[Mediawiki-l] Compromised server :-(((

Šerých Jakub Serych at panska.cz
Tue Sep 7 08:59:09 UTC 2010


Hi all,
my MediaWiki server was compromised by an unknown hacker in the past days. It was MW ver 1.13 and it was running on Debian Lenny, with Apache2, MySQL5 and PHP5.

Unfortunately I cannot find any closer information in the logs, so I don't know the technique used, but the hacker has created a .re/ directory in the root of MW and put in it a short index.php file with a redirection script to another IP address, with a server with a bank phishing page on it. :-(((

I have these questions to the MW community:

1) Has anybody of you heard about this kind of attack before? If yes, is it described somewhere, how it is done and how to protect the system against it?

2) I'll install a completely fresh server and fill it with the data from backup. Do you use some special protection for MW servers (like SELinux, or some special PHP settings (more than the security recommendations for MW), or some other protection system)? Is it safe to fill back the data from the backup of the compromised system? Namely I'm asking about the MySQL data: can there be some kind of backdoor in the database?

3) Is there any program or script which can be used to test images (from the backup) for potential PHP code hidden in them (I have heard that it is possible to hide PHP in some of the EXIF fields of the images)?


Thanks for any information, and I wish to all of you: no hackers on your servers!

Jakub  
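For question 3, here is an added example of the kind of scanner asked about; it is not part of the original post and not a MediaWiki tool. It walks the JPEG marker segments (APP1 holds EXIF/XMP, APP13 holds IPTC, COM holds comments) and reports which segment contains a PHP open tag or a dangerous PHP call, then does a second pass over the whole file so that PHP appended after the end-of-image marker, or hidden in PNG/GIF files, is also caught. The sample images are constructed inline (a minimal JPEG with a single APP1 segment, not a real photo); the signature list is an assumption of what to look for, not a complete one.

```python
import re
import struct
from pathlib import Path

# Signatures a legitimate image never needs (assumed list; extend it as required).
SUSPICIOUS = [
    (re.compile(rb"<\?php", re.I), "PHP open tag"),
    (re.compile(rb"<\?=", re.I), "PHP short echo tag"),
    (re.compile(rb"<script\s+language\s*=\s*['\"]?php", re.I), "PHP script tag"),
    (re.compile(rb"\b(eval|assert|system|passthru|shell_exec|base64_decode)\s*\(", re.I),
     "dangerous PHP call"),
]

# JPEG marker segments where hidden text usually ends up.
SEGMENT_NAMES = {0xE1: "APP1 (EXIF/XMP)", 0xED: "APP13 (IPTC)", 0xFE: "COM"}


def iter_jpeg_segments(data):
    """Yield (marker, payload_offset, payload) for each JPEG header segment up to SOS/EOI."""
    if data[:2] != b"\xff\xd8":          # not a JPEG: nothing to walk
        return
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return                        # structure broken, stop walking
        marker = data[pos + 1]
        if marker == 0xFF:                # fill byte, skip it
            pos += 1
            continue
        if marker in (0xD9, 0xDA):        # EOI or SOS: no more header segments
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone markers, no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # length includes itself
        if length < 2:
            return
        yield marker, pos + 4, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def scan_bytes(data):
    """Return [(location, absolute_offset, description)] for every suspicious fragment."""
    findings = []
    reported = set()
    # Pass 1: per segment, so the report names the metadata block carrying the payload.
    for marker, offset, payload in iter_jpeg_segments(data):
        name = SEGMENT_NAMES.get(marker, "JPEG marker 0x%02X" % marker)
        for pat, desc in SUSPICIOUS:
            for m in pat.finditer(payload):
                findings.append((name, offset + m.start(), desc))
                reported.add((offset + m.start(), desc))
    # Pass 2: whole file, catching PHP appended after EOI or inside PNG/GIF chunks.
    for pat, desc in SUSPICIOUS:
        for m in pat.finditer(data):
            if (m.start(), desc) not in reported:
                findings.append(("raw file", m.start(), desc))
    return findings


def scan_file(path):
    return scan_bytes(Path(path).read_bytes())


def scan_tree(root, exts=(".jpg", ".jpeg", ".png", ".gif")):
    """Scan every image under root (e.g. the restored images/ directory) and return hits per file."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in exts:
            found = scan_file(p)
            if found:
                hits[str(p)] = found
    return hits


def make_jpeg(app1_payload):
    """Build a minimal JPEG: SOI, one APP1 segment, EOI (constructed test data)."""
    seg = b"Exif\x00\x00" + app1_payload
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(seg) + 2) + seg + b"\xff\xd9"


# Constructed samples: a clean EXIF header, one with PHP in the EXIF segment,
# and a clean image with PHP appended after the EOI marker.
CLEAN_JPEG = make_jpeg(b"II*\x00\x08\x00\x00\x00\x00\x00")
INFECTED_JPEG = make_jpeg(b"II*\x00 comment: <?php eval($x); ?>")
APPENDED_JPEG = CLEAN_JPEG + b"\n<?= 'x' ?>"

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_JPEG), ("exif", INFECTED_JPEG), ("appended", APPENDED_JPEG)):
        print(label, scan_bytes(sample))
```

A clean result only means none of the listed signatures matched; obfuscated payloads can evade a signature scan, so treat this as triage and re-encode or strip metadata from restored images rather than trusting the scan alone. Also keep in mind that PHP inside an image only runs if something executes the file as PHP (a web server handler that matches on more than the extension, or a script that includes the file), so checking the Apache/PHP handler configuration on the rebuilt server matters as much as cleaning the backup.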
