
Alden Bates' Weblog

Feigning normality since 1973

Pukiwiki spammer

Filed in: Spam.

So recently one idiot has been attempting to spam my comments here repeatedly. Despite getting 403 errors, he continues to blat the script 150 or so times per go, sometimes 30 or 40 times per second. Most of the hits originated from the RIPE network (Europe, plus bits of Asia and the Middle East), so these are likely compromised computers. Some hits were from IP addresses owned by photobucket.com (I've notified them).

The spam comments were random text from other sites, and random names - the common factor was the links to files on three pukiwiki sites (www.kde.gr.jp, fansub.andrewlb.com, and laszlo.jp). The pages linked to were user-uploaded files (webmasters, don't let random people upload files willy-nilly! That's just asking for trouble!) containing spammy porn terms and encrypted JavaScript redirecting users to alien.js on ncfab.org. alien.js fakes an error page and logs the hit if it happens to be coming from a search engine (and probably infects the browser with a nasty virus).

ncfab.org may, at one time, have been owned by the "Nordic Centre For Artists' Books", but the current registration info is fake (the Cyprus address belongs to a real estate agent), so it's probably either expired or been hijacked.

Bruce Simpson believes that the problem of zombie PCs may ultimately solve itself when terrorists realise they can pay hackers who have networks of compromised PCs to DOS important sites. At this point, the botnet problem would suddenly become very important to the US government. Personally I doubt any terrorist groups would bother...

Posted December 15, 2006 7:33 PM

Comments

I can see it now: "Protect your PC from terrorists: Wrap it in duct tape."

--

My self-made guestbook is getting the same problem - spammers keep hitting it, even though it's completely useless to them now.

If this continues, I might try to get two birds with one stone by 301-redirecting anyone with a blocked IP to one of the websites that they advertise...

Posted by: Arancaytar | December 15, 2006 10:55 PM

Hi. I'm one of the maintainers of PukiWiki.

I also found this type of attach-spamming, on the old version's PukiWiki at several sites, from this week.

About kde.gr.jp, I noticed it at December 12, then they update and/or cleanup and/or stop these PukiWikis. (I'm surprised they notice me closing by one hour)

About fansub.andrewlb.com, I found and noticed about one PukiWiki yesterday. The webmaster said s/he will notify that to the client, and will correct by her/himself if the client didn't correct that by one day.

About laszlo.jp, I don't find the doubtful path of URL, but I noticed this topic to the webmaster.

I will (re-)post this matter to PukiWiki users by ML and official site.

Thanks

Posted by: heno | December 16, 2006 12:57 AM

Hi, I was told about the issue by one of the pukiwiki admins. The issue was a site I was hosting for a friend, and it's been resolved insofar as I am aware.
Sorry for the bother it's caused.

Posted by: AndrewLB | December 16, 2006 3:35 AM

Cool, glad you've resolved the problem on your site. :)

Posted by: Alden Bates | December 16, 2006 8:57 AM

Puki wiki wiki wild west.

Posted by: Artemus Gordon | December 28, 2006 7:38 PM
