Thanks for your comments Rogutes <div><br></div><div>I've just had a long conversation with tech support at my host (who are excellent). What happens is that the hackers use the uploads directory (with 777 permissions) to upload php files, and then it seems these php files can be used to access other parts of the filesystem (if I understood correctly). (This is after using some ftp program to find the directory structure - so using non-standard names probably wouldn't help.)</div>
<div><br></div><div>The planted files were owned by nobody, which suggests they were introduced using php.</div><div>So it looks like AuthUser was not the problem. </div><div><br></div><div>If a directory has 777 permissions, is there anything to stop someone putting an arbitrary file there? </div>
<div><br></div><div>I will anyway do a clean install of pmwiki.</div><div><br></div><div>Thanks again, James</div><div><br><br><div class="gmail_quote">On Mon, Dec 22, 2008 at 10:43 AM, Rogutės <span dir="ltr"><<a href="mailto:rogutes@googlemail.com">rogutes@googlemail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">James M (2008-12-21 22:45):<br>
<div class="Ih2E3d">> I've just found that there are also similar mystery php files in the<br>
> pub/skins/W directory - and this does not have 777 permissions.<br>
> And the extra link had been written to W.tmpl in that skins directory.<br>
><br>
> How could that happen? It certainly wasn't me, and I'm the only one who<br>
> knows the admin password! And the only one who has (legal) access to the<br>
> unix directories on the host.<br>
><br>
> Any comments?<br>
><br>
> Thanks, James<br>
<br>
<br>
</div>Hi,<br>
<br>
Yes, it is a security breach. You should also check (and perhaps post)<br>
the dates and owners/groups of all these 'mysterious' files.<br>
<br>
If the server you are using is providing shared hosting, maybe you<br>
should contact the owner of the server - he might be willing to<br>
investigate.<br>
<br>
For one thing, you shouldn't be using the same password with PmWiki and<br>
the one you are using to access unix directories on the host (and<br>
perhaps you aren't, I'm just guessing).<br>
<br>
Also, check the access logs (the attacker might have tried to access<br>
these php files he created)!<br>
<br>
Could you compress and attach the php files you deem suspicious (by<br>
indicating were you found them and under what permissions)?<br>
<br>
If you believe the server is clean and this is a problem with your<br>
account only, you could try to clean up like this:<br>
<br>
1. Backup:<br>
* WikiWord.WikiWord files in wiki.d/ (without .php or any other<br>
suffix and excluding Site.AuthUser)<br>
* All files you know from uploads/<br>
* The skin template, but only if you customized it (otherwise just<br>
re-download it)<br>
* local/ configuration files<br>
<br>
2. Wipe out the PmWiki installation.<br>
3. Change your admin password on the server.<br>
4. Proofread the skin and config files you backed up.<br>
5. Edit your config.php: disable AuthUser, change the 'upload', 'edit',<br>
'admin' passwords.<br>
6. Reinstall clean PmWiki from <a href="http://pmwiki.org" target="_blank">pmwiki.org</a>.<br>
7. Carefully restore your backups.<br>
<br>
<br>
-- Rogutės nuo kalniuko.<br>
<br>
_______________________________________________<br>
pmwiki-users mailing list<br>
<a href="mailto:pmwiki-users@pmichaud.com">pmwiki-users@pmichaud.com</a><br>
<a href="http://www.pmichaud.com/mailman/listinfo/pmwiki-users" target="_blank">http://www.pmichaud.com/mailman/listinfo/pmwiki-users</a><br>
</blockquote></div><br></div>