Notes about what to do about vandals that vandalize ("hack") a site
Sometimes people vandalize a site (they think they are "hacking" it)... this page is for adding notes about the issue, and possible countermeasures.
Here's a good description of the situation (from Crisses to Christian):
- Hacking an open-edit wiki is a non-event, so I don't see why crackers would bother....it's not like they had to take it over with a password or something. One claimed the site was now taken over by them and they owned it, but that hasn't happened again by that person since. They're just having their version of fun and self-promotion...and seriously need a dollar to buy either a clue or a life.
Message from Christian to user's list:
- Twice the site I was working with has been "attacked", i.e. some bozo modified a page and put a rant on it (against the US). Has anyone else experienced this?
I am not sure if it's a person that's done it by hand, or if it's a script (although I would have expected many more pages then). [snip]
Tip: If you are worried that other pages have been hacked, try searching your site for words that appeared in the "hacked" page. The vandals are often nice and "sign" their work (e.g. "HACKED BY...", so that's quite easy).
Note: When I created this page, PmWiki/InterMap and PmWiki/PageRevisions had been "hacked" by someone adding a signature at the bottom. Here's a command for searching for the text hacked by: ThisPage:?action=search&text=%22hacked+by%22 /Christian
One suggestion (from Pedro) is to try and log the IP of the offender and then ban that. He gave me a tip on how to log the IP of edits in RecentChanges.
Add the following to your
config.php and RecentChanges will include the IP address of the edit, as well as a direct link to each history page:
$RemoteAddr = $_SERVER["REMOTE_ADDR"]; $RecentChanges = array( 'Main.AllRecentChanges'=>'* $Group.$Tlink [[ThisWiki:$Group.$Tlink?action=diff (diff)]] . . . $CurrentTime by $AuthorLink ($RemoteAddr)', '$Group.RecentChanges'=>'* $Group/$Tlink [[ThisWiki:$Group.$Tlink?action=diff (diff)]]. . . $CurrentTime by $AuthorLink ($RemoteAddr)');
Tip (from e-mail Christian got by Crisses): The worst hack they suffered was when someone linked in an external picture. Their solution is to have the wiki notify you when pages change (only good for slow sites), and look at what happens:
- Since I have my wiki set to notify me when there's changes to pages, and my site changes pretty slowly, I am able to personally glance at anything new (I go to the "All Recent Pages" for the whole site, select the ones since I last looked, and if the changes aren't obvious, I check the page revisions for the latest alterations to the page). This has been working for me. Hacks remain posted for, at most, a few hours...i generally check my email frequently. The most disturbing hack was the one with the picture. I suggest that people enable the email notifications to at least one person for their site, or perhaps to the head person of each area, so that these things will be spotted relatively swiftly. Most of the time my site isn't messed with, so I haven't made the entire site password protected.
Please list hacks you've seen (without including their links) and information so that it's easier to spot them:
- One of the most subtle hacks I've seen is a link which appears as a linked underscore _ character in the text. This one was part of a schlew of "rape porn" links on my website. Searching on "rape porn" will find pages where both words occur which is helpful, or one can regex something to search for the text occurring at once. The linked underscore was found by a normal search for occurances of both words: the words were each contained separately in the outside link. -- Crisses
- In the picture hack mentioned above, the picture was on an outside site: the way that PmWiki works for pictures is that it automatically displays pictures from other servers/sites as if it owns them. Maybe there's a way to disable this? -- Crisses
- do you want it to disable all pictures, or just pictures that come from non-approved sites? --Pm
- This isn't really a hack, but if an author is set when posting, the IP address isn't shown for that edit in the Page History view. It's still shown in RecentChanges, but that's still kind of annoying. --Ari
- Someone posted [[http://www.zw88.com/$somefile .]], where $somefile is sms, paopaotang.htm etc., throughout http://www.pmwiki.org. Because the link is only a point it's quite hard to spot. I deleted those that I found via Main.SearchWiki. --thom
- Last two or three days I suffered so badly from a spammer (1 or 2 times a day and anoyingly he preffered groupheaders and sidebars which messed up the whole layout) that I've decided to write the BlackList extension to reject changes that include one of his links. If you want to know which ones, download the blacklist.zip file which includes them all, plus the asian characters he used to describe them. He wasn't hard to spot at all - he posted all the 40 links in one piece. --zet
- I get more and more attacks of spam-bots. They change many sites to chinese language spam. Also i get an bot that posts a lot of medicine links.
It could be easely prevented by putting in an image and force the editor to type numbers and chars from that image in order to send the edit. Just like so many sites do it. This would be solving a lot of problems. Anyone can tell me how to do so ? Ryo
PmWiki.Security lists the different tools an administrator can use to protect the wiki against vandalism.
- RestrictingEdits -- If you repeatedly have an IP or two causing trouble on your wiki, you could block them, or allow only edits from within your organization.
from IP: 22.214.171.124 ip should be disabled by default for security reasons