User Tools

Site Tools


rogue_users_creating_pages

Cyber criminals misusing other peoples websites

The following is an overview and a list of people/identities/IP's who are either cyber criminals who have been trying to misuse my websites for SEO SPAMMING purposes and possibly other stuff as well as possibly IP's or people that have been misused as address holders for SPAMMERS and other cyber criminals.

The addresses here could be people who could be innocent and the companies listed may not be aware that SPAMMERS are using such methods to artificially boosting SEO results.

However this is so serious and unfortunately not the first time someone is trying to make it impossible for me to conduct business on the Internet.

The last time something similar happened, instead of finishing coding my free application for people suffering from Aphasia, MS, ALS, Cerebral Palsy and other disabilities, I had to spend my entire holiday otherwise set aside for this cause to clean up in the mess that some cyber criminals had done to my pages.

In an ironic twist of fate now precisely the same thing is happening again when I am attempting to launch a unique fund raiser for a notable cancer charity in the spirit of Movember.

Either way - Please assist me in tracking down the individuals behind these pseudonyms IP's and email addresses and help me in contacting the companies as well and have them take action against those people who have possibly and quite probably fraudlently, sold their SEO boosting services to them, for they are in a way victims as well if they are not in the know of said methods.

Help me in this endeavour, so that we can clean up the web and weed out those that have no purpose other than to leach on the works of others and who actively in doing so thwart efforts aimed, at making the lives of other people better and more enjoyable.

I hope this list will not continue to grow and hope you will assist me in finding out who these people are so we can make it stop.

I will try to be listing the findings of the investigation as I see appropriate.

Measures to take

The first time it happened I was in a state of should I say panic, I removed files - set up temporary index files and meticolously scanned each and every file as the automated backups done by the provider unfortunately were also tainted to a degree that I basically had to start from scratch.

This time around I have tried to block user creation etc. and hopefully tightening security enough on the installation enough to prevent any further privilege escalations.

I am considering abandoning altogether the wiki structure altogether and making my own page generation tool in HTML - but it seems like a very drastic move.

Disable DokuWiki actions:

There are a slew of recommendations from the Dokuwiki team - but here are a couple that were not set by default, probably as it kinda defeats the purpose of the wiki concept as a collaborative tool.

Register - To prevent new users from being created

Update Profile - To prevent the people from changing their details to avoid detection etc.

Contact

Contacted Google: http://support.google.com/mail/bin/request.py?&contact_type=abuse

I am in the discovery process at the moment but during this investigation I will be, where I deem it appropriate be trying to contact companies who have been involved. They are also welcome to contact me.

I will likely be contacting law enforcement agencies in the countries where said pages and users/IP's are registered (block wise) so that they can take action if they deem it is possible and needed.

I will be contacting security specialists and try to list some strategies on how to avoid these kind of problems in the future.

The ISP's behind the IP addresses, the ISP behind the email addresses, as well as the hosting companies behind the companies.

It might be possible to shut the companies down that hire blackhat's to boost their marketing unless they are willing to engage in legal actions against the cybercriminals that have been working for them also it might be possible to have the ISP's blacklisted who are allowing their users to perpetrate such acts, that is if the ISP's do not take legal action against these people.

Usernames, IP, email addresses and pages

Usernames, IP, email addresses and pages involved in the misuse of my page

rashida998 - SPAMMER, misuse of wiki on behalf of http://satellitedirectreviewsy.com/

a_testing_posting_about_google

effortless_advice_in_school_administration_software_-_some_thoughts

------------------------------------------------------------------------------------------------------	
 	antoine335 	Clayton Lenihan	clerk0bolt@yahoo.co.uk	user
        User name : antoine335
        Full name : Clayton Lenihan
        E-mail : clerk0bolt@yahoo.co.uk

        Date : 2012/11/04 16:02
        Browser :
        IP-Address : 78.87.104.208
        Hostname : 78-104-208.adsl.cyta.gr
------------------------------------------------------------------------------------------------------	
	atrufiar 	sergio alexandre	atrufiar@gmail.com	user
	beulah957 	Earnest Coronel	silveracoree@gmail.com	user
	boyd967 	Deneen Harte	john@accordionman.us	user
	chong661 	Mammie Willson	hS8VDwR0@mailinator.com	user
	christal125 	Alva Doggett	Crw2WLwU@gmail.com	user
	christal582 	Earlean Vandeusen	john@accordionman.us	user
	claud773 	Dana Willson	aD2okF4s@gmail.com	user
	daniell795 	Vina Fellows	john@accordionman.us	user
	dennis148 	Roxann Sadler	radikal@mail333.com	user
------------------------------------------------------------------------------------------------------	
User name : dennis148
Full name : Roxann Sadler
E-mail : radikal@mail333.com

Date : 2012/11/04 07:28
Browser :
IP-Address : 212.255.247.249
Hostname : 212.255.247.249

The following information on the IP was found via tools - it does not prove guilt by association, 
it merely shows us potentially where the user came from when the user was made - However it is 
possible to spoof IP addresses etc. so further investigation is needed and this might be the address 
of an unknowing victim who has had his home system hacked and is unwittingly providing the 
SPAMMER/CYBERCRIMINAL with a "safe haven" from which to operate.

LOCATION INFORMATION:
IP Address 	  	212.255.247.249     Area Code 	  	-
Country Code 	  	DE 	  	    IDD Code 	  	49
Country Name 	  	Germany Germany     Time Zone 	  	+01:00
Region 	  	        Hessen 	  	    ISP 	  	Ecotel Intern - Sba Platforms
City 	  	        Frankfurt Am Main   Domain 	  	-
Connection Type 	DSL
Coordinates 	  	Google Map 50°7'0"N   8°40'60"E 	Weather Station Code 	  	GMXX0040

------------------------------------------------------------------------------------------------------	
	edgardo484 	Nicky Blyrd	john@accordionman.us	user
	elenor656 	Dick Borman	john@accordioman.us	user
	elvina688 	Lovella Diaz	ukseopro1@gmail.com	user
	fausto613 	Ilana Solorzano	d9WBYWTj@gmail.com	user
	felix77 	Lavonda Tarbox	wiki@bwmovies.com	user
	gabriel689 	Kelvin Coffey	3xOa73sN@gmail.com	user
	gina54 	Nichol Blackford	VilmaWigren22207@hotmail.com	user
	helena436 	Celeste Bracken	luuknvm@gmail.com	user
 	hobert983 	Fidel Foxx	john@accordionman.us	user
	idalia456 	Winston Harwell	arunn.wikirobot@gmail.com	user
	janette647 	Nettie Raper	tRVdQOTt@gmail.com	user
------------------------------------------------------------------------------------------------------	
        jennie271 	Candida Chewning	SFmknfjM@gmail.com	user
 	
        User name : jennie271
        Full name : Candida Chewning
        E-mail : SFmknfjM@gmail.com

        Date : 2012/11/05 02:11
        Browser :
        IP-Address : 91.198.94.213
        Hostname : 91.198.94.213
------------------------------------------------------------------------------------------------------

        kitty989 	Gemma Berg	rabindbois@msn.com	user
	loriann753 	Nathanial Saunders	hS8VDwR0@mailinator.com	user
	luanne468 	Tamra Dunne	johnsmith15589@hotmail.com	user
	melinda897 	Ashley Shoemaker	yoMjw4th@gmail.com	user
	nakita42 	Anisha Delafuente	9ZhQLWyu@gmail.com	user

------------------------------------------------------------------------------------------------------
	ocie183 	Esta Stroud	kelvin.thomas123@hotmail.com	user
        User name : ocie183
        Full name : Esta Stroud
        E-mail : kelvin.thomas123@hotmail.com

        Date : 2012/11/05 03:03
        Browser :
        IP-Address : 123.236.97.93
        Hostname : 123.236.97.93
------------------------------------------------------------------------------------------------------
	patricia674 	Isabel Simoneaux	helmetbonsai1@hotmail.com	user
	peter329 	Zora Lohman	nowfor3@gmail.com	user
	rashida998 	Kaila Vue	alexa@accordionman.us	user
	rosella719 	Adah Salgado	muhamadsatria17@gmail.com	user
	samara98 	Hana Scholl	LorrianeZackary5@aol.com	user
	sari277 	Arletha Lakey	americakane53@aol.com	user
	talia389 	Elina Lampkin	robertcress57nk@gmail.com	user
	zackbyrnes64220 	Zack Byrnes	ZackByrnes642@live.com	user

Code embedded in links on the following pages

There is a need to investigate code behind every single link embedded within to figure out precisely what companies are involved so that we can put the method of illegal link farming / blackhat SEO in front of them.

Here is a list of pages that I can see, have been created by rogue users - I will/have created a “copy” of the pages in text form using the <code> encapsulation of a copy of the text within the particular page txt file.

How to quarantine properly is a matter for discussion.

Pages marked with * are now in <code> form

01) fabrication_de_pellets_de_bois_din_avec_des_machines_oliotechnology.txt · Last modified: 2012/10/24 12:32 by kitty989 *
02) a_testing_posting_about_google.txt · Last modified: 2012/11/01 15:35 by boyd967 *
03) convenient_plans_of_school_management_system_-_straightforward_advice.txt · Last modified: 2012/10/13 03:30 by idalia456 *
04) hiring_a_wedding_photographer.txt · Last modified: 2012/10/21 15:18 by peter329 *
05) kaos_distro.txt · Last modified: 2012/10/23 09:21 by rosella71 *
06) list_building_bulletin_want_to_learn_how_to_list_build_easy.txt · Last modified: 2012/10/28 07:25 by helena436 *
07) pregnancy_miracle.txt · Last modified: 2012/10/26 14:05 by atrufiar *
08) satellite_direct_-_an_honest_review.txt · Last modified: 2012/10/12 13:56 by edgardo484 *
09) satellite_direct_-_learn_how_to_get_thousand_of_satellite_programs.txt · Last modified: 2012/10/17 11:57 by rashida998 *
10) satellite_direct_-_learn_how_to_get_thousand_of_satellite_programs_on_your_home.txt · Last modified: 2012/10/24 04:47 by christal582 *
11) testing_123_lalala.txt · Last modified: 2012/10/12 13:04 by daniell795 *
12) the_problem_of_snoring.txt · Last modified: 2012/10/15 13:59 by sari277 *
13) what_is_the_most_popular_protein_powder_on_the_market.txt · Last modified: 2012/10/17 17:16 by luanne468 *

Useful tools for an investigation

On your webserver go to your pages directory:

A simple check would be doing an ls * > page_overview.txt to get a text file containing pages in your wiki.

This text can then be used to weed out the first anomalies - i.e. pages you know for sure you did not create.

The proper way to do it would be checking every single file on your web server system, against a check sum and do a compare between what is supposed to be on your disk (a snapshot of files and checksums) and what is actually there - an alarm needs to “ring if there are unexplainable differences.

I would think a script in Linux should be able to do the above if glued together properly.

But preferably a framework that does this needs to be found and implemented, or developed and implemented - There you go I said it. now you can't go and patent it! Prior Art :)

http://iplocationtools.com - will possibly allow you to possibly unveil information on the IP adresses that have created accounts - sent mail etc. Finding the location of an IP address does not imply that you have the guilty party, it merely gives you an indication of where an IP address comes from. It could be a normal person who unwittingly has been compromised and had his/her system breached, thus providing a safe haven for a SPAMMER/CYBER CRIMINAL

Investigation is meticolous work, however a tool like this can come in useful when investigating things in cyberspace.

rogue_users_creating_pages.txt · Last modified: 2015/04/10 07:32 (external edit)