[pmwiki-users] Vulnerability being exploited

Wade Hudson whudson at igc.org
Thu Dec 21 18:03:15 CST 2006


Dear pmwiki users:

On my site, a vulnerability is being exploited on the top-level script.
About ten times a day, I receive spam that includes a number as the 
username and then has "@users.hostname.net" as the domain name.

My web host tells me:

    The mail logs suggest that this message was indeed generated on our
    Web server, and the web logs turn up... something that looks like
    the (ab)use of a script on your own site, corresponding to the
    message time exactly:

    193.108.252.170 - - [20/Oct/2006:14:51:12 -0700] "POST /pmwiki.php
    HTTP/1.1" 302 16 "http://sitename/pmwiki.php" "Mozilla/5.0 (Windows;
    U; Windows NT 5.0; en-US; rv:1.0rc3) Gecko/20020523"

    You need to close the exploit one way or another. We've had to
    disable Web scripts recently because they were being used for
    massive spamming and were bringing our whole Web server down, so
    it's probably just a matter of time before yours is more
    aggressively exploited.

    Looking more closely, the URL that's getting used is just
    /pmwiki.php, which is the central top-level script for the site

I am a relative novice. A friend set this site up for me. I think I know 
how to upload files to the site using WinSCP, which is configured to 
connect to the website when I log in, but that's about it. I could edit 
a particular file with precise instructions. So please be as simple and 
step-by-step as you can with your advice.

Also, if one of you might be available for one-on-one guidance, that 
might be helpful, unless what I need to do is very easy.

Thanks,
Wade
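
Added example, not part of the original message or of PmWiki: a short Python script that repeats the web host's check by pairing each spam send time with POST requests to /pmwiki.php in an Apache combined-format access log. The first log line is the one quoted above; the other log lines, the mail timestamps and the two-second window are constructed assumptions, and extracting send times from the mail log is left out because its format is not shown here.

```python
import re
from datetime import datetime, timedelta

# Apache combined log format, as in the line the web host quoted.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_access_line(line):
    """Return (ip, method, path, status, datetime) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], m["method"], m["path"], int(m["status"]), when

def correlate(access_lines, mail_times, script="/pmwiki.php", window_s=2):
    """Pair each mail send time with POSTs to `script` within window_s seconds."""
    window = timedelta(seconds=window_s)
    posts = []
    for line in access_lines:
        rec = parse_access_line(line)
        # Only POSTs to the script itself matter; ignore any query string.
        if rec and rec[1] == "POST" and rec[2].split("?")[0] == script:
            posts.append(rec)
    hits = []
    for sent in mail_times:
        for ip, _method, _path, status, when in posts:
            if abs(when - sent) <= window:
                hits.append((sent, ip, status))
    return hits

# First entry: the log line from the message, joined onto one line.
# Remaining entries are constructed, using documentation IP ranges.
SAMPLE_LOG = [
    '193.108.252.170 - - [20/Oct/2006:14:51:12 -0700] "POST /pmwiki.php HTTP/1.1" 302 16 "http://sitename/pmwiki.php" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0rc3) Gecko/20020523"',
    '192.0.2.10 - - [20/Oct/2006:14:51:13 -0700] "GET /pmwiki.php?n=Main.HomePage HTTP/1.1" 200 5120 "-" "constructed-agent"',
    '198.51.100.7 - - [20/Oct/2006:15:30:00 -0700] "POST /pmwiki.php HTTP/1.1" 302 16 "-" "constructed-agent"',
]
# Constructed send times, standing in for timestamps taken from the mail log.
SAMPLE_MAIL = [
    datetime.fromisoformat("2006-10-20T14:51:12-07:00"),
    datetime.fromisoformat("2006-10-20T16:00:00-07:00"),
]

if __name__ == "__main__":
    for sent, ip, status in correlate(SAMPLE_LOG, SAMPLE_MAIL):
        print(f"mail at {sent.isoformat()} matches POST from {ip} (HTTP {status})")
```

A send time with no matching POST points away from the wiki script as the sender of that message.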
