[pmwiki-users] Need some help with a wiki.d security breach

John Coxon john at coxontool.com
Thu Nov 2 09:49:50 CST 2006


My site running pmwiki-2.1.23 has been invaded by an email spam  
engine at http://www.coxontool.com/wiki.d/email.php.stop (.stop added  
to, well, stop the spamming - 1,381 meg outgoing just this morning).

If you go to the above address you'll see a form with an unlabeled  
box at the bottom right. This box will accept a long list of outgoing  
addresses into a variable.

My hosting ISP is currently trying to recover from an email server  
crash that may or may not be related to this invasion. They're too  
busy to look now :-)

I need some help figuring out how this guy got in and how to keep him  
out.

My site is password protected. If the password were somehow obtained  
would that enable one to install the script in wiki.d through an  
edit? Everything looks ok via ?action=diff for all pages modified  
since this guy got in so I'm thinking he came in some other way. But  
if so why put the script in the wiki.d directory?

Would it be helpful if I post the offending script here? Or might  
that risk giving it to other spammers?

Any suggestions would be gratefully appreciated.

John





