Randolph and I exchanged a few offlist messages so here is the summary:

The files are really binary and owned by a different user. One of the files, a PNG picture, contains instructions on how to pay a ransom to decrypt files (search for Cryptowall to learn more about the ransomware). This suggests that Randolph's account was somehow compromised from the hosting space, not from PmWiki, likely only to store the files, which would appear on some (other) victim's screen, and the criminals would stay hard to trace.

The wiki.d directory has permissions set to 777, so my advice is to review the hosting documentation, to find out what permissions are expected/recommended on the filesystem, and set such permissions on the user home directory, wiki.d and the other directories.

Petko

---
Change log     :  http://www.pmwiki.org/wiki/PmWiki/ChangeLog
Release notes  :  http://www.pmwiki.org/wiki/PmWiki/ReleaseNotes
If you upgrade :  http://www.pmwiki.org/wiki/PmWiki/Upgrades
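Added example, not code from PmWiki or from either poster: a small POSIX shell audit covering both points in this thread. It lists world-writable entries (the 777 on wiki.d above), flags files named .html/.txt/.url whose bytes are binary (the HELP_DECRYPT.* files Randolph describes below), and tightens permissions to 755/644. The sample tree is constructed inline so the script runs offline; the 755/644 target is an assumption, and the right values depend on the host (if PHP runs as a different user than the file owner, grant that user access through group ownership rather than o+w).

```shell
#!/bin/sh
# Audit a PmWiki tree for the two symptoms in the thread and fix permissions.
# Added example; the sample tree and the 755/644 target are assumptions.

# World-writable entries (o+w set), symlinks excluded.
find_world_writable() {
    find "$1" ! -type l -perm -002
}

# Exit 0 when the file contains any byte that is not printable ASCII or
# whitespace; LC_ALL=C makes bytes >= 0x80 count as non-printable.
is_binary() {
    LC_ALL=C grep -aq '[^[:print:][:space:]]' "$1"
}

# Files whose name claims text/HTML/URL shortcut but whose content is binary.
find_suspicious_text_files() {
    find "$1" -type f \( -iname '*.html' -o -iname '*.txt' -o -iname '*.url' \) |
    while read -r f; do
        if is_binary "$f"; then
            echo "$f"
        fi
    done
}

# Assumed target: directories 755, files 644. Check the host's documentation
# first; do not use o+w to give the web server write access to wiki.d.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample tree reproducing the situation in the thread.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wiki.d"
    chmod 777 "$dir/wiki.d"                       # the over-permissive directory
    printf 'text=Hello\n' > "$dir/wiki.d/Main.HomePage"
    chmod 644 "$dir/wiki.d/Main.HomePage"
    printf '\211PNG\r\n\032\n' > "$dir/wiki.d/HELP_DECRYPT.PNG"   # PNG magic, octal escapes
    chmod 644 "$dir/wiki.d/HELP_DECRYPT.PNG"
    printf '\211PNG\r\n\032\n' > "$dir/wiki.d/HELP_DECRYPT.HTML"  # binary despite .HTML
    chmod 666 "$dir/wiki.d/HELP_DECRYPT.HTML"
    echo "$dir"
}

# Report on a tree; pass the PmWiki root (or the sample tree).
audit_tree() {
    echo "== world-writable =="
    find_world_writable "$1"
    echo "== text-named but binary =="
    find_suspicious_text_files "$1"
}

# Usage: d=$(make_sample_tree); audit_tree "$d"; fix_permissions "$d"; audit_tree "$d"
```

Run audit_tree against the real wiki root before fix_permissions and keep the output: the list of world-writable paths and odd binaries is the starting point for finding how the files got there.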


On 2016-04-27 02:29, W Randolph Franklin wrote:
I discovered 4 files in wiki.d/ :

HELP_DECRYPT.HTML HELP_DECRYPT.PNG HELP_DECRYPT.TXT HELP_DECRYPT.URL

The PNG file said that my files had been encrypted by Cryptowall.

The good news is that there was in fact no damage, perhaps because I'm
running linux.

The bad news is that someone was able to place those files there.

Any ideas where I'd start to look?   Has anyone else seen this?

Also, HELP_DECRYPT.HTML HELP_DECRYPT.TXT HELP_DECRYPT.URL were binary,
in spite of their names. Perhaps listing them in a vulnerable OS is
intended to cause more damage?

Thanks.

_______________________________________________
pmwiki-devel mailing list
pmwiki-devel@pmichaud.com
http://www.pmichaud.com/mailman/listinfo/pmwiki-devel
