Ticket/Wiki vandalism on MapGuide trac

[jng]

Someone/something is spamming a whole bunch of junk tickets and wiki content on the MapGuide trac instance.

​https://trac.osgeo.org/mapguide/timeline (see activity of Jun 29, 2016)

I don't seem to have any ability to ban these users or lock down the trac instance in any way.

Please advise proper procedure/solution ASAP.

[strk]

Please have a read at ​https://wiki.osgeo.org/wiki/Trac_Instances#Trac_Spam

Then visit the admin panel and mark spam entries as such: ​https://trac.osgeo.org/mapguide/admin/spamfilter/monitor

Please do the marking _before_ deleting the entries, so the bayes databas will have more data to use for next time.

Also keep a list of the spammer users so we can remove/block those accounts. Thanks.

[jng]

I don't seem to have a spam filter panel on the admin (​https://trac.osgeo.org/mapguide/admin/spamfilter/monitor displays "Unknown administration panel")

[jng]

Here's a list of spam users I've grepped so far:

5589
Mittchel001
balluji1989
buddhazon
bunty123
dinesh121
emilymorris912
jensi2
johnplay1
millerjuliabel
nagar85
nehashaikh1214
pranay221
seanpenn0903
shamkaruma
singhraghuram19
smmsmie
spyindia12
watpad6

[strk]

You should have the admin panel now. I have added you as SPAM_ADMIN. Please use with care. Thanks for the list. I'm doing bayes training too. Please check out the BadContent wiki page (see the wiki link) so we don't step on each other though...

And consider getting on #telascience IRC channel on freenode for live coordination

[strk]

All the reported users have been removed. I've seen the BadContent page has been improved, and the bayes database is also much stronger now :)

[jng]

It's been real interesting watching the timeline shrink and grow as the spammers/filters battle it out :)

Thanks for the swift responses.

[strk]

ubuntugis is also being hit by some of the same smappers, want to take a look / help with BadContent ?

The timeline shrinked also due to SQL DELETE statements :)

[jng]

I should actually be asleep now :) So before I sign off:

I don't think I'm admin on the Fusion trac instance. I think that instance could also be potentially vulnerable (that instance has no BadContent wiki page and I can't create wiki pages on that one)

Also some more spam users:

karan01
khalifa1

[strk]

Those two users are also gone now, and timeline is all clean. Thanks for your time and for the help you might give to others in your same situation.

I will make you SPAM_ADMIN on the Fusion trac instance too. File a ticket if you still cannot create that page when you wake up.

[neteler]

Replying to strk:

All the reported users have been removed. I've seen the BadContent page has been improved,

Could this improved BadContent page be propagated to the other trac instances?

[strk]

I'd be afraid of overriding some good content found in others. But I guess a script could be made to pick all distinct lines from all BadContent pages. Want to file it as a ticket ?

[jng]

More spam users to clean out

joyakn
john11
amskiemee

[strk]

Users removed, spam cleaned. NOTE: only one of these 3 accounts were created yesterday, the other were idle for longer:

 amskiemee: 20160629143105Z
 john11: 20160430220803Z
 joyakn: 20160509180402Z

[jng]

I see this junk ticket created by "Administrator": ​https://trac.osgeo.org/mapguide/ticket/2667

Is this an actual OSGeo admin (you or someone else on the SAC?)

[strk]

It's a spam user, idling since 2013 and with some mofifications from October 2015:

createTimestamp: 20130314092005Z
modifyTimestamp: 20151008045745Z
mail: evil.evolution@yahoo.com

[strk]

OSGeo user "administrator" deleted, and all its content on trac cleaned.

[jng]

More spam accounts

amksjimmee
joyak

[strk]

Deleted, togheter with 'officalravi4', also spamming mapguide. Spam content from them all cleaned. I've also done some bayes training on mapguide - we now have lots of spam entries known, but no ham.

[jng]

Nearly 2 weeks later, no spam activity since (yay!), but I did find some residual damage in some submitted tickets.

• ​https://trac.osgeo.org/mapguide/ticket/2188
• ​https://trac.osgeo.org/mapguide/ticket/727
• ​https://trac.osgeo.org/mapguide/ticket/1225
• ​https://trac.osgeo.org/mapguide/ticket/2505

The spam accounts modified the summary fields of these tickets, is it possible to rollback these summary field changes?

[strk]

It looks like my cleanup script was more destructive than intended. Records in "ticket_change" table include both old and new values on summary change, but the old value is replaced by the new value in teh "ticket" table.

So now the only way to find the original summary would be to find those values in some backup and bring it back. I'll look at improving the script to perform a better rollback.

[strk]

I've manually reset the summary to the value those 4 tickets had as of June 4th, 2016. Let me know if you find more ruined tickets.

The script was updated to properly rollback these kind of changes.

[jng]

Nope, that's the only ones I've encountered. Thanks.

[jng]

Actually, I missed these 2 tickets that still had spam summaries.

• ​https://trac.osgeo.org/mapguide/ticket/2405
• ​https://trac.osgeo.org/mapguide/ticket/2528

That's definitely the last of them (manually searched "tech" and "support" just to check)

[strk]

2405 and 2528 summary reverted to that of 2016-05-04

[jng]

More spammers:

karan12
jeshmin013

These spam users also made spam wiki content on this particular instance (osgeo) as well in addition to the MapGuide one. Check Aug 24 activity on the osgeo instance timeline

[strk]

Both users were created on August 24, 2016:

jeshmin013: 20160824204613Z madhurana013@gmail.com -- registered from 103.38.68.99
karan12: xcvcfngnhfg@gmail.com 20160824202750Z -- registered from 103.38.68.99

Another user created from that same IP is:

kolakola: mightywarner@gmail.com 20160826013806Z

User 'kolakola' hasn't been found spamming yet.

I've removed users karan12 and jeshmin013, cleaned up trac spam submitted by them and trained the spam filter for the "osgeo" trac instance (not for others, please do!).

The "mantra" is obviously in the hands of spammers by now, so I changed it.

Please file a *new* ticket for future spam users reports.

[strk]

For the record: I've found spam attempts by 'kolakola' against the osgeo trac instance (successfully blocked by the spam filter) and thus disabled the account.