[pmwiki-users] Need some help with a wiki.d security breach
john at coxontool.com
Thu Nov 2 11:00:49 CST 2006
On Nov 2, 2006, at 11:11 AM, Patrick R. Michaud wrote:
> On Thu, Nov 02, 2006 at 10:49:50AM -0500, John Coxon wrote:
>> My site running pmwiki-2.1.23 has been invaded by an email spam
>> engine at http://www.coxontool.com/wiki.d/email.php.stop (.stop added
>> to, well, stop the spamming - 1,381 meg outgoing just this morning).
>> I need some help figuring out how this guy got in and how to keep him
>> My site is password protected. If the password were somehow obtained
>> would that enable one to install the script in wiki.d through an
> Not as written here. PmWiki would've changed the page name to be
> 'Email.Php', as well as written the file in the page store format
> (which protects against raw HTML or PHP scripts). So, the file
> arrived in wiki.d/ via some other vector.
Where might I look for that other vector? The file was installed as
owner = apache and group = apache and permissions = 644 just like all
the other files in wiki.d. An earlier version was installed a few
days ago as mail.php and later the same day, after considerable use,
the contents were deleted and permissions set to 600.
> What about the .htaccess file that is supposed to be in wiki.d/ --
> is it there, or has it disappeared?
The .htaccess file is present and contains:
Deny from all
>> Everything looks ok via ?action=diff for all pages modified
>> since this guy got in so I'm thinking he came in some other way. But
>> if so why put the script in the wiki.d directory?
> Because, on your site at least, it's easily accessible from the web
> via the wiki.d/ url. (Normally we try to block that url by using
> the .htaccess file, but that doesn't seem to be having any effect
> at the moment.)
>> Would it be helpful if I post the offending script here?
> The script itself doesn't seem to be the problem -- it's whatever
> allowed the script to appear in wiki.d/ . So no, I wouldn't post
> it here.
More information about the pmwiki-users