<div class="gmail_quote"><div>I've just found that there are also similar mystery php files in the pub/skins/W directory - and this does not have 777 permissions. </div><div>And the extra link had been written to W.tmpl in that skins directory. </div>
<div><br></div><div>How could that happen? It certainly wasn't me, and I'm the only one who knows the admin password! And the only one who has (legal) access to the unix directories on the host. </div><div><br></div>
<div>Any comments?</div><div><br></div><div>Thanks, James</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><span style="border-collapse:collapse">Hi <div>
<br></div><div>I have found some mysterious files on my small (8 pages) pmwiki site which appear to compromise the security. The site uses AuthUser, with only 2 authorised users. </div>
<div><br></div><div>I only found this by chance as one of the pages has a link which was not inserted by either of us (and points apparently to some driver download at a url that no longer exists; it looks like it has nothing to do with the domain so was probably planted by a hacker? was it a virus?). </div>
<div><br></div><div>Anyway, the mysterious files are five almost identical php files, one in wiki.d, two in uploads and two in uploads/W (wiki.d and uploads are of course the two directories with 777 permissions), and htaccess files in uploads and uploads/W</div>
<div><br></div><div>The php files are of the order of 18kb, and begin with</div><div>for wiki.d/remote.php and uploads/configs.php and uploads/W/guest.php: </div><div><?php error_reporting(0);$p="eval(base64_decode(Y2xhc3MgbmV3aHR0cHsNCnByb3RlY3Rl.......................<br>
</div><div><br></div><div>and in the case of uploads/includes.php and uploads/W/messages.php:</div><div><?php error_reporting(0);$s="e";$p="bafhezzazbzcea";eval(base64_decode("Y2xhc3MgbmV3aHR0cHsNCnByb3RlY3Rl................<br>
</div><div><br></div><div>the .htaccess files in the uploads and the uploads/W directories both read,</div><div><br></div><div><div>Options -MultiViews</div><div>ErrorDocument 404 path-to-pmwiki/uploads/includes.php</div>
<div><br></div><div><br></div><div>How could these have got there? Any suggestions? Has anyone else had a similar experience?</div><div><br></div><div>Thanks,</div><div><br></div><div> James</div><div><br></div><div>
The site is running pmwiki-2.2.0-beta65</div><div><br></div><div>ps in the meantime I've changed the permissions on wiki.d and uploads to 755, but that's obviously not very satisfactory</div><div><br></div><div>pps I've also just noticed there's an empty directory in the pmwiki directory called cgi-bin. I don't think it's usually there is it?</div>
<div><br></div></div></span>
</blockquote></div><br>