[SAC] CASE1: registered (passing captcha), authenticated and spammed

Sandro Santilli strk at keybit.net
Mon May 9 11:25:49 PDT 2016


As I've been watching this going on, this happened today:

 - 14:44:09 UTC -- user ct7316944 created in LDAP (solving captcha)
  
    # ct7316944, People, osgeo.org
    dn: uid=ct7316944,ou=People,dc=osgeo,dc=org
    createTimestamp: 20160509144409Z
  
 - 18:04:38 UTC -- user ct7316944 authenticated (BIND)
  
   # NOTE: 11:04:38 is in the "secure" host's timezone, which is PDT
   May  9 11:04:38 secure slapd[6418]: conn=51060 op=2 BIND dn="uid=ct7316944,ou=People,dc=osgeo,dc=org" mech=SIMPLE ssf=0
  
 - 18:07:17 UTC -- user ct7316944 created a spam page in ossim
  
   # NOTE: 11:07:17 is in the "tracsvn" host's timezone, which is PDT
   115.160.250.35 - - [09/May/2016:11:07:17 -0700] "POST /ossim/wiki/NEW%20YORK%20LIVE%2B%E2%88%91%E2%84%A2%2B1877-698-2249%20HP%20PRINTER%20support%20Phone%20Number%20USA%20HP%20PRINTER%20customer%20care%2C%20service%20phone%20number%20*CANADA HTTP/1.1" 303 869
  
   trac_ossim=# select author,name from wiki order by time desc limit 1;
     author   | name
   -----------+---------------------------------------------------------------------------------------------------------------------------
    ct7316944 | NEW YORK LIVE+∑™+1877-698-2249 HP PRINTER support Phone Number USA HP PRINTER customer care, service phone number *CANADA
   (1 row)

No other writes from this user in any of the trac instances.
The registered email is: ct7316944 at gmail.com
The trac spam IP is 115.160.250.35

The IP was banned between 15:16 and 15:26 UTC due to a failed attempt
to log in to proj4js trac, in what looks like a referer-spam attack
(sic!):

 [Mon May 09 08:16:20 2016] [error] [client 115.160.250.35] user 8004392949 not found: /proj4js/login, referer: https://trac.osgeo.org/proj4js/wiki/USA$$U$$******I8447788603%20**********brother%20p.r.i.n.t.e.r%20t.e.c.h%20s.u.p.p.o.r.t%20p.h.o.n.e%20n.u.m.b.e.r%20u.s.a.%20C.a.l.l

The ban log:

 2016-05-09 08:16:20,549 fail2ban.actions: WARNING [osgeo-trac-auth] Ban 115.160.250.35
 2016-05-09 08:26:21,402 fail2ban.actions: WARNING [osgeo-trac-auth] Unban 115.160.250.35

--strk;
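As an added example (not part of strk's post), the correlation done above by hand, in code: each log source is parsed with its own clock, normalised to UTC, and the spam POST is checked against the fail2ban window for its source IP. Assumptions: the hosts and fail2ban log in PDT as the post notes; the sample lines are constructed after the quoted ones (trac path shortened) and the function names are mine.

```python
import re
from datetime import datetime, timedelta, timezone
# Assumed per the post: hosts and fail2ban log in PDT (UTC-7); sample lines below are constructed.
PDT, UTC = timezone(timedelta(hours=-7)), timezone.utc
LDAP_ENTRY = "dn: uid=ct7316944,ou=People,dc=osgeo,dc=org\ncreateTimestamp: 20160509144409Z"
SLAPD_BIND = ('May  9 11:04:38 secure slapd[6418]: conn=51060 op=2 BIND '
              'dn="uid=ct7316944,ou=People,dc=osgeo,dc=org" mech=SIMPLE ssf=0')
TRAC_POST = ('115.160.250.35 - - [09/May/2016:11:07:17 -0700] '
             '"POST /ossim/wiki/NEW%20YORK%20LIVE HTTP/1.1" 303 869')
FAIL2BAN = ["2016-05-09 08:16:20,549 fail2ban.actions: WARNING [osgeo-trac-auth] Ban 115.160.250.35",
            "2016-05-09 08:26:21,402 fail2ban.actions: WARNING [osgeo-trac-auth] Unban 115.160.250.35"]

def ldap_created(entry):  # -> (uid, UTC datetime); createTimestamp is already Zulu
    uid = re.search(r"^dn: uid=([^,]+)", entry, re.M)[1]
    ts = re.search(r"^createTimestamp: (\d{14})Z", entry, re.M)[1]
    return uid, datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=UTC)

def slapd_bind(line, year):  # -> (uid, UTC datetime); syslog stamps omit the year
    m = re.match(r'(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) .*BIND dn="uid=([^,]+)', line)
    local = datetime.strptime(f"{year} {m[1]} {m[2]} {m[3]}", "%Y %b %d %H:%M:%S")
    return m[4], local.replace(tzinfo=PDT).astimezone(UTC)

def trac_post(line):  # -> (ip, UTC datetime, path); Apache lines carry their UTC offset
    m = re.match(r'(\S+) \S+ \S+ \[([^\]]+)\] "POST (\S+)', line)
    return m[1], datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z").astimezone(UTC), m[3]

def ban_windows(lines):  # -> [(start, end, ip)] in UTC, pairing each Ban with its Unban
    open_bans, windows = {}, []
    for line in lines:
        m = re.match(r"(\S+ \S+),\d+ .* (Ban|Unban) (\S+)", line)
        when = datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S").replace(tzinfo=PDT).astimezone(UTC)
        if m[2] == "Ban":
            open_bans[m[3]] = when
        else:
            windows.append((open_bans.pop(m[3]), when, m[3]))
    return windows

def timeline():  # every event for the account and IP, sorted on one UTC clock
    uid, created = ldap_created(LDAP_ENTRY)
    buid, bound = slapd_bind(SLAPD_BIND, 2016)
    ip, posted, path = trac_post(TRAC_POST)
    events = [(created, f"ldap-create {uid}"), (bound, f"bind {buid}"), (posted, f"post {ip} {path}")]
    for start, end, bip in ban_windows(FAIL2BAN):
        events += [(start, f"ban {bip}"), (end, f"unban {bip}")]
    return sorted(events)

def posted_while_banned():  # did the spam POST land inside a ban window for its IP?
    ip, posted, _ = trac_post(TRAC_POST)
    return any(s <= posted <= e for s, e, bip in ban_windows(FAIL2BAN) if bip == ip)
```

The sorted timeline shows the ten-minute ban expiring almost three hours before the authenticated POST, which is why the ban alone could not have stopped it.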

