[SAC] CASE2: human spammer tried to obtain mantra (and failed)

A user with nickname "yousufmallick" joined the #osgeo IRC channel
and asked for the mantra:

      < yousufmallick> hello
      < yousufmallick> can you please help me with the mantra

Norman Vine figured the user was coming from a suspicious IP,
so I gave him the wrong mantra. After some minutes a new user
with nickname "amber_" joined the #telascience IRC channel:

      < amber_> hello
      < amber_> can anyone help me with mantra

At the time both users were connected with the two different nicks.
Both connected via the freenode webchat application, connected
with an HTTP client from IP 103.38.177.2

NO such IP hit the user creation form in the recent days.
The last POST from that IP was on May 5:

      103.38.177.2 - - [05/May/2016:12:47:00 -0700] "POST /ossim/wiki/USA%201*800*445*2790!!!%20norton%20a ntivirus%20t.e.c.h%20s.u.p.p.o.r.t%20p.h.o.n.e%20n.u.m.b.e.r HTTP/1.1" 303 789

We had a chat with the guy, to try to get more info out.
It didn't look like a bot to me, confirming the previous analysis
about the captcha not having an effect. An extract:

      < strk> amber_: what do you need an OSGeo Userid for ?
      < amber_> i want to post my conten
      < strk> what content ?
      < amber_> מאַנטראַ al ++ 1.800..445..2790 us uk canada t.ech s.up.p.or.t p.h.one n.u.m.be.r, bullguard p.h.one n.u.m.be.r

I think Mateusz has a full log of the chat, if someone is interested from
a sociological point of view :)

Mantra-based keeps working !

--strk;

An ERRATA

On Wed, May 18, 2016 at 03:23:20PM +0200, Sandro Santilli wrote:

> NO such IP hit the user creation form in the recent days.

I was only looking at the trac logs, the web logs do actually
contain traces of the guy trying to register:

103.38.177.2 - - [17/May/2016:11:51:42 -0700] "POST /cgi-bin/ldap_create_user.py HTTP/1.1" 200 949 "https://www.osgeo.org/cgi-bin/ldap_create_user.py" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36 OPR/37.0.2178.43"
103.38.177.2 - - [17/May/2016:11:52:13 -0700] "POST /cgi-bin/ldap_create_user.py HTTP/1.1" 200 949 "https://www.osgeo.org/cgi-bin/ldap_create_user.py" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36 OPR/37.0.2178.43"
103.38.177.2 - - [17/May/2016:11:52:17 -0700] "POST /cgi-bin/ldap_create_user.py HTTP/1.1" 200 949 "https://www.osgeo.org/cgi-bin/ldap_create_user.py" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36 OPR/37.0.2178.43"
103.38.177.2 - - [17/May/2016:11:52:19 -0700] "POST /cgi-bin/ldap_create_user.py HTTP/1.1" 200 949 "https://www.osgeo.org/cgi-bin/ldap_create_user.py" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36 OPR/37.0.2178.43"

And his IP being blocked for one hour after that:

2016-05-17 11:52:30,335 fail2ban.actions: WARNING [osgeo-ldap-create-toomany] Ban 103.38.177.2
2016-05-17 12:52:30,919 fail2ban.actions: WARNING [osgeo-ldap-create-toomany] Unban 103.38.177.2

--strk;
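
An added example, not part of the original messages and not OSGeo's actual fail2ban filter: a sliding-window check over web access logs that flags an IP posting repeatedly to the account-creation form, the pattern visible in the log lines above. The threshold and window are assumptions, the sample lines reuse the timestamps quoted above with referer and user agent elided, and the 203.0.113.7 line is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format: client IP, timestamp, method, path, status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TARGET_PATH = "/cgi-bin/ldap_create_user.py"  # path taken from the logs above
MAX_POSTS = 3                   # assumed threshold, not the real jail setting
WINDOW = timedelta(seconds=60)  # assumed window, not the real jail setting

def parse(line):
    """Return (ip, timestamp, method, path) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]

def find_bursts(lines, max_posts=MAX_POSTS, window=WINDOW):
    """Map each IP to the time its POST count first exceeded max_posts in window."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if method != "POST" or path != TARGET_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) > max_posts and ip not in flagged:
            flagged[ip] = ts
    return flagged

FMT = '{ip} - - [17/May/2016:{t} -0700] "{req} HTTP/1.1" 200 949 "-" "-"'
POST = "POST " + TARGET_PATH
SAMPLE = [FMT.format(ip="103.38.177.2", t=t, req=POST)
          for t in ("11:51:42", "11:52:13", "11:52:17", "11:52:19")]
# Constructed lines: a single legitimate POST and a GET from another address
SAMPLE.insert(1, FMT.format(ip="203.0.113.7", t="11:52:00", req=POST))
SAMPLE.append(FMT.format(ip="203.0.113.7", t="11:52:25", req="GET " + TARGET_PATH))

if __name__ == "__main__":
    for ip, when in find_bursts(SAMPLE).items():
        print(f"{ip} exceeded {MAX_POSTS} POSTs in {WINDOW} at {when.isoformat()}")
```

With these assumed settings the fourth POST at 11:52:19 trips the check, shortly before the ban recorded in the fail2ban log above.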