - [31/Oct/2006:22:55:48 +0800] "GET /moin/PyZhOLPC HTTP/1.1" 200 11200 "http://wiki.woodpecker.org.cn/moin/RecentChanges" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" ... 210.87.138.6 - - [31/Oct/2006:22:55:56 +0800] "GET /moin/PyZhOLPC?action=info HTTP/1.1" 200 12684 "http://wiki.woodpecker.org.cn/moin/PyZhOLPC" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 210.87.138.6 - - [31/Oct/2006:22:56:00 +0800] "GET /moin/PyZhOLPC?action=revert&rev=2 HTTP/1.1" 200 21723 "http://wiki.woodpecker.org.cn/moin/PyZhOLPC?action=info" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" ... 10.215.10.39 - - [31/Oct/2006:22:57:04 +0800] "GET /moin/PyZhOLPC HTTP/1.1" 200 23308 "http://wiki.woodpecker.org.cn/moin/RecentChanges" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.6) Gecko/20060803 Firefox/1.5.0.6 (Swiftfox)" ... }}} * 在Linux 中使用 Swiftfox 是俺! `PyZhOLPC?action=revert&rev=2` 的是好心`andelf` * ---> 所以`MSIE 7.0; Windows NT 5.1` 的家伙, 就是`suckmydick`!! 丫果然只会使用IE 还是废柴般的7.0!! ==== IP 追踪 ==== '''61.149.131.141''' * http://www.ip138.com 查询是:{{{ * 查询结果1:北京市 网通(通州区) * 查询结果2:北京市 网通ADSL }}} * {{{> traceroute 61.149.131.141 traceroute to 61.149.131.141 (61.149.131.141), 64 hops max, 44 byte packets 1 202.108.44.1 (202.108.44.1) 0.590 ms 0.526 ms 0.557 ms 2 61.135.148.177 (61.135.148.177) 0.672 ms 0.458 ms 0.440 ms 3 202.108.250.6 (202.108.250.6) 0.405 ms 0.492 ms 0.311 ms 4 202.108.46.5 (202.108.46.5) 0.528 ms 0.500 ms 0.444 ms 5 202.106.193.2 (202.106.193.2) 0.528 ms 0.586 ms 0.567 ms 6 202.106.36.10 (202.106.36.10) 1.655 ms 1.766 ms 1.569 ms 7 bt-204-010.bta.net.cn (202.106.204.10) 3.903 ms bt-204-014.bta.net.cn (202.106.204.14) 3.337 ms bt-204-010.bta.net.cn (202.106.204.10) 3.477 ms 8 * * * 9 * * * 10 * * * 11 * * * 12 * * * 13 * * * }}} 看来 23:41 的时候丫下线了... === 牵涉 === * {{{下午清除newbie007 10月27日在UsenetTroll页面的恶意篡改有关。见 http://wiki.woodpecker.org.cn/moin/UsenetTroll?action=info newbie007将UsenetTroll页面的Chris Qie全部改成了ZoomQuiet,也请封禁此用户。 也许 suckmydick、newbie007和Chris Qie是一个人。 }}} ==== newbie007 ==== * 帐号细节如下... `@ms.com` 可能是 http://www.morganstanley.com/ 一英国公司, * 但是`biilgates`应该也是伪名! 清除之! {{{> grep newbie007 * 1161892362.76.20266:name=newbie007 > cat 1161892362.76.20266 # Data saved '2006-10-27 03:53:44' for id '1161892362.76.20266' aliasname=newbie2007 css_url= date_fmt= datetime_fmt= disabled=0 edit_on_doubleclick=0 edit_rows=20 editor_default=text editor_ui=freechoice [email protected] enc_password={SHA}3S7bh+qet6Mv1AVydtOh+rhhwdU= language= last_saved=1161892424.08 mailto_author=0 name=newbie007 quicklinks= remember_last_visit=0 remember_me=1 show_fancy_diff=1 show_nonexist_qm=0 show_page_trail=1 show_toolbar=1 show_topbottom=0 subscribed_pages= theme_name=woodpecker tz_offset=0 want_trivial=0 wikiname_add_spaces=0 }}} == 截屏 == {{attachment:061031-spamer_768x336_scrot.png}} {{attachment:061031-spam_844x656_scrot.png}} |
啄木鸟维基再次受到攻击!
06-10-31.Spamer第3次袭来!
注册为 suckmydick 的东西
20:31 注册后就开始乱改,22:10左右被发现,22:15 发布警报;22:30清除注册名;在andelf和QiangningHong 的协助下 22:43 完成所有污染页面的清除,但是部分附件被恶意删除不能恢复!
- 倡议追踪此人,进行网络鄙视!!!
细节
# Data saved '2006-10-31 20:31:25' for id '1162297883.76.32758' aliasname= css_url= date_fmt= datetime_fmt= disabled=0 edit_on_doubleclick=0 edit_rows=20 editor_default=text editor_ui=freechoice [email protected] enc_password={SHA}5HxYCc1Ml/whq8zt/Yc6TKjZNkk= language= last_saved=1162297885.33 mailto_author=0 name=suckmydick quicklinks= remember_last_visit=0 remember_me=1 show_fancy_diff=1 show_nonexist_qm=0 show_page_trail=1 show_toolbar=1 show_topbottom=0 subscribed_pages= theme_name=woodpecker tz_offset=0 want_trivial=0 wikiname_add_spaces=0
日志分析
寻找Spamer! 
- 寻找一个被我们修正次数少的页面:
{{{/var/log/apache> tail -n 22500 httpd-access.log | grep PyZhOLPC | grep 31/Oct/2006 202.160.179.80 - - [31/Oct/2006:20:32:52 +0800] "GET /moin/PyZhOLPC HTTP/1.0" 200 20908 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp China; http://misc.yahoo.com.cn/help.html)" 61.149.131.141 - - [31/Oct/2006:21:23:18 +0800] "GET /moin/PyZhOLPC HTTP/1.1" 200 21710 "http://wiki.woodpecker.org.cn/moin/%E9%A6%96%E9%A1%B5" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" .. 61.149.131.141 - - [31/Oct/2006:21:23:21 +0800] "GET /moin/PyZhOLPC?action=edit&editor=text HTTP/1.1" 200 11209 "http://wiki.woodpecker.org.cn/moin/PyZhOLPC" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" 61.149.131.141 - - [31/Oct/2006:21:23:25 +0800] "POST /moin/PyZhOLPC HTTP/1.1" 200 11434 "http://wiki.woodpecker.org.cn/moin/PyZhOLPC?action=edit&editor=text" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" 61.149.131.141 - - [31/Oct/2006:21:23:38 +0800] "GET /moin/%E9%A6%96%E9%A1%B5 HTTP/1.1" 200 33459 "http://wiki.woodpecker.org.cn/moin/PyZhOLPC" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" 221.237.34.71 - - [31/Oct/2006:21:28:15 +0800] "GET /moin/PyZhOLPC HTTP/1.1" 200 10609 "http://wiki.woodpecker.org.cn/moin/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 220.181.19.171 - - [31/Oct/2006:22:36:03 +0800] "GET /moin/PyZhOLPC?action=diff HTTP/1.1" 403 37 "-" "sogou spider" 220.181.19.171 - - [31/Oct/2006:22:36:24 +0800] "GET /moin/PyZhOLPC?action=info HTTP/1.1" 403 37 "-" "sogou spider" ... 210.87.138.6 - - [31/Oct/2006:22:55:48 +0800] "GET /moin/PyZhOLPC HTTP/1.1" 200 11200 "http://wiki.woodpecker.org.cn/moin/RecentChanges" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" ... 210.87.138.6 - - [31/Oct/2006:22:55:56 +0800] "GET /moin/PyZhOLPC?action=info HTTP/1.1" 200 12684 "http://wiki.woodpecker.org.cn/moin/PyZhOLPC" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 210.87.138.6 - - [31/Oct/2006:22:56:00 +0800] "GET /moin/PyZhOLPC?action=revert&rev=2 HTTP/1.1" 200 21723 "http://wiki.woodpecker.org.cn/moin/PyZhOLPC?action=info" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" ... 10.215.10.39 - - [31/Oct/2006:22:57:04 +0800] "GET /moin/PyZhOLPC HTTP/1.1" 200 23308 "http://wiki.woodpecker.org.cn/moin/RecentChanges" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.6) Gecko/20060803 Firefox/1.5.0.6 (Swiftfox)" ... }}}
在Linux 中使用 Swiftfox 是俺! PyZhOLPC?action=revert&rev=2 的是好心andelf
---> 所以MSIE 7.0; Windows NT 5.1 的家伙, 就是suckmydick!! 丫果然只会使用IE 还是废柴般的7.0!!
IP 追踪
61.149.131.141
http://www.ip138.com 查询是:
* 查询结果1:北京市 网通(通州区) * 查询结果2:北京市 网通ADSL{{{> traceroute 61.149.131.141
traceroute to 61.149.131.141 (61.149.131.141), 64 hops max, 44 byte packets
- 1 202.108.44.1 (202.108.44.1) 0.590 ms 0.526 ms 0.557 ms 2 61.135.148.177 (61.135.148.177) 0.672 ms 0.458 ms 0.440 ms 3 202.108.250.6 (202.108.250.6) 0.405 ms 0.492 ms 0.311 ms 4 202.108.46.5 (202.108.46.5) 0.528 ms 0.500 ms 0.444 ms 5 202.106.193.2 (202.106.193.2) 0.528 ms 0.586 ms 0.567 ms 6 202.106.36.10 (202.106.36.10) 1.655 ms 1.766 ms 1.569 ms 7 bt-204-010.bta.net.cn (202.106.204.10) 3.903 ms bt-204-014.bta.net.cn (202.106.204.14) 3.337 ms bt-204-010.bta.net.cn (202.106.204.10) 3.477 ms 8 * * * 9 * * *
10 * * * 11 * * * 12 * * * 13 * * * }}} 看来 23:41 的时候丫下线了...
牵涉
{{{下午清除newbie007 10月27日在UsenetTroll页面的恶意篡改有关。见
http://wiki.woodpecker.org.cn/moin/UsenetTroll?action=info newbie007将UsenetTroll页面的Chris Qie全部改成了ZoomQuiet,也请封禁此用户。
也许 suckmydick、newbie007和Chris Qie是一个人。 }}}
newbie007
帐号细节如下... @ms.com 可能是 http://www.morganstanley.com/ 一英国公司,
但是biilgates应该也是伪名! 清除之!
{{{> grep newbie007 * 1161892362.76.20266:name=newbie007 > cat 1161892362.76.20266 # Data saved '2006-10-27 03:53:44' for id '1161892362.76.20266' aliasname=newbie2007 css_url= date_fmt= datetime_fmt= disabled=0 edit_on_doubleclick=0 edit_rows=20 editor_default=text editor_ui=freechoice email=[email protected] enc_password={SHA}3S7bh+qet6Mv1AVydtOh+rhhwdU= language= last_saved=1161892424.08 mailto_author=0 name=newbie007 quicklinks= remember_last_visit=0 remember_me=1 show_fancy_diff=1 show_nonexist_qm=0 show_page_trail=1 show_toolbar=1 show_topbottom=0 subscribed_pages= theme_name=woodpecker tz_offset=0 want_trivial=0 wikiname_add_spaces=0 }}}
截屏
