<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:11.0pt;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=EN-CA link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'>Thanks Dan,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'>I appreciate the work you did getting the wiki back online.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'>Tom<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'> geeklog-devel <geeklog-devel-bounces@lists.geeklog.net> <b>On Behalf Of </b>Dan Stoner<br><b>Sent:</b> December 27, 2025 8:56 AM<br><b>To:</b> Geeklog Development <geeklog-devel@lists.geeklog.net><br><b>Subject:</b> Re: [geeklog-devel] geeklog wiki overrun with spam bots<o:p></o:p></span></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>Merry Christmas!<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The geeklog wiki is back online.<br><br><a href="http://wiki.geeklog.net">http://wiki.geeklog.net</a><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'>Here is what I did:<br><br><o:p></o:p></p></div><div><p class=MsoNormal>1. restored the db from a backup dated 2025-02-02, which is the most recent backup before the backup size tripled in size.<o:p></o:p></p></div><div><p class=MsoNormal>2. ran some db SQL commands (courtesy of ChatGPT) to try and manually disable all logins other than 3 admins (Tom, Dirk, myself).<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>It's a pain. The old version of mediawiki does not include many of the bulk maintenance and user management scripts that are available in newer versions.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I'm not confident of the blocking mechanism (it actually uses the IP Blocks table). There isn't an "account enabled" kind of thing in the mediawiki database schema.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>If the spammers come back, the next option is to repeat the process but make the wiki Read Only for everyone (by setting a value in LocalSettings.php). That should at least keep the wiki content online for a while longer.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>If the spammers come back again after that, there is obviously some exploit happening that can only be solved by upgrading/migrating to a current version of the software stack, in which case I might have to leave the wiki offline / disabled.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>- Dan Stoner<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Wed, Oct 8, 2025 at 10:32<span style='font-family:"Arial",sans-serif'> </span>AM Dan Stoner <<a href="mailto:danstoner@gmail.com">danstoner@gmail.com</a>> wrote:<o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><p class=MsoNormal>> For spam pages to be added I assume the bots some how hacked into the<br>> website since a user account was required to update content?<br><br>Could be a number of mechanisms...<br><br>1. weak password on an existing account allowed hacker to use an<br>existing account (or an existing account was otherwise compromised<br>somehow)<br>2. old mediawiki contained a vulnerability that allowed a remote<br>privilege escalation / sql injection attack<br>3. old PHP contained a vulnerability, etc.<br><br><br>> It looks like the current version is 1.27.5 from 2016? Is this correct? (at<br>> least that is what the folder is labeled as)<br><br>Yes, that looks like the version.<br><br>> Do you know what PHP version etc... you are using on the server to host the<br>> Media Wiki?<br><br>I was using PHP in Docker:<br><br><a href="http://docker.io/bitnami/php-fpm:5.6" target="_blank">docker.io/bitnami/php-fpm:5.6</a><br><br>- Dan<br><br><br><br><br>On Tue, Oct 7, 2025 at 12:06<span style='font-family:"Arial",sans-serif'> </span>AM Tom <<a href="mailto:websitemaster@cogeco.net" target="_blank">websitemaster@cogeco.net</a>> wrote:<br>><br>> Hey Dan,<br>><br>> Yeah that was a while ago... thanks for hosting for so long.<br>><br>> I found the backup folder you mentioned.<br>><br>> For spam pages to be added I assume the bots some how hacked into the<br>> website since a user account was required to update content?<br>><br>> It has been a long time since I have used Media Wiki and I never have<br>> installed or maintained a website that uses it.<br>><br>> Looking at the backups the compressed website files didn't really increase<br>> in size much but the database sql backup did especially starting in March of<br>> 2025.<br>><br>> Just looking at the backup<br>> <a href="http://wiki.geeklog.net" target="_blank">wiki.geeklog.net</a><br>> Media Wiki 1.27.5<br>> <a href="https://www.mediawiki.org/wiki/MediaWiki_1.27" target="_blank">https://www.mediawiki.org/wiki/MediaWiki_1.27</a><br>><br>> It looks like the current version is 1.27.5 from 2016? Is this correct? (at<br>> least that is what the folder is labeled as)<br>><br>> Do you know what PHP version etc... you are using on the server to host the<br>> Media Wiki?<br>><br>> BTW for those interested, the latest MediaWiki appears to be 1.44.2.<br>><br>> It's too bad we didn't get the Wiki moved over to the Pair server at the<br>> time Dan wanted to do it...<br>><br>> At this point I am sure it will take a bit of time to upgrade the version<br>> and figure out the best way to host it on the Pair server.<br>><br>> I hate to not have the wiki up but it's unlikely I will have anytime soon to<br>> deal with it unless someone else volunteers.<br>><br>> Thanks<br>><br>> Tom<br>><br>><br>><br>><br>><br>><br>> -----Original Message-----<br>> From: geeklog-devel <<a href="mailto:geeklog-devel-bounces@lists.geeklog.net" target="_blank">geeklog-devel-bounces@lists.geeklog.net</a>> On Behalf Of<br>> Dan Stoner<br>> Sent: October 5, 2025 7:04 PM<br>> To: Geeklog Development <<a href="mailto:geeklog-devel@lists.geeklog.net" target="_blank">geeklog-devel@lists.geeklog.net</a>><br>> Subject: [geeklog-devel] geeklog wiki overrun with spam bots<br>><br>> I had to stop the PHP webserver for <a href="http://wiki.geeklog.net/" target="_blank">http://wiki.geeklog.net/</a>.<br>><br>> It had been overrun by spam bots generating thousands of pages of<br>> content and overloading the VPS server.<br>><br>> I think it was 2016 that someone on this list mentioned a migration<br>> off my VPS server.<br>><br>> I have been periodically sending backups over to a Pair server.<br>><br>><br>> Any thoughts on what to do with this situation?<br>><br>> - Dan Stoner<br>><br>><br>> Sample of the spam page titles...<br>><br>> +---------------------------------------------------------------------------<br>> ------------------------------------------------------------+<br>> | page_title<br>> |<br>> +---------------------------------------------------------------------------<br>> ------------------------------------------------------------+<br>> | AFK_Angel_Knights_Free_Currency_Generator_2025_Real_Working_New_Method<br>> |<br>> | AFK_Angel_Knights_Hack_Latest_Version_2025_New_Currency_(Unique)<br>> |<br>> |<br>> AFK_Arena_Cheats_Unlimited_Diamonds_Gold_IOS_Android_No_Survey_2025_(FREE_ME<br>> THOD)<br>> |<br>> | AFK_Arena_Hack_-_Generator_Android_And_Ios_Running_Method<br>> |<br>> | AFK_Dungeon_Idle_Action_RPG_Hack_Tool_Money_Generator_Cheats_(Ios_Android)<br>> |<br>> | AFK_Journey_Diamonds_2025_New_Working_Generator_(New_Method!)<br>> |<br>> | AFK_Journey_Gold_Generator_IOS_Android_No_Survey_2025_(NEW_STRATEGY)<br>> |<br>> |<br>> AFK_Magic_TD_Unlimited_Currency_Generator_IOS_Android_No_Survey_2025_(Reedem<br>> _Today)<br>> |<br>> |<br>> AFK_Three_Kingdoms_Hack_Unlimited_Gold_IOS_And_Android_No_Survey_2025_(free!<br>> !)<br>> |<br>> |<br>> ANGELICA_ASTER_Hack_-_Get_Free_ANGELICA_ASTER_Currency_Generator_2025_(Brand<br>> _New)<br>> |<br>> ...<br>><br>> |<br>> | Zoo_Craft_Cheats_For_Money_Generator_No_Survey_(Unlimited-free)<br>><br>> |<br>> | Zoo_Craft_Gold_Coins_2025_for_Android_iOS_(UPDATED_GENERATOR)<br>><br>> |<br>> |<br>> Zoo_Island_Unlimited_Gold_Coins_Generator_No_Jailbreak_or_Root_(Premium_Orgi<br>> nal)<br>><br>> |<br>> | Zoo_Life_Animal_Park_Game_Cheats_Money_IOS_Android_2025_(Money_Strategy)<br>><br>> |<br>> | Zoo_Match_Cheats_Coins_Diamonds_IOS_Android_2025_(Coins_Diamonds_Strategy)<br>><br>> |<br>> | Zoo_Park_Story_Free_Cash_Points_Generator_Fully_Works_No_Survey_Cheats<br>><br>> |<br>> |<br>> Zooba_Fun_Battle_Royale_Games_Hack_-_Get_Free_Zooba_Fun_Battle_Royale_Games_<br>> Currency_Generator_2025_(Brand_New)<br>> |<br>> | Zooba_Fun_Shooting_Battle_2025_Working_(Money_Generator)<br>><br>> |<br>> _______________________________________________<br>> geeklog-devel mailing list<br>> <a href="mailto:geeklog-devel@lists.geeklog.net" target="_blank">geeklog-devel@lists.geeklog.net</a><br>> <a href="https://pairlist8.pair.net/mailman/listinfo/geeklog-devel" target="_blank">https://pairlist8.pair.net/mailman/listinfo/geeklog-devel</a><br>><br>><br>> _______________________________________________<br>> geeklog-devel mailing list<br>> <a href="mailto:geeklog-devel@lists.geeklog.net" target="_blank">geeklog-devel@lists.geeklog.net</a><br>> <a href="https://pairlist8.pair.net/mailman/listinfo/geeklog-devel" target="_blank">https://pairlist8.pair.net/mailman/listinfo/geeklog-devel</a><o:p></o:p></p></blockquote></div></div></body></html>