Search results page redirects to unsafe site
Using multiple wikis on the same site for some months without problems. Suddenly search pages for all wikis on the site have started to do the following:
- search for a term
- results are displayed in a raw HTML only format, i.e. it appears that the style sheets or skins are not being applied
- when I click one of the links I am redirected to http://hidrocaribe.gob.ve/innova which our firewall blocks as a threat
Where would I look to find what is going on?
Also, our hosting company suggests that the corruption likely happened via a hacked admin wiki account. Could that be? Tenbergen 22:51, 6 February 2012 (UTC)
It would be helpful if you provided a link to your wiki (mostly looking through Special:Recentchanges [in particular, any edits to the MediaWiki namespace] could rule out if it's a compromised admin account or something else).
In theory, an admin account can add site-wide js, which could potentially be used to do something like that. However, if someone did that, there are more evil things they could do for quite a bit less effort, so that seems unlikely.
I think it's more likely that someone got into your server (possibly via some other insecure web application that you had installed) and modified some of MediaWiki's PHP files.
Thanks for your reply, I had thought something along that line. The URL is http://ccmdb.kuality.ca/index.php?title=Special:UserLogout&returnto=Main_Page. Even without login, running a blank search does the trick. We had already looked in the recent changes and there was nothing enlightening there. For one of the wikis, common.js and common.css seemed to be corrupted; the pages were not accessible at all via the wiki. Not for the other wikis, though. Any ideas how to proceed with troubleshooting?
Yeah, that definitely looks like someone modified one of the PHP files (the server sends 301 redirects to bad places).
(Furthermore, the admin-editable JS isn't even being loaded for people not logged in, since it's not on the page whitelist and the wiki is read-restricted.)
What I would probably do would be:
- Save your LocalSettings.php, and any uploaded images.
- Look through your LocalSettings.php to make sure nothing unusual or strange is in there
- Delete everything (except not your database)
- Re-install MediaWiki (putting the LocalSettings.php and images directory you saved back).
If you have your Apache access_log going back a while, looking for unusual requests might be able to tell you how the attacker gained access (obviously getting rid of the tainted PHP files means nothing if the attacker can still regain access). There are no known security vulnerabilities that give filesystem access in MediaWiki 1.16.5 (although that version is outdated), so I'd say it's more likely that they gained access through something else.
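As an added example (not from this thread and not part of MediaWiki), the steps above can be checked rather than done blind: compare the live web root against a pristine extract of the same MediaWiki release to list added, modified and removed files, then scan the PHP files for constructs typical of injected redirect or loader code. It assumes a POSIX shell with coreutils (`sha256sum`, `find`, `awk`); the REF and LIVE directory arguments are placeholders for the clean extract and the web root.

```shell
#!/bin/sh
# Defender-side integrity check for a MediaWiki tree suspected of carrying
# injected PHP. REF is an untouched extract of the same release; LIVE is the
# web root. Nothing here modifies either tree.

# One "sha256  ./relative/path" line per regular file, sorted by path.
hash_tree() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2)
}

# Print ADDED / MODIFIED / REMOVED lines for LIVE relative to REF.
# LocalSettings.php and images/ are expected under ADDED; anything else
# listed as ADDED (a dropped script) or MODIFIED (a patched core file)
# is what to read first before deleting and reinstalling.
compare_trees() {
    ref="$1"; live="$2"
    tmp=$(mktemp -d)
    hash_tree "$ref"  > "$tmp/ref"
    hash_tree "$live" > "$tmp/live"
    awk 'NR == FNR { ref[$2] = $1; next }
         !($2 in ref) { print "ADDED " $2; next }
         { if (ref[$2] != $1) print "MODIFIED " $2; delete ref[$2] }
         END { for (p in ref) print "REMOVED " p }' "$tmp/ref" "$tmp/live" |
        LC_ALL=C sort
    rm -rf "$tmp"
}

# Heuristic scan of PHP files for constructs seen in injected redirect or
# loader code. Prints "path: pattern" per hit. A hit is a lead, not a
# verdict: legitimate code also calls some of these, so read the file.
flag_suspicious_php() {
    for pat in 'header\(.*Location:' 'eval\(' 'base64_decode\(' 'gzinflate\('; do
        find "$1" -type f -name '*.php' -exec grep -lE "$pat" {} + |
            while read -r f; do printf '%s: %s\n' "$f" "$pat"; done
    done | LC_ALL=C sort
}

# Usage (paths are placeholders):
#   compare_trees /tmp/mediawiki-clean /var/www/wiki
#   flag_suspicious_php /var/www/wiki
```

Run `compare_trees` before the delete-and-reinstall step so the list of tampered files can be kept for correlating with the access_log.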
Thanks Bawolff; we ended up able to convince the host admin that this really is an issue with their site (the whole site redirects, too) and they are looking into it now. Some other sites mentioned that this might have slipped in through Joomla or WordPress, but apparently it doesn't actually affect those products, just their Google rankings. Guess MediaWiki was the only one actually showing symptoms...