01338: Malware

Summary: Malware
Created: 2014-02-12 13:19
Status: Closed, not a bug
Category: Bug
From: SRA Sackinger
Priority: 5
Version: 2.2.60
OS: Linux, GoDaddy

Description: Can't find PHP Version.

When setting up my site I changed very little in the wiki config.PHP file, mostly passwords. Yet the day after I installed the wiki, the following information was overlaid in the site sidebar:

There's no time limit at the Bank of England has bought corporate debt and what doesn't.,

Also an address: paydayzabc.co.uk

What is causing this and how do I fix it?

Susan SRA Sackinger February 12, 2014, at 01:25 PM

While it's possible someone has unauthorized access to your server, or else just guessed your password, it's most likely that your sidebar was not password protected.

  1. Check to see if you can edit it while logged out. If it's protected, maybe the spammer found your password mentioned on another page. Once the edit password has been entered, even on other pages, all pages protected by that password will be editable.
  2. If you want to block that user, or spammers in general, check out PmWiki:Blocklist.
  3. Spam postings are often done by automated processes. To ensure postings are made by humans, you can use the Cookbook:Captcha.

- RandyB February 12, 2014, at 02:50 PM

I spoke with GoDaddy first. I also checked the edit history. According to the history, I am the only one who has edited it. I had included a privacy filter on the hosting so there shouldn't be any back door. I don't give out my passwords, and I don't write them down. My sidebar was password protected; I made sure in the PHP, and unless they know several different programming languages and my personal history, they won't be able to guess it. Can an automated process change the page without it showing up in history? SRA Sackinger February 12, 2014, at 03:04 PM

Yes, such things are possible via direct access to the page file. If you are on a shared server, maybe someone found a security hole elsewhere on the server (either left by another user, or by GoDaddy). If they directly changed the file, you wouldn't see it in the page history. (You might see something in your computer logs, and the file time on the page might indicate when it happened.) - RandyB February 12, 2014, at 09:54 PM
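
The last reply above says a direct change to the page file would not appear in the page history but might show in the file time. The Python check below is an added example, not part of the original thread or of PmWiki. It assumes the default flat-file page store (a `wiki.d` directory whose page files carry a `time=` line and `diff:<timestamp>:` history lines); the 5-second tolerance and the sample pages are constructed.

```python
import os
import re
import tempfile

TOLERANCE = 5  # assumed slack (seconds) between PmWiki's recorded time and the disk write

def recorded_times(path):
    """Return (time= value, newest diff: timestamp) read from a PmWiki page file."""
    last_edit, newest_diff = None, None
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = re.match(r"time=(\d+)\s*$", line)  # anchored, so ctime= is ignored
            if m:
                last_edit = int(m.group(1))
            m = re.match(r"diff:(\d+):", line)
            if m:
                newest_diff = max(newest_diff or 0, int(m.group(1)))
    return last_edit, newest_diff

def audit(wiki_dir):
    """List page files whose on-disk mtime is later than any edit PmWiki recorded."""
    findings = []
    for name in sorted(os.listdir(wiki_dir)):
        path = os.path.join(wiki_dir, name)
        if name.startswith(".") or not os.path.isfile(path):
            continue  # skip PmWiki's own dot-files and subdirectories
        last_edit, newest_diff = recorded_times(path)
        if last_edit is None:
            continue  # no time= line: not a page file
        newest = max(last_edit, newest_diff or 0)
        mtime = int(os.path.getmtime(path))
        if mtime - newest > TOLERANCE:
            findings.append((name, newest, mtime))
    return findings

def demo():
    """Constructed sample: one page saved by the wiki, one rewritten on disk later."""
    d = tempfile.mkdtemp()
    page = ("version=pmwiki-2.2.60 ordered=1 urlencoded=1\nname={n}\ntext=sample\n"
            "time=1392200000\ndiff:1392200000:1392100000:=1c1\n")
    for n, mtime in (("Main.HomePage", 1392200001), ("Site.SideBar", 1392240000)):
        p = os.path.join(d, n)
        with open(p, "w") as fh:
            fh.write(page.format(n=n))
        os.utime(p, (mtime, mtime))  # set the file time the audit will read
    return audit(d)

if __name__ == "__main__":
    for name, recorded, mtime in demo():
        print(f"{name}: file changed at {mtime}, last recorded edit {recorded}")
```

A mismatch is a lead to follow up in the server logs, not proof: restoring files from a backup also changes the file time, and anyone with write access to the file can reset it.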