[SAC] CASE1: registered (passing captcha), authenticated and spammed

Sandro Santilli strk at keybit.net
Mon May 9 11:43:27 PDT 2016 

On Mon, May 09, 2016 at 08:25:49PM +0200, Sandro Santilli wrote:
> As I've been watching this going on, this happened today:
> 
>  - 14:44:09 UTC -- user ct7316944 created in LDAP (solving captcha)
>   
>     # ct7316944, People, osgeo.org
>     dn: uid=ct7316944,ou=People,dc=osgeo,dc=org
>     createTimestamp: 20160509144409Z

Adding the ldap_create_user.py side:

  - 14:44:09 UTC -- the user creation form was POSTed

     # NOTE: 07:44:09 is "web" timezone which is PDT
     115.160.250.35 - - [09/May/2016:07:44:09 -0700] "POST /cgi-bin/ldap_create_user.py HTTP/1.1" 200 517 "https://www.osgeo.org/cgi-bin/ldap_create_user.py" "Mozilla/5.0 (Windows NT 6.1; rv:46.0) Gecko/20100101 Firefox/46.0"

Note the IP is the same that will post the spam 3 and an half hours
later (115.160.250.35). It happears in the apache access log for
www.osgeo.org only 7 times, 3 of those are POSTs to the user creation
form and one is even a GET to /osgeo_userid/, even if with a different
user agent.

>  - 18:04:38 UTC -- user ct7316944 authenticated (BIND)
>   
>    # NOTE: 11:04:38 is "secure" timezone which is PDT
>    May  9 11:04:38 secure slapd[6418]: conn=51060 op=2 BIND dn="uid=ct7316944,ou=People,dc=osgeo,dc=org" mech=SIMPLE ssf=0
>   
>  - 18:07:17 UTC -- user ct7316944 created a spam page in ossim
>   
>    # NOTE: 11:07:17 is "tracsvn" timezone which is PDT
>    115.160.250.35 - - [09/May/2016:11:07:17 -0700] "POST /ossim/wiki/NEW%20YORK%20LIVE%2B%E2%88%91%E2%84%A2%2B1877-698-2249%20HP%20PRINTER%20support%20Phone%20Number%20USA%20HP%20PRINTER%20customer%20care%2C%20service%20phone%20number%20*CANADA HTTP/1.1" 303 869
>   
>    trac_ossim=# select author,name from wiki order by time desc limit 1;
>      author   | name
>    -----------+---------------------------------------------------------------------------------------------------------------------------
>     ct7316944 | NEW YORK LIVE+∑™+1877-698-2249 HP PRINTER support Phone Number USA HP PRINTER customer care, service phone number *CANADA
>    (1 row)
> 
> No other writes from this user in any of the trac instances.
> The registered email is: ct7316944 at gmail.com
> The trac spam IP is 115.160.250.35
> 
> The IP was banned between 15:16 and 15:26 UTC due to a failed attempt
> to login in proj4js trac, in what looks like an referer-spam attack
> (sic!):
> 
>  [Mon May 09 08:16:20 2016] [error] [client 115.160.250.35] user 8004392949 not found: /proj4js/login, referer: https://trac.osgeo.org/proj4js/wiki/USA$$U$$******I8447788603%20**********brother%20p.r.i.n.t.e.r%20t.e.c.h%20s.u.p.p.o.r.t%20p.h.o.n.e%20n.u.m.b.e.r%20u.s.a.%20C.a.l.l
> 
> The ban log:
> 
>  2016-05-09 08:16:20,549 fail2ban.actions: WARNING [osgeo-trac-auth] Ban 115.160.250.35
>  2016-05-09 08:26:21,402 fail2ban.actions: WARNING [osgeo-trac-auth] Unban 115.160.250.35
> 
> --strk;

More information about the Sac mailing list