[pmwiki-users] Security breach?

James M jamesm1415 at googlemail.com
Sun Dec 21 16:02:31 CST 2008


Hi
I have found some mysterious files on my small (8 pages) pmwiki site which
appear to compromise the security. The site uses AuthUser, with only 2
authorised users.

I only found this by chance, as one of the pages has a link which was not
inserted by either of us (and points apparently to some driver download at a
URL that no longer exists; it looks like it has nothing to do with the
domain so was probably planted by a hacker? Was it a virus?).

Anyway, the mysterious files are five almost identical PHP files, one in
wiki.d, two in uploads and two in uploads/W (wiki.d and uploads are of
course the two directories with 777 permissions), and htaccess files in
uploads and uploads/W.

The php files are of the order of 18kb, and begin with
for wiki.d/remote.php and uploads/configs.php and uploads/W/guest.php:
<?php
error_reporting(0);$p="eval(base64_decode(Y2xhc3MgbmV3aHR0cHsNCnByb3RlY3Rl.......................

and in the case of uploads/includes.php and uploads/W/messages.php:
<?php
error_reporting(0);$s="e";$p="bafhezzazbzcea";eval(base64_decode("Y2xhc3MgbmV3aHR0cHsNCnByb3RlY3Rl................

the .htaccess files in the uploads and the uploads/W directories both read,

Options -MultiViews
ErrorDocument 404 path-to-pmwiki/uploads/includes.php


How could these have got there?  Any suggestions?  Has anyone else had a
similar experience?

Thanks,

    James

The site is running pmwiki-2.2.0-beta65

ps in the meantime I've changed the permissions on wiki.d and uploads to
755, but that's obviously not very satisfactory

pps I've also just noticed there's an empty directory in the pmwiki
directory called cgi-bin.  I don't think it's usually there, is it?
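
A defender-side sweep for the artefacts described in this message, as an added example (not part of the original post and not PmWiki code). It assumes wiki.d and uploads should hold no PHP scripts at all; `scan`, `make_sample` and the sample tree are hypothetical names and constructed data.

```python
import os, re, stat

# Markers taken from the files quoted in the message above.
OBFUSCATED = re.compile(rb"eval\s*\(\s*base64_decode", re.I)
ERRDOC_PHP = re.compile(rb"^\s*ErrorDocument\s+\d{3}\s+\S+\.php\b", re.I | re.M)

def scan(data_dirs):
    """Return sorted (path, reason) findings for the wiki's data directories."""
    findings = []
    for top in data_dirs:
        for dirpath, _dirs, files in os.walk(top):
            if stat.S_IMODE(os.stat(dirpath).st_mode) & stat.S_IWOTH:
                findings.append((dirpath, "world-writable directory"))
            for name in files:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    head = fh.read(65536)  # the reported files were ~18 KB
                if name.lower().endswith(".php"):
                    findings.append((path, "PHP script in data directory"))
                if OBFUSCATED.search(head):
                    findings.append((path, "eval(base64_decode loader"))
                if name == ".htaccess" and ERRDOC_PHP.search(head):
                    findings.append((path, "ErrorDocument routed to PHP"))
    return sorted(findings)

def make_sample(root):
    """Constructed tree mirroring the reported layout; payloads are inert stubs."""
    files = {
        "wiki.d/Main.HomePage": b"text=constructed page\n",
        "wiki.d/remote.php": b'<?php\nerror_reporting(0);$p="eval(base64_decode(QUJD";\n',
        "uploads/.htaccess": b"Options -MultiViews\nErrorDocument 404 /path-to-pmwiki/uploads/includes.php\n",
        "uploads/includes.php": b'<?php\nerror_reporting(0);eval(base64_decode("QUJD"));\n',
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "uploads"), 0o777)  # constructed: mode as found
    os.chmod(os.path.join(root, "wiki.d"), 0o755)   # constructed: mode after the change
    return [os.path.join(root, d) for d in ("wiki.d", "uploads")]

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for path, reason in scan(make_sample(tmp)):
            print(f"{reason}: {os.path.relpath(path, tmp)}")
```

Files it reports are candidates for offline review and comparison against a clean copy of the site, alongside the web server access logs for the same paths.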