rogue_users_creating_pages

Differences

This shows you the differences between two versions of the page.

rogue_users_creating_pages [2012/11/05 09:30]
rogue_users_creating_pages [2015/04/10 07:32] (current)
Line 1: Line 1:
 +====== Cyber criminals misusing other peoples websites ======
  
 +The following is an overview and a list of people/identities/IP's who are either cyber criminals who have been trying to misuse my websites for SEO SPAMMING purposes and possibly other stuff as well as possibly IP's or people that have been misused as address holders for SPAMMERS and other cyber criminals.
 +
 +The addresses here could be people who could be innocent and the companies listed may not be aware that SPAMMERS are using such methods to artificially boosting SEO results.
 +
 +However this is so serious and unfortunately not the first time someone is trying to make it impossible for me to conduct business on the Internet.
 +
 +The last time something similar happened, instead of finishing coding my free application for people suffering from Aphasia, MS, ALS, Cerebral Palsy and other disabilities, I had to spend my entire holiday otherwise set aside for this cause to clean up in the mess that some cyber criminals had done to my pages.
 +
 +In an ironic twist of fate now precisely the same thing is happening again when I am attempting to launch a unique fund raiser for a notable cancer charity in the spirit of Movember.
 +
 +Either way - Please assist me in tracking down the individuals behind these pseudonyms IP's and email addresses and help me in contacting the companies as well and have them take action against those people who have possibly and quite probably fraudlently, sold their SEO boosting services to them, for they are in a way victims as well if they are not in the know of said methods.
 +
 +Help me in this endeavour, so that we can clean up the web and weed out those that have no purpose other than to leach on the works of others and who actively in doing so thwart efforts aimed, at making the lives of other people better and more enjoyable.
 +
 +I hope this list will not continue to grow and hope you will assist me in finding out who these people are so we can make it stop.
 +
 +I will try to be listing the findings of the investigation as I see appropriate.
 +
 +
 +====== Measures to take ======
 +
 +The first time it happened I was in a state of should I say panic, I removed files - set up temporary index files and meticolously scanned each and every file as the automated backups done by the provider unfortunately were also tainted to a degree that I basically had to start from scratch.
 +
 +This time around I have tried to block user creation etc. and hopefully tightening security enough on the installation enough to prevent any further privilege escalations.
 +
 +I am considering abandoning altogether the wiki structure altogether and making my own page generation tool in HTML - but it seems like a very drastic move.
 +
 +===== Disable DokuWiki actions: =====
 +
 +There are a slew of recommendations from the Dokuwiki team - but here are a couple that were not set by default, probably as it kinda defeats the purpose of the wiki concept as a collaborative tool.
 +
 +**Register** - To prevent new users from being created
 +
 +**Update Profile** - To prevent the people from changing their details to avoid detection etc.
 +
 +==== Contact ====
 +
 +Contacted Google: http://support.google.com/mail/bin/request.py?&contact_type=abuse
 +
 +I am in the discovery process at the moment but during this investigation I will be, where I deem it appropriate be trying to contact companies who have been involved. They are also welcome to contact me.
 +
 +I will likely be contacting law enforcement agencies in the countries where said pages and users/IP's are registered (block wise) so that they can take action if they deem it is possible and needed.
 +
 +I will be contacting security specialists and try to list some strategies on how to avoid these kind of problems in the future.
 +
 +The ISP's behind the IP addresses, the ISP behind the email addresses, as well as the hosting companies behind the companies.
 +
 +It might be possible to shut the companies down that hire blackhat's to boost their marketing unless they are willing to engage in legal actions against the cybercriminals that have been working for them also it might be possible to have the ISP's blacklisted who are allowing their users to perpetrate such acts, that is if the ISP's do not take legal action against these people.
 +
 +====== Usernames, IP, email addresses and pages ======
 +
 +
 +Usernames, IP, email addresses and pages involved in the misuse of my page
 +
 +rashida998 - SPAMMER, misuse of wiki on behalf of http://satellitedirectreviewsy.com/
 +
 +a_testing_posting_about_google
 +
 +effortless_advice_in_school_administration_software_-_some_thoughts
 +
 +<code>
 +
 +------------------------------------------------------------------------------------------------------
 +  antoine335 Clayton Lenihan clerk0bolt@yahoo.co.uk user
 +        User name : antoine335
 +        Full name : Clayton Lenihan
 +        E-mail : clerk0bolt@yahoo.co.uk
 +
 +        Date : 2012/11/04 16:02
 +        Browser :
 +        IP-Address : 78.87.104.208
 +        Hostname : 78-104-208.adsl.cyta.gr
 +------------------------------------------------------------------------------------------------------
 + atrufiar sergio alexandre atrufiar@gmail.com user
 + beulah957 Earnest Coronel silveracoree@gmail.com user
 + boyd967 Deneen Harte john@accordionman.us user
 + chong661 Mammie Willson hS8VDwR0@mailinator.com user
 + christal125 Alva Doggett Crw2WLwU@gmail.com user
 + christal582 Earlean Vandeusen john@accordionman.us user
 + claud773 Dana Willson aD2okF4s@gmail.com user
 + daniell795 Vina Fellows john@accordionman.us user
 + dennis148 Roxann Sadler radikal@mail333.com user
 +------------------------------------------------------------------------------------------------------
 +User name : dennis148
 +Full name : Roxann Sadler
 +E-mail : radikal@mail333.com
 +
 +Date : 2012/11/04 07:28
 +Browser :
 +IP-Address : 212.255.247.249
 +Hostname : 212.255.247.249
 +
 +The following information on the IP was found via tools - it does not prove guilt by association, 
 +it merely shows us potentially where the user came from when the user was made - However it is 
 +possible to spoof IP addresses etc. so further investigation is needed and this might be the address 
 +of an unknowing victim who has had his home system hacked and is unwittingly providing the 
 +SPAMMER/CYBERCRIMINAL with a "safe haven" from which to operate.
 +
 +LOCATION INFORMATION:
 +IP Address   212.255.247.249     Area Code   -
 +Country Code   DE       IDD Code   49
 +Country Name   Germany Germany     Time Zone   +01:00
 +Region           Hessen       ISP   Ecotel Intern - Sba Platforms
 +City           Frankfurt Am Main   Domain   -
 +Connection Type DSL
 +Coordinates   Google Map 50°7'0"  8°40'60"E Weather Station Code   GMXX0040
 +
 +------------------------------------------------------------------------------------------------------
 + edgardo484 Nicky Blyrd john@accordionman.us user
 + elenor656 Dick Borman john@accordioman.us user
 + elvina688 Lovella Diaz ukseopro1@gmail.com user
 + fausto613 Ilana Solorzano d9WBYWTj@gmail.com user
 + felix77 Lavonda Tarbox wiki@bwmovies.com user
 + gabriel689 Kelvin Coffey 3xOa73sN@gmail.com user
 + gina54 Nichol Blackford VilmaWigren22207@hotmail.com user
 + helena436 Celeste Bracken luuknvm@gmail.com user
 +  hobert983 Fidel Foxx john@accordionman.us user
 + idalia456 Winston Harwell arunn.wikirobot@gmail.com user
 + janette647 Nettie Raper tRVdQOTt@gmail.com user
 +------------------------------------------------------------------------------------------------------
 +        jennie271 Candida Chewning SFmknfjM@gmail.com user
 + 
 +        User name : jennie271
 +        Full name : Candida Chewning
 +        E-mail : SFmknfjM@gmail.com
 +
 +        Date : 2012/11/05 02:11
 +        Browser :
 +        IP-Address : 91.198.94.213
 +        Hostname : 91.198.94.213
 +------------------------------------------------------------------------------------------------------
 +
 +        kitty989 Gemma Berg rabindbois@msn.com user
 + loriann753 Nathanial Saunders hS8VDwR0@mailinator.com user
 + luanne468 Tamra Dunne johnsmith15589@hotmail.com user
 + melinda897 Ashley Shoemaker yoMjw4th@gmail.com user
 + nakita42 Anisha Delafuente 9ZhQLWyu@gmail.com user
 +
 +------------------------------------------------------------------------------------------------------
 + ocie183 Esta Stroud kelvin.thomas123@hotmail.com user
 +        User name : ocie183
 +        Full name : Esta Stroud
 +        E-mail : kelvin.thomas123@hotmail.com
 +
 +        Date : 2012/11/05 03:03
 +        Browser :
 +        IP-Address : 123.236.97.93
 +        Hostname : 123.236.97.93
 +------------------------------------------------------------------------------------------------------
 + patricia674 Isabel Simoneaux helmetbonsai1@hotmail.com user
 + peter329 Zora Lohman nowfor3@gmail.com user
 + rashida998 Kaila Vue alexa@accordionman.us user
 + rosella719 Adah Salgado muhamadsatria17@gmail.com user
 + samara98 Hana Scholl LorrianeZackary5@aol.com user
 + sari277 Arletha Lakey americakane53@aol.com user
 + talia389 Elina Lampkin robertcress57nk@gmail.com user
 + zackbyrnes64220 Zack Byrnes ZackByrnes642@live.com user
 +</code>
 +
 +
 +====== Code embedded in links on the following pages ======
 +
 +There is a need to investigate code behind every single link embedded within to figure out precisely what companies are involved so that we can put the method of illegal link farming / blackhat SEO in front of them. 
 +
 +Here is a list of pages that I can see, have been created by rogue users - I will/have created a "copy" of the pages in text form using the **<code>** encapsulation of a copy of the text within the particular page txt file.
 +
 +How to quarantine properly is a matter for discussion. 
 +
 +Pages marked with * are now in **<code>** form
 +
 +<code>
 +01) fabrication_de_pellets_de_bois_din_avec_des_machines_oliotechnology.txt · Last modified: 2012/10/24 12:32 by kitty989 *
 +02) a_testing_posting_about_google.txt · Last modified: 2012/11/01 15:35 by boyd967 *
 +03) convenient_plans_of_school_management_system_-_straightforward_advice.txt · Last modified: 2012/10/13 03:30 by idalia456 *
 +04) hiring_a_wedding_photographer.txt · Last modified: 2012/10/21 15:18 by peter329 *
 +05) kaos_distro.txt · Last modified: 2012/10/23 09:21 by rosella71 *
 +06) list_building_bulletin_want_to_learn_how_to_list_build_easy.txt · Last modified: 2012/10/28 07:25 by helena436 *
 +07) pregnancy_miracle.txt · Last modified: 2012/10/26 14:05 by atrufiar *
 +08) satellite_direct_-_an_honest_review.txt · Last modified: 2012/10/12 13:56 by edgardo484 *
 +09) satellite_direct_-_learn_how_to_get_thousand_of_satellite_programs.txt · Last modified: 2012/10/17 11:57 by rashida998 *
 +10) satellite_direct_-_learn_how_to_get_thousand_of_satellite_programs_on_your_home.txt · Last modified: 2012/10/24 04:47 by christal582 *
 +11) testing_123_lalala.txt · Last modified: 2012/10/12 13:04 by daniell795 *
 +12) the_problem_of_snoring.txt · Last modified: 2012/10/15 13:59 by sari277 *
 +13) what_is_the_most_popular_protein_powder_on_the_market.txt · Last modified: 2012/10/17 17:16 by luanne468 *
 +</code>
 +====== Useful tools for an investigation ======
 +
 +On your webserver go to your pages directory:
 +
 +A simple check would be doing an **ls * > page_overview.txt** to get a text file containing pages in your wiki.
 +
 +This text can then be used to weed out the first anomalies - i.e. pages you know for sure you did not create.
 +
 +The proper way to do it would be checking every single file on your web server system, against a check sum and do a compare between what is supposed to be on your disk (a snapshot of files and checksums) and what is actually there - an alarm needs to "ring if there are unexplainable differences.
 +
 +I would think a script in Linux should be able to do the above if glued together properly.
 +
 +But preferably a framework that does this needs to be found and implemented, or developed and implemented - There you go I said it. now you can't go and patent it! Prior Art :)
 +
 +http://iplocationtools.com - will possibly allow you to possibly unveil information on the IP adresses that have created accounts - sent mail etc. Finding the location of an IP address does not imply that you have the guilty party, it merely gives you an indication of where an IP address comes from. It could be a normal person who unwittingly has been compromised and had his/her system breached, thus providing a safe haven for a SPAMMER/CYBER CRIMINAL 
 +
 +Investigation is meticolous work, however a tool like this can come in useful when investigating things in cyberspace.
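
Review bot: In "Useful tools for an investigation", the command "ls * > page_overview.txt" is run from inside the pages directory, so the listing is written next to the page files themselves; every page named in the list above ends in .txt, and DokuWiki treats a .txt file in that directory as a page, so the overview would become a readable wiki page of its own. Suggest redirecting the output to a path outside the web-served tree and using a recursive listing that includes modification times, so pages in nested subdirectories are covered and the dates can be matched against the "Last modified" entries in the page list. Separately, two identifiers in the evidence lists disagree with each other: "john@accordioman.us" for elenor656 versus "john@accordionman.us" on the other rows, and "rosella71" in page entry 05 versus "rosella719" in the user list; both should be checked against the wiki's user records before the list is passed to an ISP or to law enforcement.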