
SANS ISC: Reports of Bots exploiting pmwiki and tikiwiki - SANS Internet Storm Center SANS ISC InfoSec Forums


Reports of Bots exploiting pmwiki and tikiwiki
We have received some anonymous reports of botnets being created by exploiting vulnerabilities found in Pmwiki and Tikiwiki software.

The Tikiwiki exploit is hitting versions <= 1.9, and the Pmwiki exploit is hitting versions <= 2.1.19. Both exploits were discovered and written by the same person, and both have been worked into auto-spreading bots.

The Pmwiki exploit only works if "register_globals" is set to "On" in your PHP installation. The Tikiwiki exploit, however, works regardless of this setting.

We have no info yet on where these bots are attempting to connect. However, we are seeing them in the wild.

Tikiwiki has published information on how to temporarily patch your systems to make them invulnerable. From reading that page, it also appears that Tikiwiki is working on a permanent patch.

At the time of this posting, Pmwiki had no temporary fixes or patches posted on their website. So ensure that you set "register_globals" to "Off" and restart Apache.
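One way to confirm the register_globals state described above across the files PHP reads, as an added example (not code from the original diary or from either wiki project). The file names and sample contents are constructed, the caller is assumed to pass only files that apply to the wiki's directory, and the absent-directive default of Off assumes PHP 4.2.0 or later.

```python
import re

# Values PHP treats as boolean true for a flag (case-insensitive).
TRUE_VALUES = {"1", "on", "true", "yes"}
# php.ini form: "register_globals = On"
INI_RE = re.compile(r"^\s*register_globals\s*=\s*(.*)$", re.I)
# Apache mod_php form: php_flag / php_value / php_admin_flag / php_admin_value
APACHE_RE = re.compile(
    r"^\s*php_(admin_)?(?:flag|value)\s+register_globals\s+(.*)$", re.I)

# Constructed sample inputs (not taken from any real host).
PHP_INI = "[PHP]\n;register_globals = Off\nregister_globals = On ; legacy app\n"
HTACCESS = "php_flag register_globals off\n"

def _clean(value):
    """Drop a trailing comment and quotes, then lowercase."""
    return re.split(r"[;#]", value, maxsplit=1)[0].strip().strip("\"'").lower()

def scan(text):
    """Return [(lineno, kind, enabled)] for every active directive in text."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith((";", "#")):
            continue  # a commented-out directive has no effect
        m = INI_RE.match(line)
        if m:
            hits.append((n, "ini", _clean(m.group(1)) in TRUE_VALUES))
            continue
        m = APACHE_RE.match(line)
        if m:
            kind = "admin" if m.group(1) else "perdir"
            hits.append((n, kind, _clean(m.group(2)) in TRUE_VALUES))
    return hits

def effective(sources):
    """sources: [(name, text)] in load order (php.ini, httpd.conf, .htaccess).
    Returns (enabled, deciding_location). Assumed default: Off (PHP >= 4.2.0)."""
    enabled, decided_by, locked = False, "default", False
    for name, text in sources:
        for n, kind, value in scan(text):
            if locked and kind != "admin":
                continue  # php_admin_* cannot be overridden by php_flag
            enabled, decided_by = value, f"{name}:{n}"
            locked = locked or kind == "admin"
    return enabled, decided_by

if __name__ == "__main__":
    print(effective([("php.ini", PHP_INI)]))
    print(effective([("php.ini", PHP_INI), (".htaccess", HTACCESS)]))
```

This reads configuration files only; a change to php.ini or the main Apache configuration applies once Apache is restarted.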

So, if you are running either of these two pieces of software, please make sure you are fixed or patched up!
Joel

ISC Handler
