<span class="Apple-style-span" style="border-collapse: collapse; ">Hi <div><br></div><div>I have found some mysterious files on my small (8 pages) pmwiki site which appear to compromise the security. The site uses AuthUser, with only 2 authorised users. </div>
<div><br></div><div>I only found this by chance as one of the pages has a link which was not inserted by either of us (and points apparently to some driver download at a url that no longer exists; it looks like it has nothing to do with the domain so was probably planted by a hacker? was it a virus?). </div>
<div><br></div><div>Anyway, the mysterious files are five almost identical php files, one in wiki.d, two in uploads and two in uploads/W (wiki.d and uploads are of course the two directories with 777 permissions), and htaccess files in uploads and uploads/W</div>
<div><br></div><div>The php files are of the order of 18kb, and begin with</div><div>for wiki.d/remote.php and uploads/configs.php and uploads/W/guest.php: </div><div>&lt;?php error_reporting(0);$p="eval(base64_decode(Y2xhc3MgbmV3aHR0cHsNCnByb3RlY3Rl.......................<br>
</div><div><br></div><div>and in the case of uploads/includes.php and uploads/W/messages.php:</div><div>&lt;?php error_reporting(0);$s="e";$p="bafhezzazbzcea";eval(base64_decode("Y2xhc3MgbmV3aHR0cHsNCnByb3RlY3Rl................<br>
</div><div><br></div><div>the .htaccess files in the uploads and the uploads/W directories both read,</div><div><br></div><div><div>Options -MultiViews</div><div>ErrorDocument 404 path-to-pmwiki/uploads/includes.php</div>
<div><br></div><div><br></div><div>How could these have got there? Any suggestions? Has anyone else had a similar experience?</div><div><br></div><div>Thanks,</div><div><br></div><div> James</div><div><br></div><div>
The site is running pmwiki-2.2.0-beta65</div><div><br></div><div>ps in the meantime I've changed the permissions on wiki.d and uploads to 755, but that's obviously not very satisfactory</div><div><br></div><div>pps I've also just noticed there's an empty directory in the pmwiki directory called cgi-bin. I don't think it's usually there is it?</div>
<div><br></div></div></span>
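<div>A triage check for the indicators described in the message above, as an added example that is not part of the original post or of PmWiki. The regexes, the function names scan and build_sample, and the sample tree are constructed for illustration, and it assumes no PHP file legitimately lives in wiki.d or uploads.</div>

```python
import os, re, stat, sys

# Indicators taken from the post; the regexes themselves are this example's own.
LOADER = re.compile(rb"eval\s*\(\s*base64_decode", re.I)
ERRDOC_PHP = re.compile(rb"^\s*ErrorDocument\s+\d{3}\s+\S+\.php\s*$", re.I | re.M)

def scan(data_dirs):
    """Return sorted (path, reason) findings under the given data directories."""
    findings = []
    for root in data_dirs:
        for dirpath, _dirs, files in os.walk(root):
            if os.stat(dirpath).st_mode & stat.S_IWOTH:
                findings.append((dirpath, "world-writable directory"))
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(65536)
                except OSError:
                    continue
                if name.lower().endswith(".php"):
                    # Assumption: no PHP is legitimately stored in wiki.d or uploads.
                    why = "obfuscated PHP loader" if LOADER.search(head) else "unexpected PHP file"
                    findings.append((path, why))
                elif name == ".htaccess" and ERRDOC_PHP.search(head):
                    findings.append((path, "ErrorDocument handled by PHP"))
    return sorted(findings)

def build_sample(base):
    """Write a constructed tree shaped like the one in the post; return its data dirs."""
    files = {  # all contents below are constructed placeholders
        "wiki.d/.htaccess": b"Order Deny,Allow\nDeny from all\n",
        "wiki.d/remote.php": b'<?php error_reporting(0);$p="eval(base64_decode(QUJD',
        "uploads/.htaccess": b"Options -MultiViews\nErrorDocument 404 /pmwiki/uploads/includes.php\n",
        "uploads/includes.php": b'<?php error_reporting(0);eval(base64_decode("QUJD"));',
        "uploads/W/photo.jpg": b"\xff\xd8\xff\xe0",
    }
    for rel, body in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    for rel, mode in (("wiki.d", 0o755), ("uploads", 0o777), ("uploads/W", 0o755)):
        os.chmod(os.path.join(base, rel), mode)
    return [os.path.join(base, "wiki.d"), os.path.join(base, "uploads")]

if __name__ == "__main__":
    for path, why in scan(sys.argv[1:]):
        print(f"{why}: {path}")
```

<div>Run it with the wiki's data directories as arguments; file modification times on anything it reports can then be matched against the web server access log.</div>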