Random numbers edits on wikis
On my other wiki, I’ve had a rash of edits where the editor left random numbers and nothing else. Added on to blank pages, and at the bottom of populated pages. The numbers are always different. Here are some examples:
336234641135702647895605 - 200.176.229.236 cm-virtua-poa-C8B0E5EC.dynamic.brdterra.com.br
777322549507730590193372 - 200.179.207.13 20713.rjo.virtua.com.br
462763863953269399265857 - 65.98.32.16 FortressITX
14755179620817222574718 - 66.114.171.47 bizsig.webex.com
432350101939458677857224 - 218.119.214.71 softbank218119214071.bbtec.net
278494673457118851373917 - 130.227.200.43 Tele2 in Denmark
57490997966354632647955 - 64.12.187.244 egweb-m01.groups.aol.com
They had two different user agents:
“-”
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
One of the IP addresses also tried to validate an account on my forum on that site - and the same code was entered from several IP addresses, some trying several times:
222.105.77.236
59.7.18.115
80.58.205.35
130.227.200.43
219.144.196.226
User agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
The username was: splitcam2008
And it’s been used on other forums, with spammed profiles spamvertizing this domain:
splitcamera.com
Registered at joker, with this whois:
Removed whois, because of this discussion about the splitcamera spamming.
Remember, one misused IP address could be used by several spammers, so one may not necessarily be connected to the other.
Speculation?
Update:
Will at Nanonengineer has collected more speculation
June 24th, 2006 at 7:28 am
I remember a while ago Justin Mason pointing out breadcrumbs left by Nigerian scammers to say “I’ve done this one”. I wonder if it’s a variation on that theme.
Or just broken spamware.
June 24th, 2006 at 8:16 am
To Matt,
I doubt it. Some of the pages were absolutely virginal. They had never had content added to them.
June 24th, 2006 at 2:03 pm
No idea if they’re related, but I got a few spam posts for numeric domains on one of my forums today, e.g.
416983032 [url=h*tp://www_480429077_com]480429077[/url] h*tp://www_139138793_com
That was the entire post (slightly edited: dots to underscores and h*tp instead of http to prevent linkage)
June 24th, 2006 at 2:04 pm
I’m just curious why you allow blank user agents on your sites.
Install a good UA filter and it’ll stop a lot of automated tools.
Also, consider putting a captcha on your wiki to stop the rest.
June 24th, 2006 at 8:09 pm
Some sort of test/probe perhaps? Maybe they send the bots back later to see if the random numbers are still there. If they are, it means:
1) “whatever this bot is doing” got through, i.e. they’re testing the defenses of the website, and
2) the wiki is not well-policed, and thus a better target for wiki-spamming.
June 24th, 2006 at 10:19 pm
Recently I have seen similar edits a lot. It is not a recent invention though this pattern is new and it seems more common lately. On my honeypot wiki, one was done as page section edit of the last section on the page and only added 47614383212899288105565. What seems most likely to me is testing for unmonitored wikis like Chris said. I have yet to see any proof of it though. I am really interested to find out if there are any hits later to those pages that seem unusual, especially a search engine referrer looking for that string of numbers.
June 30th, 2006 at 11:58 am
Yeah, we’ve been getting a *lot* of these. Numeric strings of either 18 or 20 characters long; often but not always creating a new page.
A friend speculates that they are a malfunctioning spambot.
We’re using MediaWiki software, and just enabled proxy blocking ($wgEnableSorbs), and I just added $wgSpamRegex, which blocks edits that include the prohibited matched text. I think I’m going to add 16-digit numeric strings to the $wgSpamRegex and see if that helps.
July 8th, 2006 at 12:59 pm
I’ve also been seeing a lot of this on a MediaWiki installation. Laura, thanks for the info about $wgEnableSorbs. Here is what I just added to my $wgSpamRegex; I don’t yet know if it will catch these things:
“^\s*[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]+\s*$”.
I made this the last item (right before the “/i” line), so I added “|” to the end of the previous regex to “or” this in with the others. The period at the end is a string concatenation. I found info about PHP regexes at http://weblogtoolscollection.com/regex/regex.php.
July 9th, 2006 at 2:09 pm
It turns out I got too clever, trying to use “^” and “$” to identify the beginnings and endings of lines. That didn’t catch the numerical spam. Also I didn’t previously know about “{m,n}” as a regex way to specify a number of repetitions. Here’s what I’ve got now: “[0-9]{20,50}”
July 21st, 2006 at 8:16 am
Thanks Will, that seems to be working on my site!
These numbers were driving me crazy. I still have no clue what they are…
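The two $wgSpamRegex attempts from the comments above, compared side by side on constructed page texts. This is an added example, not code from the post or from MediaWiki. It assumes the filter is matched against the full saved text, uses Python's `re` as a stand-in for PHP's regex engine (the `^`, `$` and `{m,n}` behaviour shown is the same), and adds a hypothetical third pattern, `LINE_ONLY`, that is not from the thread.

```python
import re

# First attempt, copied from the comment above: without a multiline flag,
# "^" and "$" anchor to the start and end of the whole text, not each line.
ANCHORED = re.compile(
    r"^\s*[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]"
    r"[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]+\s*$"
)
# Second attempt, copied from the follow-up comment: matches anywhere.
UNANCHORED = re.compile(r"[0-9]{20,50}")
# Hypothetical variant (assumption, not from the thread): a line holding
# nothing but 18+ digits, so the 18-digit strings reported above are caught
# and long numbers inside ordinary sentences are left alone.
LINE_ONLY = re.compile(r"^[ \t]*[0-9]{18,}[ \t]*$", re.MULTILINE)

PATTERNS = {"anchored": ANCHORED, "unanchored": UNANCHORED, "line_only": LINE_ONLY}

# Constructed page texts as they would look after the edit is saved.
# The two long numbers are examples quoted on this page; the rest are made up.
SAMPLES = {
    "blank_page": "336234641135702647895605",
    "appended_23": "== History ==\nSome article text.\n47614383212899288105565\n",
    "appended_18": "Some article text.\n123456789012345678\n",
    "inline_serial": "The label reads serial 12345678901234567890 on the back.",
    "phone": "Call 5551234567 for details.",
}


def blocked_by(text):
    """Return the sorted names of the patterns that would reject this text."""
    return sorted(name for name, pat in PATTERNS.items() if pat.search(text))


def report():
    """Map each sample name to the list of patterns that block it."""
    return {name: blocked_by(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:14} blocked by: {', '.join(hits) or 'nothing'}")
```

The anchored pattern only fires when the number is the entire text, so numbers appended to populated pages pass it; the unanchored one catches those but also rejects a legitimate sentence containing a 20-digit number and lets 18-digit strings through.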