[pmwiki-users] Vulnerability being exploited
Wade Hudson
whudson at igc.org
Thu Dec 21 18:03:15 CST 2006
Dear pmwiki users:

On my site, a vulnerability is being exploited on the top-level script.
About ten times a day, I receive spam that includes a number as the
username and then has "@users.hostname.net" as the domain name.

My web host tells me:

The mail logs suggest that this message was indeed generated on our
Web server, and the web logs turn up... something that looks like
the (ab)use of a script on your own site, corresponding to the
message time exactly:

193.108.252.170 - - [20/Oct/2006:14:51:12 -0700] "POST /pmwiki.php
HTTP/1.1" 302 16 "http://sitename/pmwiki.php" "Mozilla/5.0 (Windows;
U; Windows NT 5.0; en-US; rv:1.0rc3) Gecko/20020523"

You need to close the exploit one way or another. We've had to
disable Web scripts recently because they were being used for
massive spamming and were bringing our whole Web server down, so
it's probably just a matter of time before yours is more
aggressively exploited.

Looking more closely, the URL that's getting used is just
/pmwiki.php, which is the central top-level script for the site.

I am a relative novice. A friend set this site up for me. I think I know
how to upload files to the site using WinSCP, which is configured to
connect to the website when I log in, but that's about it. I could edit
a particular file with precise instructions. So please be as simple and
step-by-step as you can with your advice.

Also, if one of you might be available for one-on-one guidance, that
might be helpful, unless what I need to do is very easy.

Thanks,
Wade
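
The correlation the web host describes, matching the time a spam message was generated against POST requests to /pmwiki.php in the access log, can be scripted. The following is an added example, not part of the original post: the first log line is the one quoted above, while the other two log lines, the mail timestamp and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache combined log format, the format of the line quoted by the web host.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed: time at which the mail log recorded a spam message.
MAIL_TIMES = [datetime(2006, 10, 20, 14, 51, 12,
                       tzinfo=timezone(timedelta(hours=-7)))]

SAMPLE_LOG = [
    # Log line from the post, re-joined onto one line.
    '193.108.252.170 - - [20/Oct/2006:14:51:12 -0700] "POST /pmwiki.php HTTP/1.1" '
    '302 16 "http://sitename/pmwiki.php" "Mozilla/5.0 (Windows; U; Windows NT 5.0; '
    'en-US; rv:1.0rc3) Gecko/20020523"',
    # Constructed: a page view at the same second (GET, so not a form submission).
    '192.0.2.10 - - [20/Oct/2006:14:51:12 -0700] "GET /pmwiki.php?n=Main.HomePage '
    'HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # Constructed: a POST that does not line up with any spam message.
    '198.51.100.7 - - [20/Oct/2006:16:05:40 -0700] "POST /pmwiki.php HTTP/1.1" '
    '302 16 "http://sitename/pmwiki.php" "Mozilla/5.0"',
]

def parse_line(line):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry

def posts_near(log_lines, mail_times, path="/pmwiki.php", window_s=2):
    """Return POST requests to `path` within window_s seconds of a mail time."""
    window = timedelta(seconds=window_s)
    hits = []
    for line in log_lines:
        e = parse_line(line)
        if not e or e["method"] != "POST" or e["path"].split("?")[0] != path:
            continue
        if any(abs(e["time"] - t) <= window for t in mail_times):
            hits.append(e)
    return hits

if __name__ == "__main__":
    for hit in posts_near(SAMPLE_LOG, MAIL_TIMES):
        print(hit["time"].isoformat(), hit["ip"], hit["status"], hit["agent"])
```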