[pmwiki-users] My Host Claims there's a problem with SiteAdmin.Blocklist-MoinMaster
Sandy
sandy at onebit.ca
Wed Apr 20 08:53:21 CDT 2011
Hello,
This morning I received a note (see below) from my webhost, claiming that
/home/mhschoen/public_html/cricket/wiki.d/SiteAdmin.Blocklist-MoinMaster
contains something suspicious, and they have disabled it.
(The contents of that file are below.)
I updated to the current stable pmwiki version yesterday morning.
My first suspicion is that their software is being overly-cautious.
As far as I know, nothing on my computer remembers my FTP passwords,
although given how "helpful" some programs are, I can't guarantee it,
so, yes, I'll change the FTP and CPanel passwords to be safe.
The FTP attributes of the files in wiki.d vary. Most are 0664
(-rw-rw-r--). The suspect file is now 0000.
I did not get the note for the other sites on the same server.
Searching pmwiki.org for moinmoin shows nothing about security or block
lists.
Questions:
Has anyone had this problem before?
What is the best way to reactivate the protection I had from MoinMaster,
or should I just disable it (and how)?
Why do my two other subsites have different dates for the same page?
Their attributes are both 0664 (-rw-rw-r--).
Why is the file for one of the subsites only 2k and the others over 60?
Thanks,
Sandy
+++++ Original Note ++++++++++++++
We have received the following malware/malicious script alert for a file
in your account:
-------
/home/mhschoen/public_html/cricket/wiki.d/SiteAdmin.Blocklist-MoinMaster
-------
The file is suspected to contain malicious script that can prove
harmful. We have disabled the file.
Please reset your cPanel/FTP passwords as soon as possible and do use
strong passwords with alphanumeric characters. Kindly do not store
cPanel or FTP passwords in browsers or FTP clients as the passwords will
be stored as plain text. You can use something like http://keepass.info/
to store the passwords.
Malwares/Spywares can steal these passwords and they can hack your
account and upload malicious contents to your website. This can lead to
poor reputation of your website in search engines. The search engines
and browsers will issue a warning when your website is being accessed
and they will be blocked. Also, do not set worldwide write permissions
(777) to any of the folders or files.
Please scan your local machine for any virus/trojan/spyware using a good
anti-virus/anti-spyware/malware.
Also, please make sure the web applications in your website are updated
to the latest version and do check whether there are any
vulnerabilities with the themes and plugins you use in them.
++++++++++++++++++
+++++++ Abbreviated Contents of SiteAdmin.Blocklist-MoinMaster
version=pmwiki-2.2.0-beta15 ordered=1 urlencoded=1
agent=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.8)
Gecko/20061025 Firefox/1.5.0.8
ctime=1163616896
host=74.114.163.75
name=Site.Blocklist-MoinMaster
passwdread=@lock
rev=3
text=%0a [@%0a## blocklist-note: NOTE: This page is automatically
generated by blocklist.php%0a## blocklist-note: NOTE: Any edits to
this page may be lost!%0a## blocklist-url:
http://moinmaster.wikiwikiweb.de/BadContent?action=raw%0a##
blocklist-when: 2006-11-20T10:54:29%0a# blocklist-format: regex%0a##
Please edit system and help pages ONLY in the moinmaster wiki! For more
%0a## information, please see MoinMaster:MoinPagesEditorGroup.
%0a##master-page:Unknown-Page
%0a##master-date:Unknown-Date
%0a#acl All:read
%0a#format plain
%0a#language en
%0a([\w\-_.]+\.)?(l(so|os)tr)\.[a-z]{2,}
%0a(blow)[\w\-_.]*job[\w\-_.]*\.[a-z]{2,}
%0a(buy)[\w\-_.]*online[\w\-_.]*\.[a-z]{2,}
%0a(casino|gambling|porn|\bsms|milf|busty|prescription|pharmacy|penis|pills|enlarge)[\w\-_.]*\.[a-z]{2,}
%0a(diet|penis)[\w\-_.]*(pills|enlargement)[\w\-_.]*\.[a-z]{2,}
%0a(donne|annunci|tatuaggi|canzoni|musicali|scarica|salute|sesso|hentai|ragazze|sonnerie)[\w\-_.]*\.[a-z]{2,}
%0a(i|la)-sonneries?[\w\-_.]*\.[a-z]{2,}
%0a(incest|beastiality)[\w\-_.]*\.[a-z]{2,3}
%0a(levitra|lolita|phentermine|viagra|vig-?rx|zyban|valtex|xenical|adipex|meridia\b)[\w\-_.]*\.[a-z]{2,}
%0a(magazine)[\w\-_.]*(finder|netfirms)[\w\-_.]*\.[a-z]{2,}
%0a(mike)[\w\-_.]*apartment[\w\-_.]*\.[a-z]{2,}
%0a(milf)[\w\-_.]*(hunter|moms|fucking)[\w\-_.]*\.[a-z]{2,}
%0a(online)[\w\-_.]*casino[\w\-_.]*\.[a-z]{2,}
%0a(paid|online)[\w\-_.]*surveys[\w\-_.]*\.[a-z]{2,}
%0a(prozac|zoloft|xanax|valium|hydrocodone|vicodin|paxil|vioxx)[\w\-_.]*\.[a-z]{2,}
%0a(puss(ie|y)|adult|sex|fuck|suck|cock|virgin|ass)\S{0,15}\.info/
%0a(ragazze)-?\w+\.[a-z]{2,}
%0a(ultram\b|\btenuate|tramadol|pheromones|phendimetrazine|ionamin|ortho.?tricyclen|retin.?a)[\w\-_.]*\.[a-z]{2,}
%0a(valtrex|zyrtec|\bhgh\b|ambien\b|flonase|allegra|didrex|renova\b|bontril|nexium)[\w\-_.]*\.[a-z]{2,}
%0a\.(chat|boom|fromru|hotmail|newmail|nightmail|nm|narod|pochta)\.ru
%0a\.[0-9]{5,}\.(com|net|org|us|biz|cn|ru)
%0a\.4t\.com
%0a\.51\.net
%0a\.6x\.to
%0a\.a\.la/
%0a\.b3\.nu
Deleted many similar lines
%0ajipiaoair\.com
%0acanjipiao\.com
%0abjxiongfei\.com
%0aSaNaLHaCKERLaR\.ORG
%0ajspit7\.info
%0akokoxx\.info
%0adonte\.info
%0alib/exe/fetch.php\?media=
%0aimhotep\.sphosting\.com
%0a1-myspace-layout\.blogspot\.com
%0a%0a @]%0a
time=1164038069
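
One way to triage a flagged page file like the one pasted above, as an added example that is not part of the original post or of PmWiki: it decodes the `urlencoded=1` body, counts the lines that compile as regex patterns, and reports any line containing executable-content markers. `SAMPLE` is constructed, and the marker list and function names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample in PmWiki page-file layout (one key=value per line, body
# percent-encoded on the text= line); not the poster's actual file.
SAMPLE = (
    "version=pmwiki-2.2.0-beta15 ordered=1 urlencoded=1\n"
    "name=Site.Blocklist-MoinMaster\n"
    "text=%0a [@%0a## blocklist-format: regex%0a(online)[\\w\\-_.]*casino[\\w\\-_.]*\\.[a-z]{2,}"
    "%0a\\.4t\\.com%0alib/exe/fetch.php\\?media=%0a%0a @]%0a\n"
    "time=1164038069\n"
)

# Assumed markers of executable content; a blocklist page should contain none.
ACTIVE = re.compile(r"<\?php|<\?=|<script\b|<iframe\b|\beval\s*\(|base64_decode\s*\(", re.I)

def parse_page(raw):
    """Split a page file into attributes, decoding %xx escapes when urlencoded=1."""
    attrs = {}
    for line in raw.splitlines():
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            attrs[key] = value
    if "urlencoded=1" in attrs.get("version", ""):
        attrs = {k: unquote(v) for k, v in attrs.items()}
    return attrs

def triage(raw):
    """Summarise the decoded body: pattern count, bad regexes, active-content hits."""
    body = parse_page(raw).get("text", "")
    patterns, invalid, active = 0, [], []
    for line in body.splitlines():
        line = line.strip()
        if ACTIVE.search(line):
            active.append(line)
        # Skip blanks, '#' comment/metadata lines and the [@ ... @] wrapper.
        if not line or line.startswith("#") or line in ("[@", "@]"):
            continue
        try:
            re.compile(line)
            patterns += 1
        except re.error:
            invalid.append(line)
    return {"patterns": patterns, "invalid": invalid, "active": active}

if __name__ == "__main__":
    print(triage(SAMPLE))
```
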