On 07/09/10 18:59, Šerých Jakub wrote:
> Hi all, my MediaWiki server was compromised by an unknown hacker in
> the past days. It was MW ver 1.13 and it was running on Debian Lenny,
> with Apache2, mySQL5 and PHP5 server.
> Unfortunately I cannot find any closer information in the logs, so
> I don't know the used technique, but the hacker has created a .re/
> directory in the root of MW and put in it a short index.php file with
> a redirection script to another IP address with the server with the
> bank phishing page on it. :-(((
> I have these questions to the MW community:
> 1) Has anybody of you heard about such kind of attack before? If
> yes, is it described somewhere, how it is done and how to protect
> the system against it?
Yes, I've heard of such attacks. I'm not aware of any having been
traced to MediaWiki itself, but sometimes people have MediaWiki script
directories with unsafe permissions which are written to by exploit
code injected by some other means.
The defences are pretty standard:
* Stay up to date. MW 1.13 is not up to date regardless of where you
got it from.
* Remove unnecessary web apps and other internet-accessible services,
to limit the attack surface.
* Use SSH for administration instead of web-based tools like phpMyAdmin.
* Disable password authentication in sshd, use keys instead.
* Read
http://www.mediawiki.org/wiki/Manual:Security
> 2) I'll install a completely fresh server and fill it with the data
> from backup. Do you use some special protection for MW servers
> (like SELinux or some special PHP settings (more than the
> security recommendations for MW) or some other protection system)?
It's not too hard to set up an AppArmor profile if you want to do that.
> Is it safe to fill back the data from the backup of the compromised
> system, namely I'm asking about the mySQL data, or can there be some
> kind of backdoor in the database?
Most likely it is safe. You could truncate the objectcache table if
you're paranoid.
> 3) Is there any program or script which can be used to test images
> (from the backup) for potential PHP code hidden in them (I have
> heard that it is possible to hide PHP in some of the EXIF fields of
> the images)?
If your webserver will run PHP code embedded in uploaded image files,
then your webserver is configured incorrectly. You should have
"php_admin_flag engine off" in a <Directory> section in your apache
configuration file. Then it won't matter if someone uploads PHP code.
-- Tim Starling
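An added example of the Apache configuration Tim describes (this is not taken from his mail or from MediaWiki's own documentation). It assumes MediaWiki is installed at /var/www/mediawiki with uploads under /var/www/mediawiki/images; adjust the path to your installation. php_admin_flag is a mod_php directive, so it only applies when PHP runs as an Apache module, as was usual on Debian Lenny.

```apacheconf
# Added example: disable PHP execution for MediaWiki's upload directory.
# Assumed path: uploads live in /var/www/mediawiki/images.
#
# php_admin_flag sets the value from the server configuration and cannot be
# overridden by a .htaccess file or by ini_set() in a script. With the PHP
# engine off, anything in this tree is served as static content, even if it
# contains <?php ... ?> (for example inside an EXIF comment) and even if its
# name ends in .php.
<Directory /var/www/mediawiki/images>
    php_admin_flag engine off

    # Defence in depth: also stop Apache from mapping any file here to the
    # PHP handler or MIME type, and refuse .htaccess overrides so an attacker
    # who can write into the directory cannot re-enable PHP from there.
    RemoveHandler .php .phtml .php3 .php5 .phps
    RemoveType .php .phtml .php3 .php5 .phps
    AllowOverride None

    # Apache 2.2 (Debian Lenny) access syntax; on Apache 2.4 use
    # "Require all granted" instead of the two lines below.
    Order allow,deny
    Allow from all
</Directory>
```

To check that the setting took effect, place a file containing `<?php phpinfo(); ?>` under images/ and fetch it over HTTP: it should come back verbatim as text, not as a rendered phpinfo page. If Apache fails to start with an "Invalid command 'php_admin_flag'" error, mod_php is not loaded; in a FastCGI/php-fpm setup the equivalent is to make sure requests for that directory are never passed to the PHP handler at all.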