Your message dated Tue, 27 Jan 2015 09:19:57 +0100 (CET)
with message-id <[email protected]>
and subject line Re: Bug#776323: mediawiki: Suspicious mails sent via
var/lib/mediawiki/images/shwso.php
has caused the Debian Bug report #776323,
regarding mediawiki: Suspicious mails sent via
var/lib/mediawiki/images/shwso.php
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
776323: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776323
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: mediawiki
Version: 1:1.19.20+dfsg-0+deb7u3
Severity: normal
Dear Maintainer,
Today I started getting delivery failures from a server about mails sent by
the www-data user. I've added a small script to find out what is sending
them. It returned this:
/var/lib/mediawiki/images/shwso.php(7) : eval()'d code(1) : eval()'d code(1)
/: eval()'d code(10) : eval()'d code(2) : regexp code(1) : eval()'d
/code(501) : eval()'d code:77
I'm not sure what to make of it, and I must say I know very little about
mediawiki, but it looks a little like there is some sort of vulnerability
being exploited (at least to my untrained eyes..)
-- System Information:
Debian Release: 7.8
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-042stab092.3 (SMP w/2 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8) (ignored: LC_ALL
set to de_DE.utf8)
Shell: /bin/sh linked to /bin/dash
Versions of packages mediawiki depends on:
ii apache2-mpm-prefork [httpd] 2.2.22-13+deb7u4
ii debconf [debconf-2.0] 1.5.49
ii libjs-jquery 1.7.2+dfsg-1
ii libjs-jquery-cookie 6-1
ii libjs-jquery-form 6-1
ii libjs-jquery-tipsy 6-1
ii mime-support 3.52-1+deb7u1
ii nginx-full [httpd] 1.2.1-2.2+wheezy3
ii php5 5.4.36-0+deb7u3
ii php5-mysql 5.4.36-0+deb7u3
ii php5-sqlite 5.4.36-0+deb7u3
Versions of packages mediawiki recommends:
ii mediawiki-extensions-base 3.5~deb7u2
ii mysql-server 5.5.41-0+wheezy1
ii php-wikidiff2 0.0.1+svn109581-1
ii php5-cli 5.4.36-0+deb7u3
ii python 2.7.3-4+deb7u1
Versions of packages mediawiki suggests:
pn clamav <none>
ii imagemagick 8:6.7.7.10-5+deb7u3
ii mediawiki-math 2:1.0+git20120528-6
ii memcached 1.4.13-0.2+deb7u1
ii php5-gd 5.4.36-0+deb7u3
-- debconf information:
mediawiki/webserver: apache2
--- End Message ---
--- Begin Message ---
On Mon, 26 Jan 2015, flack wrote:
> /var/lib/mediawiki/images/shwso.php(7) : eval()'d code(1) : eval()'d code(1)
This file is not part of Mediawiki. It appears that someone
cracked your server and placed the file there, because that
directory is, necessarily, writable by www-data.
I suggest you back up all user data, reinstall, and restore
following an audit.
bye,
//mirabilos
--
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-235
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
--- End Message ---
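An added example, not part of the thread or of MediaWiki: a triage scan for the situation the reply describes, where an upload directory writable by www-data should hold only media files. The extension list, function names and sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed list of extensions the web server hands to PHP; match it to the real handler config.
SCRIPT_EXT = {"php", "php5", "phtml", "phar"}
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.I)
DYNAMIC = re.compile(rb"\b(?:eval|assert|base64_decode|gzinflate)\s*\(", re.I)

def scan_upload_dir(root):
    """Return sorted (relative path, reasons, dynamic-call count) for suspect files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            # Check every dotted component: "x.php.jpg" can still reach the PHP handler.
            if SCRIPT_EXT & set(name.lower().split(".")[1:]):
                reasons.append("script extension")
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # first 1 MiB is enough for triage
            except OSError:
                continue
            if PHP_TAG.search(data):
                reasons.append("PHP open tag")
            if reasons:
                calls = len(DYNAMIC.findall(data))
                findings.append((os.path.relpath(path, root), reasons, calls))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample data: one clean image, one dropped script, one polyglot."""
    samples = {
        "a/ab/Logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "shwso.php": b"<?php /* constructed */ eval($a); eval(base64_decode($b)); ?>",
        "b/cd/photo.jpg": b"\xff\xd8\xff\xe0JFIF<?php echo 1; ?>",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reasons, calls in scan_upload_dir(tmp):
            print(f"{rel}: {', '.join(reasons)}; dynamic calls={calls}")
```

On a real host, point `scan_upload_dir` at the wiki's upload directory and treat any hit as evidence to preserve before the reinstall the reply recommends.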