Wiki editing blocked (vandalism)

I decided to block any form of editing to the ossec wiki for reasons of vandalism. If you look at the wiki recent changes page you will see the changes that were made. Most of them were very strange to me, like removing every + (plus) from the pages or removing all the content (without adding any spam link or anything). Anyone seeing similar patterns?

After some log analysis I found that all the changes were made by the same IP address (200.238.102.170) across the last three days…

Sample log:


200.238.102.162 – - [11/Apr/2007:18:00:35 -0300] “GET /wiki/index.php?title=Log_Samples_Lotus_Domino&action=edit HTTP/1.1″ 200 6702 “http://www.ossec.net/wiki/index.php/Log_Samples_Lotus_Domino” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)”

200.238.102.170 – - [11/Apr/2007:17:08:36 -0300] “GET /wiki/index.php?title=Log_Samples_Solaris&action=edit HTTP/1.1″ 200 6667 “http://www.ossec.net/wiki/index.php/Log_Samples_Solaris” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)”

How do you guys handle vandalism/spam on your wikis? Any suggestion? Until I can find a solution to this, send me an e-mail if you need to edit the wiki.

This entry was posted in log analysis, wiki. Bookmark the permalink.

2 Responses to Wiki editing blocked (vandalism)

  1. eh says:

    Hi Daniel.

    I read this yesterday:
    http://linuxbox.org/pipermail/funsec/2007-April/011747.html

    Coincidence ? I don’t think so.

    cheers

  2. I use pmWiki, and use .htpasswd for authentication

    but this may be a lot of work for your site?

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>