Itay Ophir wrote:
Hi Everyone,
I hope this is the right place to ask about this (pls point me elsewhere if
needed).
Our MediaWiki was hacked (twice in the past month) and someone was able to
change the root index.html files of our website and add an iframe to it that
loads a malicious Java applet. If users select to run the applet it installs
a virus/trojan on their PC.
After reading the log file I am thinking it's the Wiki's index.php page. The
hosting is NetworkS' who said that I have a vulnerable php script. And I
should fix it.
Thanks a lot in advance!
Itay
MediaWiki isn't by itself vulnerable to be used for defacing your files.
Anyway, you should update to the latest version if you're not using it.
It is possible that MediaWiki PHP files have been modified and are thus
compromised. I recommend you delete everything in the MediaWiki
folder and use the files of the latest version (doing this you're
updating the wiki, but without leaving the original files. You may need
to run update.php).
You will only need to keep:
-LocalSettings.php This contains your wiki configuration. Manually
verify it doesn't have anything that shouldn't be there.
-images/ This contains the files uploaded on your wiki. Remove any
script that might be there.
Some notes:
-The maintenance directory is not meant to be accessed by the web server.
You can deny access to it by the server or remove it.
-config/ folder is not needed after installing.
-extensions/ contains extensions. Follow the same remove+reinstall steps
as above. Be aware that extensions may be making your wiki vulnerable!
If they used your index.php, maybe the vulnerability is with your PHP
version?
Finally make a full backup before fixing the system (to revert back) and
after (in case it's attacked again).
Good luck
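
Added example, not part of the original reply: one way to carry out the "remove any script that might be there" check on the images/ directory that is kept across the reinstall. The function name and the extension list are assumptions chosen for illustration; the function only reports files and deletes nothing.

```shell
#!/bin/sh
# Added example: list files under a wiki upload directory that look like
# server-side scripts. Report only; review each hit before removing it.

# find_upload_scripts DIR   (hypothetical helper name)
# Prints, one per line and sorted, every regular file under DIR that
#   (a) has a script-like name, including double extensions such as
#       x.php.jpg, or is an .htaccess file (it can change how uploads
#       are served, so it is listed for review), or
#   (b) contains a PHP open tag, whatever its extension.
# Returns 2 if DIR is not a directory.
find_upload_scripts() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    {
        # (a) by name: extensions a web server may be set up to execute
        find "$dir" -type f \( \
            -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.php.*' -o \
            -iname '*.phtml' -o -iname '*.phar' -o -iname '*.pl' -o \
            -iname '*.cgi' -o -iname '*.py' -o -iname '*.sh' -o \
            -iname '.htaccess' \)
        # (b) by content: PHP code hidden inside e.g. a .jpg or .gif.
        # grep exits non-zero when nothing matches; that is not an error here.
        find "$dir" -type f -exec grep -l -i -F -e '<?php' {} + || true
    } | sort -u
}

# Usage (the path is a placeholder for your own wiki's upload directory):
#   find_upload_scripts /path/to/wiki/images
```

An empty result does not prove the directory is clean: the content check only looks for the full PHP open tag, and the name check depends on which extensions your server actually executes.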