Becoming the Target of MediaWiki Spambots

Thursday, December 15, 2016 2 minute read

Recently, I installed a MediaWiki instance on a public-facing server. I knew this was a huge security risk, but since it was on a subdomain that nothing linked to, I assumed I'd be fine. I found that I didn't particularly like working with MediaWiki, so I moved on to a different project and pretty much forgot all about it.

A few months later, I was shocked to realize there were nearly 100,000 items in the spam folder for the throwaway email address I set as the admin of the MediaWiki application. The messages were notifications of new pages, new users, new edits, etc. from MediaWiki itself.

The bots had found it, and it was escalating quickly!

A Look at the Traffic

The site got forty hits in September. A little over a hundred in October. Then, it got a shocking 300,000 in November, and - what?! - 4,000,000 hits already in December! They'd transmitted nearly 20 GB of data just in the last week.

The source of the traffic was surprisingly only because it wasn't all from Russia. It was a pretty geographically-diverse botnet, with a surprising percentage coming from the Americas.

I have to admit I was fascinated by how much it seemed to be ramping up. My little shared-hosting MySQL database was 4 GB and growing (sorry, neighbors). They started out small, and when they realized I wasn't moderating their posts, they doubled the resources sent my server every day. The articles were nonsense, with a few innocuous links to dentist offices or ecommerce stores sprinkled throughout.

15 minutes of activity

Just look at all that activity!

Final Thoughts

  • As interesting as the attention may have become, I now have to wonder if the domain I had it set up on is blacklisted anywhere.
  • Don't use MediaWiki unless you're nostalgic for how terrible website design used to be. Even then, maybe just take a look at the MediaWiki homepage and call it a night.