[pmwiki-users] Security breach?

James M jamesm1415 at googlemail.com
Mon Dec 22 08:43:03 CST 2008


Thanks for your comments, Rogutės.
I've just had a long conversation with tech support at my host (who are
excellent).  What happens is that the hackers use the uploads directory
(with 777 permissions) to upload php files, and then it seems these php
files can be used to access other parts of the filesystem (if I understood
correctly). (This is after using some ftp program to find the directory
structure - so using non-standard names probably wouldn't help.)

The planted files were owned by nobody, which suggests they were introduced
using php.
So it looks like AuthUser was not the problem.

If a directory has 777 permissions, is there anything to stop someone
putting an arbitrary file there?

I will anyway do a clean install of pmwiki.

Thanks again,     James


On Mon, Dec 22, 2008 at 10:43 AM, Rogutės <rogutes at googlemail.com> wrote:

> James M (2008-12-21 22:45):
> > I've just found that there are also similar mystery php files in the
> >  pub/skins/W directory - and this does not have 777 permissions.
> > And the extra link had been written to W.tmpl in that skins directory.
> >
> > How could that happen?  It certainly wasn't me, and I'm the only one who
> > knows the admin password! And the only one who has (legal) access to the
> > unix directories on the host.
> >
> > Any comments?
> >
> > Thanks,    James
>
>
> Hi,
>
> Yes, it is a security breach. You should also check (and perhaps post)
> the dates and owners/groups of all these 'mysterious' files.
>
> If the server you are using is providing shared hosting, maybe you
> should contact the owner of the server - he might be willing to
> investigate.
>
> For one thing, you shouldn't be using the same password with PmWiki and
> the one you are using to access unix directories on the host (and
> perhaps you aren't, I'm just guessing).
>
> Also, check the access logs (the attacker might have tried to access
> these php files he created)!
>
> Could you compress and attach the php files you deem suspicious (by
> indicating where you found them and under what permissions)?
>
> If you believe the server is clean and this is a problem with your
> account only, you could try to clean up like this:
>
> 1. Backup:
>    * WikiWord.WikiWord files in wiki.d/ (without .php or any other
>      suffix and excluding Site.AuthUser)
>    * All files you know from uploads/
>    * The skin template, but only if you customized it (otherwise just
>      re-download it)
>    * local/ configuration files
>
> 2. Wipe out the PmWiki installation.
> 3. Change your admin password on the server.
> 4. Proofread the skin and config files you backed up.
> 5. Edit your config.php: disable AuthUser, change the 'upload', 'edit',
>    'admin' passwords.
> 6. Reinstall clean PmWiki from pmwiki.org.
> 7. Carefully restore your backups.
>
>
> --  Rogutės nuo kalniuko.
>
> _______________________________________________
> pmwiki-users mailing list
> pmwiki-users at pmichaud.com
> http://www.pmichaud.com/mailman/listinfo/pmwiki-users
>
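As an added example (not code from the thread and not part of PmWiki), the checks Rogutės asks for and the symptoms James describes, scripted against a constructed directory tree and constructed access-log lines: world-writable directories, PHP files under uploads/ and pub/skins/, files changed after a known-good date, and log hits on those files. The layout (uploads/, pub/skins/W, wiki.d/, local/config.php), the timestamps and the Apache combined-log lines are assumptions standing in for a real install:

```shell
#!/bin/sh
# Triage helpers for a PHP web app on shared hosting. The sample tree and the
# log lines below are constructed for the example; nothing is read from a real
# server. Point the functions at a real document root to use them for real.
set -eu

# Build a throw-away tree laid out like a default PmWiki install (assumed
# layout, not taken from the thread). Prints the tree's root directory.
mk_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/uploads/Main" "$site/pub/skins/W" "$site/wiki.d" "$site/local"
    echo "<?php # site configuration ?>"          > "$site/local/config.php"
    echo "text=Welcome"                           > "$site/wiki.d/Main.HomePage"
    echo "JFIF placeholder"                       > "$site/uploads/Main/photo.jpg"
    echo "<!--PageText--> extra link"             > "$site/pub/skins/W/W.tmpl"
    echo "<?php # file that should not exist ?>"  > "$site/uploads/Main/x.php"
    echo "<?php # file that should not exist ?>"  > "$site/pub/skins/W/img.php"
    # Known-good content dates from 1 Dec; the planted files and the edited
    # template date from 21 Dec, mirroring the timeline in the thread.
    touch -t 200812010000 "$site/local/config.php" "$site/wiki.d/Main.HomePage" \
                          "$site/uploads/Main/photo.jpg"
    touch -t 200812210312 "$site/uploads/Main/x.php" "$site/pub/skins/W/img.php"
    touch -t 200812210315 "$site/pub/skins/W/W.tmpl"
    chmod 777 "$site/uploads" "$site/uploads/Main"   # the 777 upload directory
    chmod 755 "$site/pub/skins/W"                    # not world-writable, yet hit
    printf '%s\n' "$site"
}

# Directories that any local account, or anything running as the web-server
# user, can write to. Paths are printed relative to the site root.
world_writable_dirs() {
    find "$1" -type d -perm -777 | sed "s|^$1/||" | sort
}

# PHP files under uploads/ and pub/skins/. Those directories hold attachments
# and templates; a .php file there was put there by someone else.
php_in_data_dirs() {
    find "$1/uploads" "$1/pub/skins" -type f -name '*.php' | sed "s|^$1/||" | sort
}

# Files modified more recently than a reference file you trust (here
# local/config.php): the "check the dates" step from the reply. Run
# "ls -l" on the results to see owner and group as well.
changed_since() {
    find "$1" -type f -newer "$2" | sed "s|^$1/||" | sort
}

# Constructed Apache combined-log lines standing in for the host's access log.
sample_access_log() {
    cat <<'EOF'
203.0.113.7 - - [21/Dec/2008:03:12:40 -0600] "POST /uploads/Main/x.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.4 - - [21/Dec/2008:09:01:02 -0600] "GET /pmwiki.php?n=Main.HomePage HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Dec/2008:03:14:11 -0600] "GET /pub/skins/W/img.php?x=1 HTTP/1.1" 200 77 "-" "Mozilla/4.0"
198.51.100.4 - - [22/Dec/2008:10:00:00 -0600] "GET /uploads/Main/photo.jpg HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
EOF
}

# Requests (read from stdin) for a PHP file under uploads/ or pub/skins/.
# Normal wiki use never requests such a file, so every match is worth reading.
requests_to_planted_php() {
    grep -E '"(GET|POST) /(uploads|pub/skins)/[^" ]*\.php' || true
}

# Stand-alone run: print each report for the sample tree, then clean up.
demo() {
    root=$(mk_sample_site)
    echo "== world-writable directories";      world_writable_dirs "$root"
    echo "== php files in data directories";   php_in_data_dirs "$root"
    echo "== changed since local/config.php";  changed_since "$root" "$root/local/config.php"
    echo "== access-log hits on those files";  sample_access_log | requests_to_planted_php
    rm -rf "$root"
}
demo
```

On a real host, replace the sample tree with the document root and pipe the real access log (usually named access_log or access.log under the account's logs directory) into requests_to_planted_php; the source addresses and timestamps of the matching lines are what to hand to the hosting company. Files in a 777 directory owned by the web-server user rather than the shell account are, as James concluded, the signature of something written through PHP rather than through FTP or SSH.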