Wiki SPAM!!!
I was quite surprised to find my server had been somewhat "compromised" so to speak. I was always focused on fighting spam in email, but overlooked other vulnerabilities.
Occasionally I would happen to notice strange wiki entry references in the logs. I never put two and two together until today. I saw where Google had a number of spam appearances attributed to my domain. So I scoured the logs more thoroughly and found the wiki server had been set up to allow "unauthenticated" posts. Amazing, and even more so that this is a default!?! I couldn't believe it.
The "unauthenticated user" had created a "Publications" entry back in 2008. Again, WTF?!? (And that isn't a reference to the CIA's "WikiLeaks Task Force" either...) There were, for the most part, what appeared to be legitimate posts. A lot of the entries had photos that added to the story. There were over 20 pages, each with many posts, going back to 2008. They were posted with somewhat frequent regularity. The latest was posted last night at 02:00 or so.
A quick Google search really didn't reveal a canned, step by step fix. I did see reference to how this configuration is a spam magnet. How true...
I decided to dive in to the configuration and see if I could figure it out. I don't know if this will work, but since my address has been a regular target, only a day or two will tell if I have been successful.
In the end, I created a group that has permissions to make / edit a wiki post (and I hope this rolls to the blog entries, too). Essentially, since this is a small server, it isn't difficult to manage. On a larger scale, an automated config should be created. In essence, I just added users to a group that allows wiki posts. The next step was to configure the wiki server to only accept posts from that group of users. (It was here in Server Admin that I finally noticed the "Wiki Allows Posts by Everybody" setting.)
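As an added illustration (not part of the original post, and not the wiki server's own code or configuration), here is a small Python sketch of the two posting policies described above: the "everybody may post" default next to a default-deny policy that only accepts members of a named group. The user names, the "wiki-authors" group and the page records are constructed for the example; the audit helper at the end shows how one would list the pages an unauthenticated user created.

```python
"""Default-deny posting policy for a small wiki, with an audit helper.

Added illustration, not code from the original post or from any wiki
product: the policy object, the user/group table and the page records
are all constructed here to contrast "allow posts by everybody" with
"allow posts only from members of a named group".
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

ANONYMOUS = None  # an unauthenticated request carries no user name

# Constructed group membership table (hypothetical users and groups).
GROUPS = {
    "alice": {"wiki-authors", "staff"},
    "bob": {"staff"},
}


@dataclass
class PostingPolicy:
    # The spam-magnet setting: anyone, including unauthenticated
    # visitors, may create or edit pages.
    allow_everybody: bool = False
    # Groups whose members may post when allow_everybody is False.
    allowed_groups: Set[str] = field(default_factory=set)


def can_post(policy: PostingPolicy, user: Optional[str]) -> bool:
    """Return True if `user` may create or edit a page under `policy`.

    Unauthenticated users are only accepted under the permissive
    "everybody" policy; otherwise the user must belong to at least one
    allowed group.  Unknown users have no groups and are denied, so the
    restrictive policy fails closed.
    """
    if policy.allow_everybody:
        return True
    if user is ANONYMOUS:
        return False
    return bool(GROUPS.get(user, set()) & policy.allowed_groups)


# The setting the post found switched on, and the corrected one.
DEFAULT_POLICY = PostingPolicy(allow_everybody=True)
HARDENED_POLICY = PostingPolicy(allow_everybody=False,
                                allowed_groups={"wiki-authors"})


@dataclass
class Page:
    title: str
    author: Optional[str]  # None means created by the unauthenticated user
    created: str           # ISO date string (constructed)


# Constructed page records resembling what the post describes.
PAGES = [
    Page("Home", "alice", "2008-01-10"),
    Page("Publications", None, "2008-06-02"),
    Page("Cheap Watches", None, "2010-11-30"),
]


def find_anonymous_pages(pages: List[Page]) -> List[str]:
    """Titles of pages created by the unauthenticated user, oldest first."""
    return [p.title for p in sorted(pages, key=lambda p: p.created)
            if p.author is ANONYMOUS]


if __name__ == "__main__":
    for label, policy in (("default", DEFAULT_POLICY),
                          ("hardened", HARDENED_POLICY)):
        for user in (ANONYMOUS, "bob", "alice", "mallory"):
            name = user or "<anonymous>"
            print(f"{label:8} {name:12} -> {can_post(policy, user)}")
    print("pages created anonymously:", find_anonymous_pages(PAGES))
```

The point of the sketch is the failure mode in `can_post`: with `allow_everybody` on, the group check is never reached, so a wiki "compromise" like the one above needs no stolen credentials at all, only the default setting. Flipping it off and naming a group is the whole fix; the audit helper is what you run afterwards to find what the anonymous user left behind.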
Sheesh! For folks like me, I would sure appreciate the default to explicitly reject posts by everyone and require specific permissions. It makes me wonder just how many other compromised installations may be scattered around the Internet. Even more interesting, it makes me think of some of the Google links I have followed... Some of the posts buried in my wiki / blog server looked suspiciously similar in content and style to ones I have visited.
Sure the idea is to drive traffic to your server... But this is NOT the right method!