Every special page wiki spammer
I had a visit from a spammer that spams every special page that I’ve never heard of on MediaWiki. Pages with weird names. Pages that didn’t exist, because most of them were talk pages for possibly existing pages. I have no idea how many pages he spammed. More than 30, would be my guess. He also tagged some talk pages for existing users. And he completely filled them with porn links.
So, here’s a short rundown. I’ve got more, but will try to condense it some.
IP addresses used to spam from. Interesting, because the first five I checked were all Asian.
The spamvertized domains were:
1domiks.org
1ebalo.org
1foleks.org
1golod.org
1hrens.org
1ibanusiks.org
1jolla.org
IP addresses of webhosts:
74.52.17.161
74.52.17.162
74.52.17.163
The pages all had iframes that showed an affiliate page at 100 % of width and 5000 pixels height.
Affiliate: yourfreevids.com id=751
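An added example, not from the original post: a Python check that scans saved page HTML for the kind of iframe described above (full width, several thousand pixels tall, external source) and reports the framed host. The height threshold, the function names and the sample markup with `.example` hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

MIN_HEIGHT_PX = 2000  # assumed threshold; the post reports 5000 px

# Constructed sample markup, not captured from the incident.
SAMPLE = '''
<p>Talk page text</p>
<iframe src="http://affiliate.example/?id=0" width="100%" height="5000"></iframe>
<iframe src="http://video.example/embed/1" width="560" height="315"></iframe>
<IFRAME SRC="//spam.example/x" STYLE="width:100%; height: 5000px"></IFRAME>
<iframe src="/local/help" width="100%" height="5000"></iframe>
'''

def _dimension(attrs, name):
    """Read width/height from the attribute, falling back to inline style."""
    value = attrs.get(name)
    if not value:
        m = re.search(r"(?:^|;)\s*%s\s*:\s*([^;]+)" % name,
                      attrs.get("style", ""), re.I)
        value = m.group(1) if m else ""
    return value.strip().lower()

def _pixels(value):
    """Pixel count for '5000' or '5000px'; None for percentages etc."""
    m = re.fullmatch(r"(\d+)(?:px)?", value)
    return int(m.group(1)) if m else None

class IframeScanner(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host, self.hits = own_host, []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        height = _pixels(_dimension(a, "height")) or 0
        full_width = _dimension(a, "width") == "100%"
        # Relative (same-site) sources have no host and are skipped.
        if host and host != self.own_host and full_width and height >= MIN_HEIGHT_PX:
            self.hits.append((host, height))

def find_wrapper_iframes(page_html, own_host):
    """Return (framed_host, height_px) for each page-sized external iframe."""
    scanner = IframeScanner(own_host)
    scanner.feed(page_html)
    return scanner.hits
```
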
These e-mail addresses were used:
krun@mail333.com
letuns@mail333.com
stoker@mail333.com
Whois info is most likely fake, but here it is, in case someone’s searching for exactly that data:
Registrant Name:Bilanov
Registrant Organization:1dil
Registrant Street1:Vore 67543
Registrant City:Blin
Registrant State/Province:0
Registrant Postal Code:15478
Registrant Country:MX
Registrant Phone:+746.786546786
Registrant Name:Kakauya raznica
Registrant Organization:1hren
Registrant Street1:ddd 15
Registrant City:Fedor city
Registrant State/Province:0
Registrant Postal Code:76454
Registrant Country:BR
Registrant Phone:+764.768456456
Registrant Name:Pizdec komuto
Registrant Organization:Pizdec
Registrant Street1:debilov 98746354
Registrant City:blya
Registrant State/Province:0
Registrant Postal Code:47852
Registrant Country:AR
Registrant Phone:+452.48678654467
——-
I checked Google for the e-mail addresses, and hit paydirt. One of the e-mail addresses had been used to spamvertize a subdomain on dia-host.com in January 2005.
The website is no longer active, but the whois is:
DiabloCompany
Diablo (admin@new-incest.com)
Garvard 2-10
Oklahoma
null,655158
ES
Tel. +91.2228797504
I found that exact whois info on coolsearcher.net, which has been found to contain malicious downloads (see the Description pane here). I also found references to new-incest.com at sites warning about CoolWebSearch hijackers.