[pmwiki-devel] cryptowall attack on pmwiki

Petko Yotov 5ko at 5ko.fr
Thu Apr 28 05:35:07 CDT 2016


Randolph and I exchanged a few off-list messages, so here is the summary:

The files are really binary and owned by a different user. One of the 
files, a PNG picture, contains instructions on how to pay a ransom to 
decrypt files (search for Cryptowall to learn more about the 
ransomware). This suggests that Randolph's account was somehow 
compromised from the hosting space, not from PmWiki, likely only to 
store the files, which would appear on some (other) victim's screen, and 
the criminals would stay hard to trace.

The wiki.d directory has permissions set to 777, so my advice is to 
review the hosting documentation, to find out what permissions are 
expected/recommended on the filesystem, and set such permissions on the 
user home directory, wiki.d and the other directories.

Petko

---
Change log     :  http://www.pmwiki.org/wiki/PmWiki/ChangeLog
Release notes  :  http://www.pmwiki.org/wiki/PmWiki/ReleaseNotes
If you upgrade :  http://www.pmwiki.org/wiki/PmWiki/Upgrades


On 2016-04-27 02:29, W Randolph Franklin wrote:
> I discovered 4 files in wiki.d/ :
> 
> HELP_DECRYPT.HTML HELP_DECRYPT.PNG HELP_DECRYPT.TXT HELP_DECRYPT.URL
> 
> The PNG file said that my files had been encrypted by Cryptowall.
> 
> The good news is that there was in fact no damage, perhaps because I'm
> running Linux.
> 
> The bad news is that someone was able to place those files there.
> 
> Any ideas where I'd start to look? Has anyone else seen this?
> 
> Also, HELP_DECRYPT.HTML HELP_DECRYPT.TXT HELP_DECRYPT.URL were binary,
> in spite of their names. Perhaps listing them in a vulnerable OS is
> intended to cause more damage?
> 
> Thanks.
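The advice in the reply above (check what modes the host recommends and replace the 777 on wiki.d) and the symptoms reported in the original message (a world-writable page store, files owned by a different account, files whose names do not look like wiki pages) can all be checked with a short audit script. The script below is an added example, not code from this thread or from PmWiki itself. It assumes a POSIX shell with find, ls and mktemp; the page-file naming pattern it uses (Group.Name made of alphanumerics and hyphens) is an assumption to adjust for your install, and the 755/644 modes are placeholders for whatever your hosting documentation actually recommends.

```shell
#!/bin/sh
# Added example (not from the thread or PmWiki): audit a PmWiki page store
# for the symptoms discussed above, then tighten its permissions.
# Assumes POSIX sh, find, ls and mktemp. The page-file naming pattern in
# count_odd_names is an assumption; tune it for your installation.

# Count world-writable files and directories under $1 (the "777" symptom).
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Count entries under $1 not owned by $2 (a user name or numeric uid).
# Files dropped by another account, as in the thread, show up here.
count_foreign_owner() {
    find "$1" ! -user "$2" | wc -l | tr -d ' '
}

# Count top-level entries in the page store whose names do not look like
# PmWiki page files (assumed form Group.Name, alphanumerics and hyphens).
# Dotfiles such as .flock and .pageindex are PmWiki's own and are skipped.
count_odd_names() {
    ls -A "$1" | grep -v '^\.' \
        | grep -v -E '^[A-Za-z0-9-]+\.[A-Za-z0-9-]+$' | wc -l | tr -d ' '
}

# Apply directory mode $2 and file mode $3 to everything under $1.
# 755/644 are placeholders: use the modes your hosting docs recommend
# (for example a group-writable mode if PHP runs as a different user).
harden_tree() {
    find "$1" -type d -exec chmod "$2" {} +
    find "$1" -type f -exec chmod "$3" {} +
}

# Build a constructed sample tree reproducing the thread's situation
# (777 wiki.d, one real page, one foreign-looking file) and print its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir "$root/wiki.d"
    chmod 777 "$root/wiki.d"
    : > "$root/wiki.d/Main.HomePage"
    chmod 644 "$root/wiki.d/Main.HomePage"
    : > "$root/wiki.d/HELP_DECRYPT.PNG"
    chmod 666 "$root/wiki.d/HELP_DECRYPT.PNG"
    : > "$root/wiki.d/.pageindex"
    chmod 644 "$root/wiki.d/.pageindex"
    printf '%s\n' "$root"
}

# Demonstration on the constructed tree: report, harden, report again.
demo_root=$(make_sample_tree)
echo "world-writable before: $(count_world_writable "$demo_root/wiki.d")"
echo "odd names in wiki.d:   $(count_odd_names "$demo_root/wiki.d")"
echo "not owned by me:       $(count_foreign_owner "$demo_root/wiki.d" "$(id -u)")"
harden_tree "$demo_root/wiki.d" 755 644
echo "world-writable after:  $(count_world_writable "$demo_root/wiki.d")"
rm -rf "$demo_root"
```

On a real install, point the three count_ functions at the wiki's own wiki.d (and the rest of the account's home directory) before changing anything, so you have a record of which files were world-writable or foreign-owned; run harden_tree only with the modes the host documents, since a mode that locks the web server out of wiki.d will stop the wiki from saving pages.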
