Hi I have found some mysterious files on my small (8 pages) pmwiki site which appear to compromise the security. The site uses AuthUser, with only 2 authorised users.
I only found this by chance as one of the pages has a link which was not inserted by either of us (and points apparently to some driver download at a url that no longer exists; it looks like it has nothing to do with the domain so was probably planted by a hacker? was it a virus?). Anyway, the mysterious files are five almost identical php files, one in wiki.d, two in uploads and two in uploads/W (wiki.d and uploads are of course the two directories with 777 permissions), and htaccess files in uploads and uploads/W The php files are of the order of 18kb, and begin with for wiki.d/remote.php and uploads/configs.php and uploads/W/guest.php: <?php error_reporting(0);$p="eval(base64_decode(Y2xhc3MgbmV3aHR0cHsNCnByb3RlY3Rl....................... and in the case of uploads/includes.php and uploads/W/messages.php: <?php error_reporting(0);$s="e";$p="bafhezzazbzcea";eval(base64_decode("Y2xhc3MgbmV3aHR0cHsNCnByb3RlY3Rl................ the .htaccess files in the uploads and the uploads/W directories both read, Options -MultiViews ErrorDocument 404 path-to-pmwiki/uploads/includes.php How could these have got there? Any suggestions? Has anyone else had a similar experience? Thanks, James The site is running pmwiki-2.2.0-beta65 ps in the meantime I've changed the permissions on wiki.d and uploads to 755, but that's obviously not very satisfactory pps I've also just noticed there's an empty directory in the pmwiki directory called cgi-bin. I don't think it's usually there is it?
_______________________________________________ pmwiki-users mailing list pmwiki-users@pmichaud.com http://www.pmichaud.com/mailman/listinfo/pmwiki-users