[geeklog-devel] geeklog wiki overrun with spam bots
Tom
websitemaster at cogeco.net
Mon Dec 29 09:38:10 EST 2025
Thanks Dan,
I appreciate the work you did getting the wiki back online.
Tom
From: geeklog-devel <geeklog-devel-bounces at lists.geeklog.net> On Behalf Of Dan Stoner
Sent: December 27, 2025 8:56 AM
To: Geeklog Development <geeklog-devel at lists.geeklog.net>
Subject: Re: [geeklog-devel] geeklog wiki overrun with spam bots
Merry Christmas!
The geeklog wiki is back online.
http://wiki.geeklog.net
Here is what I did:
1. restored the db from a backup dated 2025-02-02, which is the most recent backup before the backup size tripled in size.
2. ran some db SQL commands (courtesy of ChatGPT) to try and manually disable all logins other than 3 admins (Tom, Dirk, myself).
It's a pain. The old version of mediawiki does not include many of the bulk maintenance and user management scripts that are available in newer versions.
I'm not confident of the blocking mechanism (it actually uses the IP Blocks table). There isn't an "account enabled" kind of thing in the mediawiki database schema.
If the spammers come back, the next option is to repeat the process but make the wiki Read Only for everyone (by setting a value in LocalSettings.php). That should at least keep the wiki content online for a while longer.
If the spammers come back again after that, there is obviously some exploit happening that can only be solved by upgrading/migrating to a current version of the software stack, in which case I might have to leave the wiki offline / disabled.
- Dan Stoner
On Wed, Oct 8, 2025 at 10:32 AM Dan Stoner <danstoner at gmail.com <mailto:danstoner at gmail.com> > wrote:
> For spam pages to be added I assume the bots some how hacked into the
> website since a user account was required to update content?
Could be a number of mechanisms...
1. weak password on an existing account allowed hacker to use an
existing account (or an existing account was otherwise compromised
somehow)
2. old mediawiki contained a vulnerability that allowed a remote
privilege escalation / sql injection attack
3. old PHP contained a vulnerability, etc.
> It looks like the current version is 1.27.5 from 2016? Is this correct? (at
> least that is what the folder is labeled as)
Yes, that looks like the version.
> Do you know what PHP version etc... you are using on the server to host the
> Media Wiki?
I was using PHP in Docker:
docker.io/bitnami/php-fpm:5.6 <http://docker.io/bitnami/php-fpm:5.6>
- Dan
On Tue, Oct 7, 2025 at 12:06 AM Tom <websitemaster at cogeco.net <mailto:websitemaster at cogeco.net> > wrote:
>
> Hey Dan,
>
> Yeah that was a while ago... thanks for hosting for so long.
>
> I found the backup folder you mentioned.
>
> For spam pages to be added I assume the bots some how hacked into the
> website since a user account was required to update content?
>
> It has been a long time since I have used Media Wiki and I never have
> installed or maintained a website that uses it.
>
> Looking at the backups the compressed website files didn't really increase
> in size much but the database sql backup did especially starting in March of
> 2025.
>
> Just looking at the backup
> wiki.geeklog.net <http://wiki.geeklog.net>
> Media Wiki 1.27.5
> https://www.mediawiki.org/wiki/MediaWiki_1.27
>
> It looks like the current version is 1.27.5 from 2016? Is this correct? (at
> least that is what the folder is labeled as)
>
> Do you know what PHP version etc... you are using on the server to host the
> Media Wiki?
>
> BTW for those interested, the latest MediaWiki appears to be 1.44.2.
>
> It's too bad we didn't get the Wiki moved over to the Pair server at the
> time Dan wanted to do it...
>
> At this point I am sure it will take a bit of time to upgrade the version
> and figure out the best way to host it on the Pair server.
>
> I hate to not have the wiki up but it's unlikely I will have anytime soon to
> deal with it unless someone else volunteers.
>
> Thanks
>
> Tom
>
>
>
>
>
>
> -----Original Message-----
> From: geeklog-devel <geeklog-devel-bounces at lists.geeklog.net <mailto:geeklog-devel-bounces at lists.geeklog.net> > On Behalf Of
> Dan Stoner
> Sent: October 5, 2025 7:04 PM
> To: Geeklog Development <geeklog-devel at lists.geeklog.net <mailto:geeklog-devel at lists.geeklog.net> >
> Subject: [geeklog-devel] geeklog wiki overrun with spam bots
>
> I had to stop the PHP webserver for http://wiki.geeklog.net/.
>
> It had been overrun by spam bots generating thousands of pages of
> content and overloading the VPS server.
>
> I think it was 2016 that someone on this list mentioned a migration
> off my VPS server.
>
> I have been periodically sending backups over to a Pair server.
>
>
> Any thoughts on what to do with this situation?
>
> - Dan Stoner
>
>
> Sample of the spam page titles...
>
> +---------------------------------------------------------------------------
> ------------------------------------------------------------+
> | page_title
> |
> +---------------------------------------------------------------------------
> ------------------------------------------------------------+
> | AFK_Angel_Knights_Free_Currency_Generator_2025_Real_Working_New_Method
> |
> | AFK_Angel_Knights_Hack_Latest_Version_2025_New_Currency_(Unique)
> |
> |
> AFK_Arena_Cheats_Unlimited_Diamonds_Gold_IOS_Android_No_Survey_2025_(FREE_ME
> THOD)
> |
> | AFK_Arena_Hack_-_Generator_Android_And_Ios_Running_Method
> |
> | AFK_Dungeon_Idle_Action_RPG_Hack_Tool_Money_Generator_Cheats_(Ios_Android)
> |
> | AFK_Journey_Diamonds_2025_New_Working_Generator_(New_Method!)
> |
> | AFK_Journey_Gold_Generator_IOS_Android_No_Survey_2025_(NEW_STRATEGY)
> |
> |
> AFK_Magic_TD_Unlimited_Currency_Generator_IOS_Android_No_Survey_2025_(Reedem
> _Today)
> |
> |
> AFK_Three_Kingdoms_Hack_Unlimited_Gold_IOS_And_Android_No_Survey_2025_(free!
> !)
> |
> |
> ANGELICA_ASTER_Hack_-_Get_Free_ANGELICA_ASTER_Currency_Generator_2025_(Brand
> _New)
> |
> ...
>
> |
> | Zoo_Craft_Cheats_For_Money_Generator_No_Survey_(Unlimited-free)
>
> |
> | Zoo_Craft_Gold_Coins_2025_for_Android_iOS_(UPDATED_GENERATOR)
>
> |
> |
> Zoo_Island_Unlimited_Gold_Coins_Generator_No_Jailbreak_or_Root_(Premium_Orgi
> nal)
>
> |
> | Zoo_Life_Animal_Park_Game_Cheats_Money_IOS_Android_2025_(Money_Strategy)
>
> |
> | Zoo_Match_Cheats_Coins_Diamonds_IOS_Android_2025_(Coins_Diamonds_Strategy)
>
> |
> | Zoo_Park_Story_Free_Cash_Points_Generator_Fully_Works_No_Survey_Cheats
>
> |
> |
> Zooba_Fun_Battle_Royale_Games_Hack_-_Get_Free_Zooba_Fun_Battle_Royale_Games_
> Currency_Generator_2025_(Brand_New)
> |
> | Zooba_Fun_Shooting_Battle_2025_Working_(Money_Generator)
>
> |
> _______________________________________________
> geeklog-devel mailing list
> geeklog-devel at lists.geeklog.net <mailto:geeklog-devel at lists.geeklog.net>
> https://pairlist8.pair.net/mailman/listinfo/geeklog-devel
>
>
> _______________________________________________
> geeklog-devel mailing list
> geeklog-devel at lists.geeklog.net <mailto:geeklog-devel at lists.geeklog.net>
> https://pairlist8.pair.net/mailman/listinfo/geeklog-devel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist8.pair.net/pipermail/geeklog-devel/attachments/20251229/85e6b5a0/attachment.htm>
More information about the geeklog-devel
mailing list