On Sat, Jan 5, 2013 at 6:24 AM, Simon L. B. Nielsen wrote:
> Could you tell me which URLs you looked for in your logs to determine
> the moinmoin security issues were exploited?
>
> FreeBSD.org is also running moinmoin, so I need to determine if it has
> been compromised, and would be simpler if I don't have to find out how
> the draw extensions work :-).
If you have a moinexec.py file in your plugin directories, your server has
probably been compromised.

This is what the initial backdoor injection looks like:

  GET /?action=twikidraw&do=modify&target=../../../plugin/action/moinexec.py
  POST /?action=twikidraw&do=save&ticket=<snip>&target=../../../plugin/action/moinexec.py HTTP/1.1

This is what using the backdoor looks like:

  GET /?action=moinexec&c=uname%20-ar

We got caught out by this because the plugin directories were modifiable by
the moin WSGI processes. We've now fixed this by having these directories
owned by a different user and moin running as a less privileged user.

Other wikis have been hit by this too, so you might want to check the
permissions on the plugins directory.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
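The two checks pabs describes (grep the access log for the twikidraw/moinexec requests, and look at the plugin directory) as a small script. This is an added example, not code from the thread or from the MoinMoin project. It generalises the log check slightly: rather than matching the literal moinexec.py name, it flags any twikidraw request whose `target` parameter contains a `..` path component, since a drawing name should never climb out of the attachment directory, and it flags any request for `action=moinexec`. The log lines are constructed for the example (combined log format, addresses from documentation ranges); the request paths mirror the ones quoted above. `check_plugin_dir` takes the uid the wiki runs as and reports directories that uid could write to, plus any dropped moinexec.py.

```python
"""Detect the MoinMoin twikidraw -> moinexec backdoor pattern in access logs
and check plugin directory permissions.  Added example, not the thread's or
MoinMoin's own code.  SAMPLE_LOG is constructed for the example."""
import os
import re
import stat
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: three lines from one client following the sequence in
# the thread, then two benign requests from another client.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jan/2013:22:10:01 +0000] "GET /?action=twikidraw&do=modify&target=../../../plugin/action/moinexec.py HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Jan/2013:22:10:03 +0000] "POST /?action=twikidraw&do=save&ticket=abc&target=../../../plugin/action/moinexec.py HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Jan/2013:22:11:40 +0000] "GET /?action=moinexec&c=uname%20-ar HTTP/1.1" 200 143 "-" "curl/7.26.0"
198.51.100.2 - - [04/Jan/2013:22:12:00 +0000] "GET /SomePage?action=twikidraw&do=modify&target=diagram HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.2 - - [04/Jan/2013:22:12:30 +0000] "GET /SomePage HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def classify_request(path):
    """Label one request path: 'backdoor-use', 'backdoor-injection' or None."""
    qs = parse_qs(urlsplit(path).query)          # parse_qs percent-decodes values
    action = qs.get('action', [''])[0]
    if action == 'moinexec':
        return 'backdoor-use'
    if action == 'twikidraw':
        target = qs.get('target', [''])[0]
        # A drawing name is a plain attachment name; any '..' component means
        # the save would land outside the page's attachment directory.
        if '..' in target.replace('\\', '/').split('/'):
            return 'backdoor-injection'
    return None


def scan_log(text):
    """Return [(ip, timestamp, label, path)] for every suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                              # not a combined-format line
        label = classify_request(m['path'])
        if label:
            findings.append((m['ip'], m['ts'], label, m['path']))
    return findings


def check_plugin_dir(plugin_dir, service_uid):
    """Walk a MoinMoin plugin tree and report (a) any moinexec.py and (b) any
    directory the wiki's own uid can write to.  Group-writable directories are
    reported too, as a conservative choice."""
    report = {'moinexec_files': [], 'writable_dirs': []}
    for root, _dirs, files in os.walk(plugin_dir):
        if 'moinexec.py' in files:
            report['moinexec_files'].append(os.path.join(root, 'moinexec.py'))
        st = os.stat(root)
        owner_can_write = st.st_uid == service_uid and st.st_mode & stat.S_IWUSR
        others_can_write = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        if owner_can_write or others_can_write:
            report['writable_dirs'].append(root)
    return report


if __name__ == '__main__':
    for ip, ts, label, path in scan_log(SAMPLE_LOG):
        print(f'{ts} {ip} {label}: {path}')
    # Real use: check_plugin_dir('/var/lib/moin/data/plugin', service_uid=<moin uid>)
```

Run against a real log with `scan_log(open(path).read())`; a `backdoor-injection` followed by a `backdoor-use` from the same address is the sequence in the thread. An empty `writable_dirs` list from `check_plugin_dir` is the end state pabs describes: the plugin tree owned by a different user than the one the WSGI processes run as.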

