Hi all, my MediaWiki server was compromised by an unknown hacker in the past days. It was MW ver 1.13 and it was running on Debian Lenny, with Apache2, MySQL 5 and PHP 5 server.
Unfortunately I cannot find any closer information in the logs, so I don't know the technique used, but the hacker has created a .re/ directory in the root of MW and put in it a short index.php file with a redirection script to another IP address, with the server with the bank phishing page on it. :-(((
I have these questions to the MW community:
1) Has any of you heard about this kind of attack before? If yes, is it described somewhere, how it is done and how to protect the system against it?
2) I'll install a completely fresh server and fill it with the data from backup. Do you use some special protection for MW servers (like SELinux or some special PHP settings (more than the security recommendations for MW) or some other protection system)? Is it safe to fill back the data from the backup of the compromised system, namely I'm asking about the MySQL data, or can there be some kind of backdoor in the database?
3) Is there any program or script which can be used to test images (from the backup) for potential PHP code hidden in them (I have heard that it is possible to hide PHP in some of the EXIF fields of the images)?
Thanks for any information and I wish to all of you - no hackers on your servers!
On 07/09/10 18:59, Šerých Jakub wrote:
> Hi all, my MediaWiki server was compromised by an unknown hacker in the past days. It was MW ver 1.13 and it was running on Debian Lenny, with Apache2, MySQL 5 and PHP 5 server.
> Unfortunately I cannot find any closer information in the logs, so I don't know the technique used, but the hacker has created a .re/ directory in the root of MW and put in it a short index.php file with a redirection script to another IP address, with the server with the bank phishing page on it. :-(((
> I have these questions to the MW community:
> - Has any of you heard about this kind of attack before? If yes, is it described somewhere, how it is done and how to protect the system against it?
Yes, I've heard of such attacks. I'm not aware of any having been traced to MediaWiki itself, but sometimes people have MediaWiki script directories with unsafe permissions which are written to by exploit code injected by some other means.
The defences are pretty standard:
* Stay up to date. MW 1.13 is not up to date regardless of where you got it from.
* Remove unnecessary web apps and other internet-accessible services, to limit the attack surface.
* Use SSH for administration instead of web-based tools like phpMyAdmin.
* Disable password authentication in sshd, use keys instead.
* Read http://www.mediawiki.org/wiki/Manual:Security
> - I'll install a completely fresh server and fill it with the data from backup. Do you use some special protection for MW servers (like SELinux or some special PHP settings (more than the security recommendations for MW) or some other protection system)?
It's not too hard to set up an AppArmor profile if you want to do that.
> Is it safe to fill back the data from the backup of the compromised system, namely I'm asking about the MySQL data, or can there be some kind of backdoor in the database?
Most likely it is safe. You could truncate the objectcache table if you're paranoid.
> - Is there any program or script which can be used to test images (from the backup) for potential PHP code hidden in them (I have heard that it is possible to hide PHP in some of the EXIF fields of the images)?
If your webserver will run PHP code embedded in uploaded image files, then your webserver is configured incorrectly. You should have "php_admin_flag engine off" in a <Directory> section in your Apache configuration file. Then it won't matter if someone uploads PHP code.
-- Tim Starling
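An added example, not code from this thread or from MediaWiki: a small shell script that does the pre-restore check asked about in question 3 (PHP open tags hidden inside backed-up image files) and also lists stray PHP scripts in the upload tree, such as the .re/index.php described above. It assumes a POSIX shell plus find and a grep that accepts -a (GNU and BSD grep both do); the directory path is a parameter.

```shell
#!/bin/sh
# Added example, not from the thread: heuristic checks to run over a
# restored MediaWiki upload tree (e.g. images/) before it goes back
# behind a web server. Assumes POSIX sh, find, and grep with -a.
# It only finds literal markers; the real control, as the reply says,
# is "php_admin_flag engine off" for the upload directory.

# Print every image-named file whose bytes contain a PHP open tag
# ("<?php" or "<?=") anywhere: EXIF comment, appended trailer, etc.
# Returns 1 if any such file was found, 0 if the tree looks clean.
scan_images_for_php() {
    hits=$(find "$1" -type f \( -iname '*.jpg' -o -iname '*.jpeg' \
            -o -iname '*.png' -o -iname '*.gif' -o -iname '*.svg' \) \
            -exec grep -aliE '<[?](php|=)' {} + 2>/dev/null || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# An upload tree should hold no PHP scripts at all. Print any file with
# a PHP-like extension, including those in hidden directories such as
# the ".re/" the attacker created. Returns 1 if any were found.
find_stray_php() {
    hits=$(find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' \
            -o -iname '*.php[0-9]' \) 2>/dev/null || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Usage: sh check_uploads.sh /path/to/restored/images
if [ "$#" -eq 1 ]; then
    status=0
    scan_images_for_php "$1" || status=1
    find_stray_php "$1" || status=1
    exit "$status"
fi
```

Both checks are heuristics: they catch literal open tags and obvious script names, not encoded or obfuscated content, so anything they flag is worth a look but a clean result is not proof of a clean backup.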