MediaWiki hacked, How dangerous? What's the worst case?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


jephperro
Forum Newbie
Posts: 1
Joined: Wed Dec 10, 2008 5:14 pm

MediaWiki hacked, How dangerous? What's the worst case?

Post by jephperro »

Hi there,

This is a lesson (for me) to keep Wiki software up to date from now on.

Until last week, I was running MediaWiki 1.9.3, with file uploads enabled. (I have now upgraded to 1.13.x). I now know that 1.9.3 had a vulnerability, but this has been fixed in subsequent versions.

It seems like someone was able to exploit the vulnerability on our wiki. I found that one directory in ../images/thumb/file_name.jpg/ had 5 GB of randomly named text files. The files contained random paragraphs of formatted HTML (I think retrieved from random internet pages).

Further investigation found some PHP files in the directory.
In case someone is searching for these files, they are named:
s.php
dg.php
mdl_utf.php

They are encoded and look like this:

eval (gzinflate(base64_decode('378jde383ue....

So I was able to decode them, and am trying to figure out what they did.

They are hard to read to figure out what they do, but here's a little snippet:

if(!$R399036803A841185E4A270BC666A66CF){                 // obfuscated "quiet" flag; unset means the dropper announces itself
     echo "<h3>INJECTING PHP FILES</h3>";
}

F012D69AC5CE9ED6C2EC5DF1609CA51C4($GLOBALS['dgdr'], $GLOBALS['dgij'], 1, $R399036803A841185E4A270BC666A66CF);   // obfuscated function; its arguments are globals set elsewhere in the decoded file

if($GLOBALS['dgsp']) {                                   // second call only when this global is set
     F012D69AC5CE9ED6C2EC5DF1609CA51C4($GLOBALS['dgsp'], $GLOBALS['dgij'], 1, $R399036803A841185E4A270BC666A66CF);
}

Has this happened to anyone else?

What are the possible dangers of this vulnerability? Having control of PHP files, the 'hacker' could execute Linux commands as the Apache user, correct?

How worried should I be? After the upgrade, the directory has stopped growing. I'm wondering what kind of damage someone could do using the Apache user. Could they have started a process that is silently working, and how can I find that process?
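
Decoding a dropper like this without ever running it is the first triage step, so here is an added example (my code, not the poster's and not part of MediaWiki) in Python. It statically unwraps the eval(gzinflate(base64_decode('...'))) wrapper the post shows, going one step further than the post by peeling nested wrappers until plain PHP comes out, lists the dangerous function calls in each decoded layer, and lists any PHP files under an upload tree, where none should exist. The two-layer sample dropper it builds is constructed, and its variable and function names ($quiet, $GLOBALS["target"], $GLOBALS["payload"]) are placeholders, not the real ones from the compromised site.

```python
"""Added example (not from the thread): statically unwrap an
eval(gzinflate(base64_decode('...'))) PHP dropper and list the calls it makes.
The payload is only decoded, never executed, so it is safe to run on copies of
the files pulled from the compromised upload directory."""
import base64
import os
import re
import zlib

# Outer wrapper exactly as the post shows it: eval (gzinflate(base64_decode('<blob>')))
# Whitespace between tokens is optional, because the sample has a space after "eval".
WRAPPER_RE = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*\)",
    re.IGNORECASE,
)

# Functions worth flagging in a decoded layer (illustrative, not an exhaustive list).
SUSPICIOUS_CALLS = (
    "eval", "system", "exec", "shell_exec", "passthru", "popen", "proc_open",
    "curl_exec", "file_put_contents", "fwrite", "base64_decode", "gzinflate",
)


def gzinflate(data: bytes) -> bytes:
    """Equivalent of PHP gzinflate(): raw DEFLATE with no zlib/gzip header (wbits=-15)."""
    return zlib.decompress(data, -15)


def gzdeflate(data: bytes) -> bytes:
    """Equivalent of PHP gzdeflate(); used only to build the constructed sample below."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def unwrap_layer(src: str):
    """Return the PHP source hidden inside one eval(gzinflate(base64_decode())) wrapper,
    or None if the text is not wrapped that way."""
    m = WRAPPER_RE.search(src)
    if m is None:
        return None
    return gzinflate(base64.b64decode(m.group(1))).decode("utf-8", errors="replace")


def unwrap_all(src: str, max_layers: int = 16):
    """Peel nested wrappers (droppers are often wrapped several times).
    Returns the decoded layers, innermost last; max_layers guards against loops."""
    layers = []
    while len(layers) < max_layers:
        inner = unwrap_layer(src)
        if inner is None:
            break
        layers.append(inner)
        src = inner
    return layers


def suspicious_calls(src: str):
    """Names from SUSPICIOUS_CALLS that appear as function calls in the given source."""
    return sorted(n for n in SUSPICIOUS_CALLS
                  if re.search(r"\b" + re.escape(n) + r"\s*\(", src))


def php_files_under(root: str):
    """An images/ or thumb/ tree should contain no PHP at all; anything found is a lead."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".php5")):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def make_sample() -> str:
    """Constructed two-layer dropper modelled on the post's snippet; the names are
    placeholders, not the real ones from the compromised site."""
    inner = ('if(!$quiet){ echo "<h3>INJECTING PHP FILES</h3>"; }\n'
             'file_put_contents($GLOBALS["target"], $GLOBALS["payload"]);')
    layer1 = "eval(gzinflate(base64_decode('%s')));" % (
        base64.b64encode(gzdeflate(inner.encode())).decode())
    return "<?php eval (gzinflate(base64_decode('%s'))); ?>" % (
        base64.b64encode(gzdeflate(layer1.encode())).decode())


if __name__ == "__main__":
    layers = unwrap_all(make_sample())
    for depth, code in enumerate(layers, 1):
        print("layer %d calls: %s" % (depth, ", ".join(suspicious_calls(code))))
    print(layers[-1])
```

Run it over copies of s.php, dg.php and mdl_utf.php to see what each layer calls; after the cleanup, an empty result from php_files_under on the images tree is the check that nothing was left behind.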
toasty2
Forum Contributor
Posts: 361
Joined: Wed Aug 03, 2005 10:28 am
Location: Arkansas, USA

Re: MediaWiki hacked, How dangerous? What's the worst case?

Post by toasty2 »

We would need more code to know what it does. It looks like everything is randomly named. It would be interesting to see the source code for the function F012D69AC5CE9ED6C2EC5DF1609CA51C4() which appears to be called there on line 8.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: MediaWiki hacked, How dangerous? What's the worst case?

Post by Mordred »

What's the worst case?
Everyone on Earth dies. Because of what you did. I hope you're happy now. *sob* :twisted:

Backup everything (files and database), delete and reinstall the web apps.