MediaWiki hacked, How dangerous? What's the worst case?

Posted: Wed Dec 10, 2008 5:20 pm
by jephperro
Hi there,

This is a lesson (for me) to keep Wiki software up to date from now on.

Until last week, I was running MediaWiki 1.9.3, with file uploads enabled. (I have now upgraded to 1.13.x). I now know that 1.9.3 had a vulnerability, but this has been fixed in subsequent versions.

It seems like someone was able to exploit the vulnerability on our wiki. I found that one directory in ../images/thumb/file_name.jpg/ had 5 GBs of randomly named text files. The files contained random paragraphs of formatted HTML (I think retrieved from random internet pages).

Further investigation found some PHP files in the directory.
In case someone is searching for these files, they are named:
s.php
dg.php
mdl_utf.php

They are encoded and look like this:

eval (gzinflate(base64_decode('378jde383ue....

So I was able to decode them, and am trying to figure out what they did.

They are hard to read to figure out what they do, but here's a little snippet:

if(!$R399036803A841185E4A270BC666A66CF){ 
     echo "<h3>INJECTING PHP FILES</h3>";
} 
 
F012D69AC5CE9ED6C2EC5DF1609CA51C4($GLOBALS['dgdr'], $GLOBALS['dgij'], 1, $R399036803A841185E4A270BC666A66CF); 
 
if($GLOBALS['dgsp']) { 
     F012D69AC5CE9ED6C2EC5DF1609CA51C4($GLOBALS['dgsp'], $GLOBALS['dgij'], 1, $R399036803A841185E4A270BC666A66CF); 
}

Has this happened to anyone else?

What are the possible dangers of this vulnerability? Having control of PHP files, the 'hacker' could exec Linux commands as the apache user, correct?

How worried should I be? After the upgrade, the directory has stopped growing. I'm wondering what kind of damage someone could do using the apache user. Could they have started a process that is silently working, and how can I find that process?
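An added triage example for the question above (not code from the thread or from MediaWiki): it walks an upload tree the way one would walk images/ after an incident like this, flagging PHP files (including double extensions) and any file that carries the eval(gzinflate(base64_decode( loader pattern quoted in the post. The directory tree and file contents it builds are constructed sample data.

```python
"""Triage an upload tree for dropped PHP files and decode-and-eval loaders."""
import os
import re
import tempfile

# Marker of the loader pattern quoted in the post: eval(gzinflate(base64_decode(
LOADER_RE = re.compile(rb"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.I)
# Under an upload root, any server-side script extension is suspicious on its own.
PHP_EXT = (".php", ".php3", ".php4", ".php5", ".phtml")


def scan_uploads(root):
    """Return a sorted list of (relative_path, reason) for suspicious files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            lower = name.lower()
            if lower.endswith(PHP_EXT):
                findings.append((rel, "php extension under upload root"))
                continue
            if any(ext + "." in lower for ext in PHP_EXT):
                findings.append((rel, "double extension with php before final suffix"))
                continue
            with open(path, "rb") as fh:
                head = fh.read(65536)  # enough to catch a loader stub at the top
            if b"<?php" in head or LOADER_RE.search(head):
                findings.append((rel, "php open tag or eval/gzinflate loader in content"))
    return sorted(findings)


def demo_tree():
    """Build a constructed sample tree shaped like images/thumb/<name>/ (not real data)."""
    root = tempfile.mkdtemp(prefix="wiki_images_")
    thumb = os.path.join(root, "thumb", "file_name.jpg")
    os.makedirs(thumb)
    samples = {
        os.path.join(thumb, "s.php"): b"<?php eval(gzinflate(base64_decode('AAAA'))); ?>",
        os.path.join(thumb, "a8f2.txt"): b"<p>random scraped html paragraph</p>",
        os.path.join(thumb, "pic.php.jpg"): b"\xff\xd8\xff not really a jpeg",
        os.path.join(root, "logo.png"): b"\x89PNG\r\n\x1a\n",
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, reason in scan_uploads(demo_tree()):
        print(f"{rel}: {reason}")
```

Run it against the real images/ directory by passing that path to scan_uploads; the web server should also be denying script execution under that tree so a dropped file cannot run even if it is missed.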

Re: MediaWiki hacked, How dangerous? What's the worst case?

Posted: Thu Dec 11, 2008 6:02 pm
by toasty2
We would need more code to know what it does. It looks like everything is randomly named. It would be interesting to see the source code for the function F012D69AC5CE9ED6C2EC5DF1609CA51C4() which appears to be called there on line 8.

Re: MediaWiki hacked, How dangerous? What's the worst case?

Posted: Fri Dec 12, 2008 12:01 pm
by Mordred
What's the worst case?
Everyone on Earth dies. Because of what you did. I hope you're happy now. *sob* :twisted:

Backup everything (files and database), delete and reinstall the web apps.