
SANS ISC InfoSec Handlers Diary Blog



Reports of Bots exploiting pmwiki and tikiwiki

Published: 2006-09-05
Last Updated: 2006-09-05 15:09:11 UTC
by Joel Esler (Version: 6)
We have received some anonymous reports of botnets being built from machines compromised through vulnerabilities in the PmWiki and TikiWiki software.

The TikiWiki exploit targets versions <= 1.9, and the PmWiki exploit targets versions <= 2.1.19.  Both exploits were discovered and written by the same person, and both have been worked into self-spreading bots.

We have no information yet on where these bots are attempting to connect.  However, they are being seen in the wild.

The PmWiki exploit only works if you have "register_globals" turned "On" in your PHP installation.  However, the TikiWiki exploit works regardless of this setting.

TikiWiki has published information on how to temporarily patch your systems so they are no longer vulnerable (see the linked page for that info). From that page, it also appears that TikiWiki is working on a permanent patch.

At the time of this posting PmWiki had no temporary fixes or patches posted to their website.  So ensure that you turn "register_globals" to "Off", and restart Apache.

So, if you are running either one of these two pieces of software, please, make sure you are fixed or patched up!
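As an added defender-side check (not from the diary, PmWiki or TikiWiki), this Python audit encodes the two facts above: the affected version ranges, and the register_globals precondition that applies only to PmWiki. Reading the diary's "<= 1.9" as covering the whole 1.9 branch, and the sample php.ini fragment, are assumptions constructed for the example.

```python
import re

# Affected versions as reported in the diary: TikiWiki <= 1.9, PmWiki <= 2.1.19.
# Assumption: a threshold such as (1, 9) covers the whole 1.9 branch (1.9.x),
# and (2, 1, 19) covers 2.1.19 and any 2.1.19.x point release.
AFFECTED = {"tikiwiki": (1, 9), "pmwiki": (2, 1, 19)}

# Spellings PHP accepts as "true" for a boolean ini directive (case-insensitive).
_TRUE_VALUES = {"1", "on", "true", "yes"}

def register_globals_enabled(php_ini_text):
    """True if register_globals would be On for this php.ini text: ';' starts a
    comment, the last assignment wins, and an absent directive means Off
    (PHP's built-in default since 4.2.0)."""
    enabled = False
    for raw in php_ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        m = re.match(r"register_globals\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            enabled = m.group(1).strip().strip('"').lower() in _TRUE_VALUES
    return enabled

def parse_version(text):
    """'2.1.19' -> (2, 1, 19); a trailing tag such as '-rc1' is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(p) for p in m.group(0).split("."))

def is_affected(product, version):
    """True if this version falls inside the range the diary reports."""
    threshold = AFFECTED[product.lower()]
    # Compare only as many components as the threshold has (see assumption above).
    return parse_version(version)[:len(threshold)] <= threshold

def assess(product, version, php_ini_text):
    """Combine the version check with the register_globals precondition."""
    if not is_affected(product, version):
        return "not affected: %s %s is outside the reported range" % (product, version)
    if product.lower() == "pmwiki":
        if not register_globals_enabled(php_ini_text):
            return "affected version, but the PmWiki exploit needs register_globals=On (it is Off); update anyway"
        return "AT RISK: set register_globals=Off, restart Apache, and update PmWiki"
    return "AT RISK: update TikiWiki; its exploit works regardless of register_globals"

if __name__ == "__main__":
    # Constructed php.ini fragment: a commented-out Off line followed by a live On line.
    SAMPLE_INI = "; register_globals = Off\nregister_globals = On ; legacy app\n"
    for product, version in (("PmWiki", "2.1.19"), ("PmWiki", "2.1.20"), ("TikiWiki", "1.9.4")):
        print(product, version, "->", assess(product, version, SAMPLE_INI))
```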

UPDATE

We've received some submissions about machines compromised through the vulnerabilities mentioned above. All the botnets we've seen connect to an Undernet IRC server and sit on five different channels.

Besides the IRC bot, the intruders also put a variety of exploits and attack tools on the compromised machines. Among the usual Perl flood scripts there are also exploits for both 2.4 and 2.6 Linux kernels (the Linux kernel msync race condition exploit from last year).

In any case, make sure that you are running a patched version as the bad guys are actively exploiting this.

UPDATE #2

Robin writes in to tell us that the admins of PmWiki have updated their code:  see the release notes here.

UPDATE #3

Snort.org has updated their Community Ruleset to include coverage for these two vulnerabilities.