06-10-31.Spamer第3次袭来!

• 注册为 suckmydick 的东西

  • 20:31 注册后就开始乱改,22:10左右被发现,22:15 发布警报;22:30清除注册名;在[wiki:andelf andelf]和QiangningHong 的协助下 22:43 完成所有污染页面的清除,但是部分附件被恶意删除不能恢复!

    • 倡议追踪此人,进行网络鄙视!!!

日志分析

• 根据 Apache 的日志记录:{{{219.142.250.46 - - [31/Oct/2006:23:04:26 +0800] "GET /moin/UsenetTroll?action=info HTTP/1.1" 200 21694 "http://wiki.woodpecker.org.cn/moin/UsenetTroll" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.0.7) Gecko/20061008 Firefox/1.5.0.7"

219.142.250.46 - - [31/Oct/2006:23:04:30 +0800] "GET /moin/UsenetTroll?action=AttachFile&do=del&target=b_9F9D4FFB7F3B520D.jpg HTTP/1.1" 200 11240 "http://wiki.woodpecker.org.cn/moin/UsenetTroll?action=info" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.0.7) Gecko/20061008 Firefox/1.5.0.7" 219.142.250.46 - - [31/Oct/2006:23:04:37 +0800] "GET /moin/FindPage HTTP/1.1" 200 19071 "http://wiki.woodpecker.org.cn/moin/UsenetTroll?action=AttachFile&do=del&target=b_9F9D4FFB7F3B520D.jpg" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.0.7) Gecko/20061008 Firefox/1.5.0.7" 219.142.250.46 - - [31/Oct/2006:23:08:05 +0800] "GET /moin/UsenetTroll HTTP/1.1" 200 18568 "http://wiki.woodpecker.org.cn/moin/RecentChanges" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.0.7) Gecko/20061008 Firefox/1.5.0.7" 219.142.250.46 - - [31/Oct/2006:23:08:08 +0800] "GET /moin/UsenetTroll?action=info HTTP/1.1" 200 21983 "http://wiki.woodpecker.org.cn/moin/UsenetTroll" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.0.7) Gecko/20061008 Firefox/1.5.0.7" 219.142.250.46 - - [31/Oct/2006:23:09:44 +0800] "GET /moin/UsenetTroll?action=diff&rev2=12&rev1=10 HTTP/1.1" 200 27499 "http://wiki.woodpecker.org.cn/moin/UsenetTroll?action=info" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.0.7) Gecko/20061008 Firefox/1.5.0.7" }}}

• 居然是使用 FireFox 的东西!!! 访问IP 是 219.142.250.46

IP 追查

{{{> traceroute 219.142.250.46 traceroute to 219.142.250.46 (219.142.250.46), 64 hops max, 44 byte packets

• 1 202.108.44.1 (202.108.44.1) 0.615 ms 0.566 ms 0.566 ms 2 61.135.148.177 (61.135.148.177) 0.528 ms 0.736 ms 0.439 ms 3 202.108.250.6 (202.108.250.6) 0.404 ms 0.594 ms 0.313 ms 4 202.108.46.5 (202.108.46.5) 0.530 ms 0.594 ms 0.567 ms 5 202.106.192.158 (202.106.192.158) 0.653 ms 0.729 ms 0.456 ms 6 202.96.13.170 (202.96.13.170) 1.390 ms 0.843 ms 0.692 ms 7 61.51.26.162 (61.51.26.162) 1.153 ms 2.090 ms 2.515 ms 8 203.135.160.6 (203.135.160.6) 3.095 ms 4.581 ms 4.314 ms 9 219.143.124.5 (219.143.124.5) 4.149 ms 3.727 ms 3.317 ms

10 bj141-130-98.bjtelecom.net (219.141.130.98) 3.528 ms 2.803 ms 2.677 ms 11 bj141-130-142.bjtelecom.net (219.141.130.142) 5.151 ms 4.655 ms 3.948 ms 12 219.142.250.46 (219.142.250.46) 5.334 ms 6.828 ms 5.566 ms 13 219.142.250.46 (219.142.250.46) 5.040 ms 10.212 ms 8.261 ms }}}

• http://www.ip138.com/ 查询得知是 北京市 电信 用户!

细节

• # Data saved '2006-10-31 20:31:25' for id '1162297883.76.32758'
  aliasname=
  css_url=
  date_fmt=
  datetime_fmt=
  disabled=0
  edit_on_doubleclick=0
  edit_rows=20
  editor_default=text
  editor_ui=freechoice
  [email protected]
  enc_password={SHA}5HxYCc1Ml/whq8zt/Yc6TKjZNkk=
  language=
  last_saved=1162297885.33
  mailto_author=0
  name=suckmydick
  quicklinks=
  remember_last_visit=0
  remember_me=1
  show_fancy_diff=1
  show_nonexist_qm=0
  show_page_trail=1
  show_toolbar=1
  show_topbottom=0
  subscribed_pages=
  theme_name=woodpecker
  tz_offset=0
  want_trivial=0
  wikiname_add_spaces=0

• attachment:061031-spamer_768x336_scrot.png

attachment:061031-spam_844x656_scrot.png