[pmwiki-users] My Host Claims there's a problem with SiteAdmin.Blocklist-MoinMaster

Sandy sandy at onebit.ca
Wed Apr 20 08:53:21 CDT 2011


Hello,

This morning I received a note (see below) from my webhost, claiming that
/home/mhschoen/public_html/cricket/wiki.d/SiteAdmin.Blocklist-MoinMaster
contains something suspicious, and they have disabled it.

(The contents of that file are below.)

I updated to the current stable pmwiki version yesterday morning.

My first suspicion is that their software is being overly-cautious.

As far as I know, nothing on my computer remembers my FTP passwords, 
although given how "helpful" some programs are, I can't guarantee it, 
so, yes, I'll change the FTP and CPanel passwords to be safe.

The FTP attributes of the files in wiki.d vary. Most are 0664 
(-rw-rw-r--). The suspect file is now 0000.

I did not get the note for the other sites on the same server.

Searching pmwiki.org for moinmoin shows nothing about security or block 
lists.


Questions:

Has anyone had this problem before?

What is the best way to reactivate the protection I had from MoinMaster, 
or should I just disable it (and how)?

Why do my two other subsites have different dates for the same page? 
Their attributes are both 0664 (-rw-rw-r--).

Why is the file for one of the subsites only 2k and the others over 60?

Thanks,

Sandy



+++++ Original Note ++++++++++++++

We have received the following malware/malicious script alert for a file 
in your account:

-------
/home/mhschoen/public_html/cricket/wiki.d/SiteAdmin.Blocklist-MoinMaster
-------

The file is suspected to contain malicious script that can prove 
harmful. We have disabled the file.

Please reset your cPanel/FTP passwords as soon as possible and do use 
strong passwords with alphanumeric characters. Kindly do not store 
cPanel or FTP passwords in browsers or FTP clients as the passwords will 
be stored as plain text. You can use something like http://keepass.info/ 
to store the passwords.

Malwares/Spywares can steal these passwords and they can hack your 
account and upload malicious contents to your website. This can lead to 
poor reputation of your website in search engines. The search engines 
and browsers will issue a warning when your website is being accessed 
and they will be blocked. Also, do not set worldwide write permissions 
(777) to any of the folders or files.

Please scan your local machine for any virus/trojan/spyware using a good 
anti-virus/anti-spyware/malware.

Also, please make sure the web applications in your website are updated 
to the latest version and do check whether there are any 
vulnerabilities with the themes and plugins you use in them.

++++++++++++++++++

+++++++ Abbreviated Contents of SiteAdmin.Blocklist-MoinMaster

version=pmwiki-2.2.0-beta15 ordered=1 urlencoded=1
agent=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.8) 
Gecko/20061025 Firefox/1.5.0.8
ctime=1163616896
host=74.114.163.75
name=Site.Blocklist-MoinMaster
passwdread=@lock
rev=3
text=%0a  [@%0a## blocklist-note:   NOTE: This page is automatically 
generated by blocklist.php%0a## blocklist-note:   NOTE: Any edits to 
this page may be lost!%0a## blocklist-url: 
http://moinmaster.wikiwikiweb.de/BadContent?action=raw%0a## 
blocklist-when:   2006-11-20T10:54:29%0a#  blocklist-format: regex%0a## 
Please edit system and help pages ONLY in the moinmaster wiki! For more
%0a## information, please see MoinMaster:MoinPagesEditorGroup.
%0a##master-page:Unknown-Page
%0a##master-date:Unknown-Date
%0a#acl All:read
%0a#format plain
%0a#language en
%0a([\w\-_.]+\.)?(l(so|os)tr)\.[a-z]{2,}
%0a(blow)[\w\-_.]*job[\w\-_.]*\.[a-z]{2,}
%0a(buy)[\w\-_.]*online[\w\-_.]*\.[a-z]{2,}
%0a(casino|gambling|porn|\bsms|milf|busty|prescription|pharmacy|penis|pills|enlarge)[\w\-_.]*\.[a-z]{2,}
%0a(diet|penis)[\w\-_.]*(pills|enlargement)[\w\-_.]*\.[a-z]{2,}
%0a(donne|annunci|tatuaggi|canzoni|musicali|scarica|salute|sesso|hentai|ragazze|sonnerie)[\w\-_.]*\.[a-z]{2,}
%0a(i|la)-sonneries?[\w\-_.]*\.[a-z]{2,}
%0a(incest|beastiality)[\w\-_.]*\.[a-z]{2,3}
%0a(levitra|lolita|phentermine|viagra|vig-?rx|zyban|valtex|xenical|adipex|meridia\b)[\w\-_.]*\.[a-z]{2,}
%0a(magazine)[\w\-_.]*(finder|netfirms)[\w\-_.]*\.[a-z]{2,}
%0a(mike)[\w\-_.]*apartment[\w\-_.]*\.[a-z]{2,}
%0a(milf)[\w\-_.]*(hunter|moms|fucking)[\w\-_.]*\.[a-z]{2,}
%0a(online)[\w\-_.]*casino[\w\-_.]*\.[a-z]{2,}
%0a(paid|online)[\w\-_.]*surveys[\w\-_.]*\.[a-z]{2,}
%0a(prozac|zoloft|xanax|valium|hydrocodone|vicodin|paxil|vioxx)[\w\-_.]*\.[a-z]{2,}
%0a(puss(ie|y)|adult|sex|fuck|suck|cock|virgin|ass)\S{0,15}\.info/
%0a(ragazze)-?\w+\.[a-z]{2,}
%0a(ultram\b|\btenuate|tramadol|pheromones|phendimetrazine|ionamin|ortho.?tricyclen|retin.?a)[\w\-_.]*\.[a-z]{2,}
%0a(valtrex|zyrtec|\bhgh\b|ambien\b|flonase|allegra|didrex|renova\b|bontril|nexium)[\w\-_.]*\.[a-z]{2,}
%0a\.(chat|boom|fromru|hotmail|newmail|nightmail|nm|narod|pochta)\.ru
%0a\.[0-9]{5,}\.(com|net|org|us|biz|cn|ru)
%0a\.4t\.com
%0a\.51\.net
%0a\.6x\.to
%0a\.a\.la/
%0a\.b3\.nu

Deleted many similar lines

%0ajipiaoair\.com
%0acanjipiao\.com
%0abjxiongfei\.com
%0aSaNaLHaCKERLaR\.ORG
%0ajspit7\.info
%0akokoxx\.info
%0adonte\.info
%0alib/exe/fetch.php\?media=
%0aimhotep\.sphosting\.com
%0a1-myspace-layout\.blogspot\.com
%0a%0a  @]%0a
time=1164038069
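
Added example, not part of the original post or of PmWiki: a triage check for a flagged wiki.d page file in the layout quoted above. It decodes the `text=` attribute and confirms that every line is a comment or a compilable regex, reporting anything that looks like active content. The sample input is constructed, and Python's `re` stands in for the PCRE syntax the blocklist uses (an assumption).

```python
import re
from urllib.parse import unquote

# Constructed sample in the page-file layout quoted in the post (not the real file).
SAMPLE = (
    "version=pmwiki-2.2.0-beta15 ordered=1 urlencoded=1\n"
    "name=Site.Blocklist-MoinMaster\n"
    "text=%0a  [@%0a## blocklist-format: regex%0a#format plain"
    "%0a(online)[\\w\\-_.]*casino[\\w\\-_.]*\\.[a-z]{2,}"
    "%0a\\.4t\\.com%0a%0a  @]%0a\n"
    "time=1164038069\n"
)

# Content that has no place in a regex blocklist and would justify a real alert.
ACTIVE = re.compile(r"<\?php|<\?=|<script|<iframe|\beval\s*\(|base64_decode", re.I)

def parse_page(raw):
    """Split a PmWiki page file into its key=value attributes."""
    attrs = {}
    for line in raw.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            attrs[key] = value
    return attrs

def triage(raw):
    """Return (patterns, findings); findings lists lines needing a human look."""
    attrs = parse_page(raw)
    text = attrs.get("text", "")
    if "urlencoded=1" in attrs.get("version", ""):
        text = unquote(text)   # %0a -> newline, %25 -> %, %3c -> <
    patterns, findings = [], []
    for n, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if ACTIVE.search(entry):
            findings.append((n, "active content", entry))
        elif not entry or entry.startswith("#") or entry in ("[@", "@]"):
            continue               # blank, blocklist comment, or PmWiki markup
        else:
            try:
                re.compile(entry)  # assumption: Python re approximates PCRE here
                patterns.append(entry)
            except re.error as exc:
                findings.append((n, f"not a regex: {exc}", entry))
    return patterns, findings

if __name__ == "__main__":
    pats, finds = triage(SAMPLE)
    print(f"{len(pats)} blocklist patterns, {len(finds)} findings")
```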





