One trojan coming up

Someone at 195.24.194.5 created a new page on my wiki. I decided to check that IP address out. It’s got a long and distinguished career in wiki spam, and it’s an open proxy. I believe wiki spammers are creating new orphan pages to spam. That would make more sense than defacing pages that already hold content, right? And it might quietly flit by a busy admin without him or her noticing.

Anyway, I looked for wiki spam, and one of the users of said proxy had a very interesting page. At scarletton.teenposes.com/bankers-long-term-care-insurance.html I found an iframe that pointed to 195.225.177.33. That then 302-redirected to 195.225.177.33/vx/, where I found a trojan waiting to be downloaded.
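A defender-side check that follows from the above, added here as an example and not code from the original post: scan newly created wiki pages for iframes that point off-site, and flag the ones whose target is a bare IP address or that are sized to be invisible. The sample pages, the host name wiki.example.net and the function names are constructed for the example.

```python
import re
import ipaddress
from urllib.parse import urlparse
# Tag-level regexes; enough for wiki page source, not a full HTML parser.
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_ATTR = re.compile(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
HIDDEN = re.compile(r"\b(?:width|height)\s*=\s*[\"']?0\b|display\s*:\s*none", re.IGNORECASE)

def _host_of(src):
    """Hostname of an iframe src ('' for a relative, same-site link)."""
    if src.startswith("//"):
        src = "http:" + src
    elif "://" not in src:
        src = "http://" + src
    return (urlparse(src).hostname or "").lower()

def _is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def suspicious_iframes(page_text, own_hosts):
    """Off-site iframes in one page, with the signals worth alerting on."""
    findings = []
    for tag in IFRAME_TAG.findall(page_text):
        m = SRC_ATTR.search(tag)
        host = _host_of(m.group(1)) if m else ""
        if not host or host in own_hosts:
            continue  # no src, or a same-site embed: not what we are hunting
        findings.append({"src": m.group(1), "host": host,
                         "bare_ip": _is_bare_ip(host),          # raw IP instead of a name
                         "hidden": bool(HIDDEN.search(tag))})  # zero-size or display:none
    return findings

def flag_new_pages(pages, own_hosts):
    """{title: findings} for every recently created page with an off-site iframe."""
    found = {t: suspicious_iframes(text, own_hosts) for t, text in pages.items()}
    return {t: f for t, f in found.items() if f}

# Constructed sample: one spam-style orphan page and one legitimate page.
# 192.0.2.10 is a documentation address, not a real host.
SAMPLE_PAGES = {
    "bankers-long-term-care-insurance":
        '<p>insurance quotes</p><iframe src="http://192.0.2.10/" width="0" height="0"></iframe>',
    "HomePage": 'Welcome. <iframe src="/Calendar"></iframe>',
}
```

Run it over the text of every page listed in RecentChanges; anything flagged with a bare-IP or hidden iframe is worth a look before the page is allowed to stay.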

I don’t have a clue what it does (not coming near my system!), but the name of the file is win32.exe.

The host is netcathost in Ukraine. Ukraine is the home of a LOT of spam, so that’s not surprising.

I went further, trying to figure out who owns this thing…

I found a domain on that server, with this whois info:

Danyelle Christian
Danyelle Christian (mortiis@ukr.net)
Chocho Street 16
Highland Beach
null,96365
US
Tel. +09.6070231

Fake name and address, in other words.

Those domains and that whois info have been implicated in browser hijacking in the past. McAfee christened a trojan associated with one of the domains StartPage-FX.

2 Responses to “One trojan coming up”

  1. Halz Says:

    Some wiki spammers have automated the process of creating orphan pages. The pages are given garbled textual names or just numeric names.

    As you say. It’s a good way to sneak under the radar, particularly on small wikis where the administrator is only really using it as a single-page wiki.

    It can’t be a very good page rank tactic though, because an orphan page by definition does not have any incoming links (except temporarily on ‘recent changes’).

    Another similar trick I’ve noticed on mediawiki installations: The default installation makes links to various pages such as ‘General Disclaimer’. These pages are linked to throughout, but often administrators never bother to create a legitimate version of these default pages, and never notice if a spammer does the job for them. See http://wiki.chongqed.org//MediaWikiDefaultPagesSpam

  2. MeanRoy Says:

    I am being forced to make the script I use to fight my particular WikiSpammers more and more sophisticated. There is no built-in index command for PhpWiki1.2 and the spammers have been creating new pages and then spamming the “RecentChanges” page, forcing me to perform a search to see it. I don’t know what good they think this does since there are no links to the page.
    The most obnoxious spammer is one associated with o n - l i n e p h a r m a c y. I would SURE like to be able to retaliate somehow! This guy has a bot that works heaviest on the week-ends. Sometimes spamming repeatedly 10-20 pages over a period of a couple of hours.
    Roy.