[pmwiki-users] SPAM-LOW: My Host Claims there's a problem with SiteAdmin.Blocklist-MoinMaster

Brian Tibbels brian.tibbels at clickmarlow.co.uk
Wed Apr 20 10:01:06 CDT 2011


I don't think the problem is through FTP. I think someone has edited your
site through the interface. The presence of
casino|gambling|porn|\bsms|milf|busty|prescription|pharmacy|penis|pills|enlarge

indicates this. Check your access rights to the site in general or to that
page in particular.

Rgds
Brian



On 20 April 2011 14:53, Sandy <sandy at onebit.ca> wrote:

> Hello,
>
> This morning I received a note (see below) from my webhost, claiming that
> /home/mhschoen/public_html/cricket/wiki.d/SiteAdmin.Blocklist-MoinMaster
> contains something suspicious, and they have disabled it.
>
> (The contents of that file are below.)
>
> I updated to the current stable pmwiki version yesterday morning.
>
> My first suspicion is that their software is being overly-cautious.
>
> As far as I know, nothing on my computer remembers my FTP passwords,
> although given how "helpful" some programs are, I can't guarantee it, so,
> yes, I'll change the FTP and CPanel passwords to be safe.
>
> The FTP attributes of the files in wiki.d vary. Most are 0664 (-rw-rw-r--).
> The suspect file is now 0000.
>
> I did not get the note for the other sites on the same server.
>
> Searching pmwiki.org for moinmoin shows nothing about security or block
> lists.
>
>
> Questions:
>
> Has anyone had this problem before?
>
> What is the best way to reactivate the protection I had from MoinMaster, or
> should I just disable it (and how)?
>
> Why do my two other subsites have different dates for the same page? Their
> attributes are both 0664 (-rw-rw-r--).
>
> Why is the file for one of the subsites only 2k and the others over 60?
>
> Thanks,
>
> Sandy
>
>
>
> +++++ Original Note ++++++++++++++
>
> We have received the following malware/malicious script alert for a file in
> your account:
>
> -------
> /home/mhschoen/public_html/cricket/wiki.d/SiteAdmin.Blocklist-MoinMaster
> -------
>
> The file is suspected to contain malicious script that can prove harmful.
> We have disabled the file.
>
> Please reset your cPanel/FTP passwords as soon as possible and do use
> strong passwords with alphanumeric characters. Kindly do not store cPanel or
> FTP passwords in browsers or FTP clients as the passwords will be stored as
> plain text. You can use something like http://keepass.info/ to store the
> passwords.
>
> Malwares/Spywares can steal these passwords and they can hack your account
> and upload malicious contents to your website. This can lead to poor
> reputation of your website in search engines. The search engines and
> browsers will issue a warning when your website is being accessed and they
> will be blocked. Also, do not set worldwide write permissions (777) to any
> of the folders or files.
>
> Please scan your local machine for any virus/trojan/spyware using a good
> anti-virus/anti-spyware/malware.
>
> Also, please make sure the web applications in your website are updated to
> the latest version and do check whether there are any vulnerabilities
> with the themes and plugins you use in them.
>
> ++++++++++++++++++
>
> +++++++ Abbreviated Contents of SiteAdmin.Blocklist-MoinMaster
>
> version=pmwiki-2.2.0-beta15 ordered=1 urlencoded=1
> agent=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.8)
> Gecko/20061025 Firefox/1.5.0.8
> ctime=1163616896
> host=74.114.163.75
> name=Site.Blocklist-MoinMaster
> passwdread=@lock
> rev=3
> text=%0a  [@%0a## blocklist-note:   NOTE: This page is automatically
> generated by blocklist.php%0a## blocklist-note:   NOTE: Any edits to this
> page may be lost!%0a## blocklist-url:
> http://moinmaster.wikiwikiweb.de/BadContent?action=raw%0a##blocklist-when:   2006-11-20T10:54:29%0a#  blocklist-format: regex%0a##
> Please edit system and help pages ONLY in the moinmaster wiki! For more
> %0a## information, please see MoinMaster:MoinPagesEditorGroup.
> %0a##master-page:Unknown-Page
> %0a##master-date:Unknown-Date
> %0a#acl All:read
> %0a#format plain
> %0a#language en
> %0a([\w\-_.]+\.)?(l(so|os)tr)\.[a-z]{2,}
> %0a(blow)[\w\-_.]*job[\w\-_.]*\.[a-z]{2,}
> %0a(buy)[\w\-_.]*online[\w\-_.]*\.[a-z]{2,}
>
> %0a(casino|gambling|porn|\bsms|milf|busty|prescription|pharmacy|penis|pills|enlarge)[\w\-_.]*\.[a-z]{2,}
> %0a(diet|penis)[\w\-_.]*(pills|enlargement)[\w\-_.]*\.[a-z]{2,}
>
> %0a(donne|annunci|tatuaggi|canzoni|musicali|scarica|salute|sesso|hentai|ragazze|sonnerie)[\w\-_.]*\.[a-z]{2,}
> %0a(i|la)-sonneries?[\w\-_.]*\.[a-z]{2,}
> %0a(incest|beastiality)[\w\-_.]*\.[a-z]{2,3}
>
> %0a(levitra|lolita|phentermine|viagra|vig-?rx|zyban|valtex|xenical|adipex|meridia\b)[\w\-_.]*\.[a-z]{2,}
> %0a(magazine)[\w\-_.]*(finder|netfirms)[\w\-_.]*\.[a-z]{2,}
> %0a(mike)[\w\-_.]*apartment[\w\-_.]*\.[a-z]{2,}
> %0a(milf)[\w\-_.]*(hunter|moms|fucking)[\w\-_.]*\.[a-z]{2,}
> %0a(online)[\w\-_.]*casino[\w\-_.]*\.[a-z]{2,}
> %0a(paid|online)[\w\-_.]*surveys[\w\-_.]*\.[a-z]{2,}
>
> %0a(prozac|zoloft|xanax|valium|hydrocodone|vicodin|paxil|vioxx)[\w\-_.]*\.[a-z]{2,}
> %0a(puss(ie|y)|adult|sex|fuck|suck|cock|virgin|ass)\S{0,15}\.info/
> %0a(ragazze)-?\w+\.[a-z]{2,}
>
> %0a(ultram\b|\btenuate|tramadol|pheromones|phendimetrazine|ionamin|ortho.?tricyclen|retin.?a)[\w\-_.]*\.[a-z]{2,}
>
> %0a(valtrex|zyrtec|\bhgh\b|ambien\b|flonase|allegra|didrex|renova\b|bontril|nexium)[\w\-_.]*\.[a-z]{2,}
> %0a\.(chat|boom|fromru|hotmail|newmail|nightmail|nm|narod|pochta)\.ru
> %0a\.[0-9]{5,}\.(com|net|org|us|biz|cn|ru)
> %0a\.4t\.com
> %0a\.51\.net
> %0a\.6x\.to
> %0a\.a\.la/
> %0a\.b3\.nu
>
> Deleted many similar lines
>
> %0ajipiaoair\.com
> %0acanjipiao\.com
> %0abjxiongfei\.com
> %0aSaNaLHaCKERLaR\.ORG
> %0ajspit7\.info
> %0akokoxx\.info
> %0adonte\.info
> %0alib/exe/fetch.php\?media=
> %0aimhotep\.sphosting\.com
> %0a1-myspace-layout\.blogspot\.com
> %0a%0a  @]%0a
> time=1164038069



-- 
Brian Tibbels
IT support for small business and the individual
http://clickmarlow.co.uk/
m: 07804 109906
t: 01628 477640
skype: brian.tibbels
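
Added example (not part of either message, and not PmWiki code): a Python triage of a wiki.d page file in the layout quoted above, which decodes text=, checks that every non-comment line compiles as a regex rule, and compares the file's own time= with the blocklist-when header. The sample is constructed by shortening the quoted dump; percent-decoding text= and reading time= as a Unix timestamp are assumptions drawn from that dump.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Constructed sample: a shortened copy of the dump quoted above (not the full file).
SAMPLE = "\n".join([
    "version=pmwiki-2.2.0-beta15 ordered=1 urlencoded=1",
    "ctime=1163616896",
    "host=74.114.163.75",
    "name=Site.Blocklist-MoinMaster",
    "rev=3",
    r"text=%0a  [@%0a## blocklist-note:   NOTE: This page is automatically generated by blocklist.php"
    r"%0a## blocklist-when:   2006-11-20T10:54:29%0a## blocklist-format: regex"
    r"%0a(online)[\w\-_.]*casino[\w\-_.]*\.[a-z]{2,}%0a\.4t\.com%0a%0a  @]%0a",
    "time=1164038069",
])

def parse_page(raw):
    """Split the file into key=value attributes and percent-decode text= (assumed encoding)."""
    page = dict(line.split("=", 1) for line in raw.splitlines() if "=" in line)
    page["text"] = unquote(page.get("text", ""))
    return page

def triage(page):
    """Summarise what the page holds and when its own metadata says it was last written."""
    text = page["text"]
    rules = [l for l in text.splitlines()
             if l.strip() and not l.startswith("#") and l.strip() not in ("[@", "@]")]
    not_regex = []
    for rule in rules:
        try:
            re.compile(rule)
        except re.error:
            not_regex.append(rule)  # a line that is not a pattern deserves a manual look
    written = datetime.fromtimestamp(int(page["time"]), timezone.utc).replace(tzinfo=None)
    when = re.search(r"blocklist-when:\s*(\S+)", text)
    # The header is local time with no zone: accept a whole half-hour offset of up to 14 h.
    gap = written - datetime.fromisoformat(when.group(1)) if when else None
    return {
        "auto_generated": "generated by blocklist.php" in text,
        "last_write_utc": written.isoformat(),
        "rev": int(page["rev"]),
        "host": page.get("host"),
        "rules": len(rules),
        "not_regex": not_regex,
        "written_at_generation": gap is not None
            and abs(gap) <= timedelta(hours=14) and gap.total_seconds() % 1800 == 0,
    }

if __name__ == "__main__":
    for key, value in triage(parse_page(SAMPLE)).items():
        print(f"{key}: {value}")
```

The time= and rev= values live inside the file itself, so they show what the page records about its last save, not what may have happened to the file on disk; compare against a known-good copy or the host's file timestamps as well.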