[geeklog-devel] geeklog wiki overrun with spam bots

Dan Stoner danstoner at gmail.com
Sat Dec 27 08:56:16 EST 2025


Merry Christmas!


The geeklog wiki is back online.

http://wiki.geeklog.net


Here is what I did:


1. restored the db from a backup dated 2025-02-02, which is the most recent
backup before the backup size tripled in size.
2. ran some db SQL commands (courtesy of ChatGPT) to try and manually
disable all logins other than 3 admins (Tom, Dirk, myself).

It's a pain.  The old version of mediawiki does not include many of the
bulk maintenance and user management scripts that are available in newer
versions.

I'm not confident of the blocking mechanism (it actually uses the IP Blocks
table).  There isn't an "account enabled" kind of thing in the mediawiki
database schema.


If the spammers come back, the next option is to repeat the process but
make the wiki Read Only for everyone (by setting a value in
LocalSettings.php). That should at least keep the wiki content online for a
while longer.

If the spammers come back again after that, there is obviously some exploit
happening that can only be solved by upgrading/migrating to a current
version of the software stack, in which case I might have to leave the wiki
offline / disabled.

- Dan Stoner


On Wed, Oct 8, 2025 at 10:32 AM Dan Stoner <danstoner at gmail.com> wrote:

> > For spam pages to be added I assume the bots somehow hacked into the
> > website since a user account was required to update content?
>
> Could be a number of mechanisms...
>
> 1. weak password on an existing account allowed hacker to use an
> existing account (or an existing account was otherwise compromised
> somehow)
> 2. old mediawiki contained a vulnerability that allowed a remote
> privilege escalation / sql injection attack
> 3. old PHP contained a vulnerability, etc.
>
>
> > It looks like the current version is 1.27.5 from 2016? Is this correct? (at
> > least that is what the folder is labeled as)
>
> Yes, that looks like the version.
>
> > Do you know what PHP version etc... you are using on the server to host the
> > Media Wiki?
>
> I was using PHP in Docker:
>
> docker.io/bitnami/php-fpm:5.6
>
> - Dan
>
>
>
>
> On Tue, Oct 7, 2025 at 12:06 AM Tom <websitemaster at cogeco.net> wrote:
> >
> > Hey Dan,
> >
> > Yeah that was a while ago... thanks for hosting for so long.
> >
> > I found the backup folder you mentioned.
> >
> > For spam pages to be added I assume the bots somehow hacked into the
> > website since a user account was required to update content?
> >
> > It has been a long time since I have used Media Wiki and I never have
> > installed or maintained a website that uses it.
> >
> > Looking at the backups the compressed website files didn't really increase
> > in size much but the database sql backup did especially starting in March of
> > 2025.
> >
> > Just looking at the backup
> > wiki.geeklog.net
> > Media Wiki 1.27.5
> > https://www.mediawiki.org/wiki/MediaWiki_1.27
> >
> > It looks like the current version is 1.27.5 from 2016? Is this correct? (at
> > least that is what the folder is labeled as)
> >
> > Do you know what PHP version etc... you are using on the server to host the
> > Media Wiki?
> >
> > BTW for those interested, the latest MediaWiki appears to be 1.44.2.
> >
> > It's too bad we didn't get the Wiki moved over to the Pair server at the
> > time Dan wanted to do it...
> >
> > At this point I am sure it will take a bit of time to upgrade the version
> > and figure out the best way to host it on the Pair server.
> >
> > I hate to not have the wiki up but it's unlikely I will have any time soon to
> > deal with it unless someone else volunteers.
> >
> > Thanks
> >
> > Tom
> >
> >
> >
> >
> >
> >
> > -----Original Message-----
> > From: geeklog-devel <geeklog-devel-bounces at lists.geeklog.net> On Behalf Of
> > Dan Stoner
> > Sent: October 5, 2025 7:04 PM
> > To: Geeklog Development <geeklog-devel at lists.geeklog.net>
> > Subject: [geeklog-devel] geeklog wiki overrun with spam bots
> >
> > I had to stop the PHP webserver for http://wiki.geeklog.net/.
> >
> > It had been overrun by spam bots generating thousands of pages of
> > content and overloading the VPS server.
> >
> > I think it was 2016 that someone on this list mentioned a migration
> > off my VPS server.
> >
> > I have been periodically sending backups over to a Pair server.
> >
> >
> > Any thoughts on what to do with this situation?
> >
> > - Dan Stoner
> >
> >
> > Sample of the spam page titles...
> >
> >
> > page_title
> > ----------
> > AFK_Angel_Knights_Free_Currency_Generator_2025_Real_Working_New_Method
> > AFK_Angel_Knights_Hack_Latest_Version_2025_New_Currency_(Unique)
> > AFK_Arena_Cheats_Unlimited_Diamonds_Gold_IOS_Android_No_Survey_2025_(FREE_METHOD)
> > AFK_Arena_Hack_-_Generator_Android_And_Ios_Running_Method
> > AFK_Dungeon_Idle_Action_RPG_Hack_Tool_Money_Generator_Cheats_(Ios_Android)
> > AFK_Journey_Diamonds_2025_New_Working_Generator_(New_Method!)
> > AFK_Journey_Gold_Generator_IOS_Android_No_Survey_2025_(NEW_STRATEGY)
> > AFK_Magic_TD_Unlimited_Currency_Generator_IOS_Android_No_Survey_2025_(Reedem_Today)
> > AFK_Three_Kingdoms_Hack_Unlimited_Gold_IOS_And_Android_No_Survey_2025_(free!!)
> > ANGELICA_ASTER_Hack_-_Get_Free_ANGELICA_ASTER_Currency_Generator_2025_(Brand_New)
> > ...
> > Zoo_Craft_Cheats_For_Money_Generator_No_Survey_(Unlimited-free)
> > Zoo_Craft_Gold_Coins_2025_for_Android_iOS_(UPDATED_GENERATOR)
> > Zoo_Island_Unlimited_Gold_Coins_Generator_No_Jailbreak_or_Root_(Premium_Orginal)
> > Zoo_Life_Animal_Park_Game_Cheats_Money_IOS_Android_2025_(Money_Strategy)
> > Zoo_Match_Cheats_Coins_Diamonds_IOS_Android_2025_(Coins_Diamonds_Strategy)
> > Zoo_Park_Story_Free_Cash_Points_Generator_Fully_Works_No_Survey_Cheats
> > Zooba_Fun_Battle_Royale_Games_Hack_-_Get_Free_Zooba_Fun_Battle_Royale_Games_Currency_Generator_2025_(Brand_New)
> > Zooba_Fun_Shooting_Battle_2025_Working_(Money_Generator)
> >
> > _______________________________________________
> > geeklog-devel mailing list
> > geeklog-devel at lists.geeklog.net
> > https://pairlist8.pair.net/mailman/listinfo/geeklog-devel
> >
>
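
Added example, not part of the original thread or the wiki's actual configuration: a LocalSettings.php fragment for the read-only fallback mentioned in the 27 Dec message, next to a narrower admins-only lockdown. $wgReadOnly and $wgGroupPermissions are standard MediaWiki settings; the $geeklogWikiLockdown switch, the banner text, and the assumption that the three admin accounts are in the sysop group are hypothetical.

```php
<?php
// Append to the end of LocalSettings.php so it overrides earlier settings.
// $geeklogWikiLockdown is a hypothetical local switch, not a MediaWiki setting.
$geeklogWikiLockdown = 'admins-only';   // 'admins-only' or 'read-only'

// Both modes: anonymous visitors cannot register new accounts, which removes
// the cheapest way for a bot to obtain an account that is allowed to edit.
$wgGroupPermissions['*']['createaccount'] = false;

if ( $geeklogWikiLockdown === 'read-only' ) {
    // Blocks every edit, including edits by admins, and shows this message
    // (constructed text) to anyone who tries to edit.
    $wgReadOnly = 'The wiki is read-only while spam is being cleaned up.';
} else {
    // Write rights that the anonymous ('*') and logged-in ('user') groups
    // hold by default; removing them from both leaves content readable.
    $writeRights = [ 'edit', 'createpage', 'createtalk', 'move', 'upload' ];

    foreach ( [ '*', 'user' ] as $group ) {
        foreach ( $writeRights as $right ) {
            $wgGroupPermissions[$group][$right] = false;
        }
    }

    // Rights are additive across groups, so grant them back to sysop only.
    // Assumption: the three admin accounts are members of the sysop group.
    foreach ( $writeRights as $right ) {
        $wgGroupPermissions['sysop'][$right] = true;
    }
}
```

The admins-only mode does not depend on per-account blocks: an account that is not in the sysop group has no write rights, whether or not a block row exists for it.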