Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Wikipedia: Mediawiki

bot intrusion?

  

 
Wikipedia mediawiki RSS feed   Index | Next | Previous | View Threaded


Hullen at t-online

Aug 11, 2008, 12:35 PM

Post #1 of 10 (1293 views)
Permalink
bot intrusion?
Hallo,

in the apache logfiles of my Wiki

http://arktur.de/Wiki

I find sometimes such lines (shortened):


"GET /Wiki/index.php?title=http://example.tld/some-side.htm? HTTP/1.1" 301
"GET /Wiki/index.php?title=Http://example.tld/some-side.htm%3F HTTP/1.1" 200

They always differ in "[Hh]ttp" and in "htm(?|%3F)", the second line is
always accepted from Mediawiki.

I had updated Mediawiki last week to 1.12.0 - no change.

Is that a behaviour which may be dangerous?

Viele Gruesse!
Helmut

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l[at]lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l


michael.daly at kayakwiki

Aug 11, 2008, 3:13 PM

Post #2 of 10 (1261 views)
Permalink
Re: bot intrusion? [In reply to]
Helmut Hullen wrote:

> "GET /Wiki/index.php?title=http://example.tld/some-side.htm? HTTP/1.1" 301
> "GET /Wiki/index.php?title=Http://example.tld/some-side.htm%3F HTTP/1.1" 200


That's spam. Example.tld is likely coming from Russia (i.e. the real
domain is something.ru) - at least that's what I'm getting.

I've added some statements to my Apache <VirtualHost> sections to use
mod_rewrite to send back a 403 (forbidden URL) message:

RewriteCond %{REQUEST_URI} ^title=.*http: [OR,NC]
RewriteCond %{REQUEST_URI} ^/index\.php/.*http: [OR,NC]
#... other forbidden stuff...
RewriteRule ^(.*)$ http://example.com [F,L,R]

That seems to catch most of it.

Mike




_______________________________________________
MediaWiki-l mailing list
MediaWiki-l[at]lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l


Hullen at t-online

Aug 12, 2008, 12:02 AM

Post #3 of 10 (1263 views)
Permalink
Re: bot intrusion? [In reply to]
Hallo, Michael,

Du (michael.daly) meintest am 11.08.08:

>> "GET /Wiki/index.php?title=http://example.tld/some-side.htm? HTTP/1.1" 301
>> "GET /Wiki/index.php?title=Http://example.tld/some-side.htm%3F HTTP/1.1" 200


> That's spam. Example.tld is likely coming from Russia (i.e. the real
> domain is something.ru) - at least that's what I'm getting.

Some days ago I got more than 16 requests from Canada.

> I've added some statements to my Apache <VirtualHost> sections to use
> mod_rewrite to send back a 403 (forbidden URL) message:

> RewriteCond %{REQUEST_URI} ^title=.*http: [OR,NC]
> RewriteCond %{REQUEST_URI} ^/index\.php/.*http: [OR,NC]
> #... other forbidden stuff...
> RewriteRule ^(.*)$ http://example.com [F,L,R]

Thanks - I'll try.

Viele Gruesse!
Helmut

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l[at]lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l


Hullen at t-online

Aug 25, 2008, 1:28 PM

Post #4 of 10 (1182 views)
Permalink
Re: bot intrusion? [In reply to]
Hallo, Michael,

Du (michael.daly) meintest am 11.08.08:

>> "GET /Wiki/index.php?title=http://example.tld/some-side.htm?
>> HTTP/1.1" 301 "GET /Wiki/index.php?title=Http://example.tld/some-sid
>> e.htm%3F HTTP/1.1" 200


> That's spam. Example.tld is likely coming from Russia (i.e. the real
> domain is something.ru) - at least that's what I'm getting.

> I've added some statements to my Apache <VirtualHost> sections to use
> mod_rewrite to send back a 403 (forbidden URL) message:

> RewriteCond %{REQUEST_URI} ^title=.*http: [OR,NC]
> RewriteCond %{REQUEST_URI} ^/index\.php/.*http: [OR,NC]
> #... other forbidden stuff...
> RewriteRule ^(.*)$ http://example.com [F,L,R]

> That seems to catch most of it.

Doesn't work - sorry.

Just another idea:
This spambot always asks "<wiki-dir>/index.php", and that skript always
could detect

title=http://xyz
or
title=Http://xyz

In my Wiki I've never seen an allowed query string with an URL as title:
mediawiki should (as far as I can see) detect such titles as errors.

How and where could I patch the "index.php"?

Viele Gruesse!
Helmut

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l[at]lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l


brion at wikimedia

Aug 25, 2008, 3:25 PM

Post #5 of 10 (1187 views)
Permalink
Re: bot intrusion? [In reply to]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Helmut Hullen wrote:
> In my Wiki I've never seen an allowed query string with an URL as title:
> mediawiki should (as far as I can see) detect such titles as errors.
>
> How and where could I patch the "index.php"?

Sounds like you want the TitleBlacklist extension.

- -- brion
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkizMUEACgkQwRnhpk1wk471zwCgqkg+PG9YAW16Zwd60vhcKV/6
SzQAnAka7uYdeXAJ9udHsXeAugdv88NO
=fHpz
-----END PGP SIGNATURE-----

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l[at]lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l


Hullen at t-online

Aug 26, 2008, 4:11 AM

Post #6 of 10 (1184 views)
Permalink
Re: bot intrusion? [In reply to]
Hallo, Brion,

Du (brion) meintest am 25.08.08:

>> In my Wiki I've never seen an allowed query string with an URL as
>> title: mediawiki should (as far as I can see) detect such titles as
>> errors.
>>
>> How and where could I patch the "index.php"?

> Sounds like you want the TitleBlacklist extension.

Should work ...
I've followed the instructions at

http://www.mediawiki.org/wiki/Extension:Title_Blacklist

I've created my own list:

http://arktur.de/Wiki/index.php?title=MediaWiki:Titleblacklist

with my special rule

index.php?title=[hH]ttp <autoconfirmed|noedit|errmsg=Fehlaufruf> # alles

but it doesn't send any error message if I call

http://arktur.de/Wiki/index.php?title=Http://hullen.mydyn.de

What is wrong?

Viele Gruesse!
Helmut

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l[at]lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l


Platonides at gmail

Aug 27, 2008, 2:25 PM

Post #7 of 10 (1174 views)
Permalink
Re: bot intrusion? [In reply to]
Helmut Hullen wrote:
> with my special rule
>
> index.php?title=[hH]ttp <autoconfirmed|noedit|errmsg=Fehlaufruf> # alles
>
> but it doesn't send any error message if I call
>
> http://arktur.de/Wiki/index.php?title=Http://hullen.mydyn.de
>
> What is wrong?
>
> Viele Gruesse!
> Helmut

Your entry should be
[hH]ttp <autoconfirmed|noedit|errmsg=Fehlaufruf> # alles

I don't know the topic of your wiki, but i'd check against http:// just
in case someone want to create an article about the protocol. Also, the
check is case insensitive (casesensitive wasn't specified), so no need
for [hH]


_______________________________________________
MediaWiki-l mailing list
MediaWiki-l[at]lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l


Hullen at t-online

Aug 28, 2008, 4:59 AM

Post #8 of 10 (1171 views)
Permalink
Re: bot intrusion? [In reply to]
Hallo, Platonides,

Du (Platonides) meintest am 27.08.08:

>> with my special rule

>> index.php?title=[hH]ttp <autoconfirmed|noedit|errmsg=Fehlaufruf>
>> # alles
>>
>> but it doesn't send any error message if I call
>>
>> http://arktur.de/Wiki/index.php?title=Http://hullen.mydyn.de
>>
>> What is wrong?

> Your entry should be
> [hH]ttp <autoconfirmed|noedit|errmsg=Fehlaufruf> # alles

I've changed the entry in

http://arktur.de/Wiki/MediaWiki:Titleblacklist

to

http <autoconfirmed|noedit|errmsg=Fehlaufruf> # alles

but it still doesn't work:

http://arktur.de/Wiki/index.php?title=http://hullen.mydyn.de

is still allowed

> I don't know the topic of your wiki, but i'd check against http://
> just in case someone want to create an article about the protocol.

Mediawiki doesn't allow "http://" - sorry.
May I put this string into "<nowiki>"?

What ist (still) wrong?


Viele Gruesse!
Helmut

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l[at]lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l


Platonides at gmail

Aug 28, 2008, 7:41 AM

Post #9 of 10 (1161 views)
Permalink
Re: bot intrusion? [In reply to]
Helmut Hullen wrote:
> I've changed the entry in
>
> http://arktur.de/Wiki/MediaWiki:Titleblacklist
>
> to
>
> http <autoconfirmed|noedit|errmsg=Fehlaufruf> # alles
>
> but it still doesn't work:
>
> http://arktur.de/Wiki/index.php?title=http://hullen.mydyn.de
>
> is still allowed

However, http://arktur.de/Wiki/index.php?title=Http&action=edit is not
So you'd need http.*

> Mediawiki doesn't allow "http://" - sorry.
> May I put this string into "<nowiki>"?

Internally, the separator is /, you'd need to escape them: http:\/\/.*


_______________________________________________
MediaWiki-l mailing list
MediaWiki-l[at]lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l


Hullen at t-online

Sep 12, 2008, 4:42 AM

Post #10 of 10 (1054 views)
Permalink
Re: bot intrusion? [In reply to]
Hallo, Platonides,

Du (Platonides) meintest am 28.08.08:

>> I've changed the entry in
>>
>> http://arktur.de/Wiki/MediaWiki:Titleblacklist
>>
>> to
>>
>> http <autoconfirmed|noedit|errmsg=Fehlaufruf> # alles
>>
>> but it still doesn't work:
>>
>> http://arktur.de/Wiki/index.php?title=http://hullen.mydyn.de
>>
>> is still allowed

> However, http://arktur.de/Wiki/index.php?title=Http&action=edit is
> not So you'd need http.*

>> Mediawiki doesn't allow "http://" - sorry.
>> May I put this string into "<nowiki>"?

> Internally, the separator is /, you'd need to escape them:
> http:\/\/.*

That doesn't do the job completely - sorry.

Yesterday I had more than 40 pairs of bot tries like the following:

a-b-c-216-020-xxx.example.com - - [11/Sep/2008:14:30:16 +0200] "GET
/Wiki/index.php?title=Http://204.2.183.2/babycaleb/index.htm%3F HTTP/
1.1" 200 9244 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;
.NET CLR 1.1.4322; .NET CLR 2.0.50727)"
a-b-c-216-020-xxx.example.com - - [11/Sep/2008:14:30:16 +0200] "GET
/Wiki/index.php?title=http://204.2.183.2/babycaleb/index.htm? HTTP/1.1"
301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR
1.1.4322; .NET CLR 2.0.50727)"

(URLs changed in some places)

Mediawiki accepts the first try and rejects the second.

And I don't know what happens with the accepted request.

I've looked into the file "index.php"; a switch " String 'http://' is
forbidden" or so may do the desired job, but I don't know where is the
best place for it.

Viele Gruesse!
Helmut

_______________________________________________
MediaWiki-l mailing list
MediaWiki-l[at]lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l

Wikipedia mediawiki RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact lists@gossamer-threads.com
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.