This is a lesson (for me) to keep Wiki software up to date from now on.
Until last week, I was running MediaWiki 1.9.3, with file uploads enabled. (I have now upgraded to 1.13.x). I now know that 1.9.3 had a vulnerability, but this has been fixed in subsequent versions.
It seems like someone was able to exploit the vulnerability on our wiki. I found that one directory in ../images/thumb/file_name.jpg/ had 5 GBs of randomly named text files. The files contained random paragraphs of formatted HTML (I think retrieved from random internet pages).
Further investigation found some PHP files in the directory.
In case someone is searching for these files, they are named:
s.php
dg.php
mdl_utf.php
They are encoded and look like this:
Code:
eval (gzinflate(base64_decode('378jde383ue....
They are hard to read, which makes it difficult to figure out what they do, but here's a little snippet:
Code:
if(!$R399036803A841185E4A270BC666A66CF){
echo "<h3>INJECTING PHP FILES</h3>";
}
F012D69AC5CE9ED6C2EC5DF1609CA51C4($GLOBALS['dgdr'], $GLOBALS['dgij'], 1, $R399036803A841185E4A270BC666A66CF);
if($GLOBALS['dgsp']) {
F012D69AC5CE9ED6C2EC5DF1609CA51C4($GLOBALS['dgsp'], $GLOBALS['dgij'], 1, $R399036803A841185E4A270BC666A66CF);
}
What are the possible dangers of this vulnerability? Having control of PHP files, the 'hacker' could execute Linux commands as the Apache user, correct?
How worried should I be? After the upgrade, the directory has stopped growing. I'm wondering what kind of damage someone could do using the Apache user. Could they have started a process that is silently working, and how can I find that process?
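The two things a responder usually wants first in a case like the one described above are (a) a way to see what a packed `eval(gzinflate(base64_decode('...')))` file actually contains without running it, and (b) a sweep of the upload tree for anything PHP-executable, since a MediaWiki images/ directory should never contain .php files at all. The script below is an added example, not the poster's code and not part of MediaWiki; the function names, the hypothetical sample tree it builds (modelled on the images/thumb/file_name.jpg/ layout the post describes, with a constructed two-layer packed file) and the list of "dangerous" function names are all assumptions made for the illustration. PHP's gzinflate() is raw DEFLATE, so the unpacking uses zlib with a negative window size rather than executing anything.

```python
import base64
import os
import re
import tempfile
import zlib

# One obfuscation layer of the form seen in the post: eval(gzinflate(base64_decode('...')))
LAYER_RE = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*\)",
    re.S,
)

# Function names that have no business inside an upload directory (assumed list for this example).
SUSPICIOUS_RE = re.compile(
    r"\b(eval|gzinflate|base64_decode|str_rot13|assert|passthru|shell_exec|system|popen|proc_open)\s*\(",
    re.I,
)


def gzinflate(data: bytes) -> bytes:
    """PHP gzinflate() is raw DEFLATE (no zlib/gzip header), hence wbits=-15."""
    return zlib.decompress(data, -15)


def peel_layers(source: str, max_layers: int = 20) -> tuple[str, int]:
    """Statically unwrap nested eval(gzinflate(base64_decode('...'))) layers.

    Nothing is executed: each layer is base64-decoded and inflated in Python,
    and the result is searched for the next layer. Returns (innermost text, layers removed).
    """
    current, layers = source, 0
    while layers < max_layers:
        m = LAYER_RE.search(current)
        if not m:
            break
        current = gzinflate(base64.b64decode(m.group(1))).decode("utf-8", "replace")
        layers += 1
    return current, layers


def wrap_layer(php: str) -> str:
    """Build one packed layer (used here only to construct a sample file for the demo)."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = co.compress(php.encode()) + co.flush()
    return "<?php eval(gzinflate(base64_decode('" + base64.b64encode(raw).decode() + "'))); ?>"


def scan_upload_dir(root: str) -> list[dict]:
    """Walk an upload tree (e.g. MediaWiki images/) and flag anything that could run as PHP.

    A file is reported if it has a PHP-executable extension, contains a PHP open tag,
    or calls one of the SUSPICIOUS_RE functions; the reasons are returned with the path.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if re.search(r"\.(php\d?|phtml|phar)$", name, re.I):
                reasons.append("php-executable extension in upload dir")
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536).decode("latin-1")  # only the head; enough for a packed loader
            except OSError:
                continue
            if "<?php" in head or "<?=" in head:
                reasons.append("php open tag")
            if SUSPICIOUS_RE.search(head):
                reasons.append("dangerous function call")
            if reasons:
                findings.append({"path": path, "reasons": reasons})
    return findings


def build_sample_tree() -> str:
    """Constructed sample tree for the demo: a thumb directory holding dumped text and a packed PHP file."""
    root = tempfile.mkdtemp(prefix="wiki_images_")
    thumb = os.path.join(root, "thumb", "file_name.jpg")
    os.makedirs(thumb)
    inner = 'if(!$R399036803A841185E4A270BC666A66CF){ echo "<h3>INJECTING PHP FILES</h3>"; }'
    with open(os.path.join(thumb, "s.php"), "w") as fh:
        fh.write(wrap_layer(wrap_layer(inner)))  # two packed layers, as the real loaders often are
    with open(os.path.join(thumb, "a8f3kq.txt"), "w") as fh:
        fh.write("<p>Lorem ipsum dolor sit amet</p>\n")  # harmless dumped HTML
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)  # ordinary image
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for finding in scan_upload_dir(root):
        print(finding["path"], finding["reasons"])
        with open(finding["path"], encoding="latin-1") as fh:
            plain, n = peel_layers(fh.read())
        print(f"  unpacked {n} layer(s):", plain[:120])
```

Running it against a real images/ tree is a matter of calling scan_upload_dir on that path; keep copies of anything it flags before deleting them, since the unpacked text is what tells you whether the loader only wrote spam pages or also installed something persistent. For the process question, the same reasoning applies at the OS level: list what runs as the web server account (`ps -u apache -o pid,ppid,lstart,cmd`), check each suspicious PID's working directory and binary via `/proc/<pid>/cwd` and `/proc/<pid>/exe`, and look for scheduled jobs (`crontab -u apache -l`) that would restart a dropper after a reboot.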