Thread:Project:Support desk/Help with hacking issue

Hi,

MediaWiki 1.25.1 PHP 5.3.24 MySQL Software version: 5.5.35-33.0 - Percona Server (GPL), Release rel33.0, Revision 611

Please redirect me to the appropriate place to find out about this if this is not that place!

I have several entries in the server error log like this:

[Mon Jul 06 22:15:08 2015] [error] [client 32.210.12.43] File does not exist: /home/xxx.org/html/wiki/skins/common, referer: http://xxx.org/wiki/load.php?debug=false&lang=en&modules=mediawiki.legacy.commonPrint%2Cshared%7Cmediawiki.sectionAnchor%7Cmediawiki.skinning.content.externallinks%7Cmediawiki.skinning.interface%7Cmediawiki.ui.button%7Cskins.monobook.styles&only=styles&skin=monobook&*

and also:

[Sun Jul 12 21:46:48 2015] [error] [client 32.210.12.43] ModSecurity: Access denied with code 403 (phase 2). Operator GT matched 15 at TX:sql_injection_score. [file "/etc/httpd/modsecurity.d/modsecurity_crs_49_inbound_blocking.conf"] [line "51"] [id "4049002"] [msg "SQL Injection Detected (score 28): IE XSS Filters - Attack Detected."] [hostname "xxx.org"] [uri "/wiki/index.php"] [unique_id "VaMYiMDwsHkAAF6jhHEAAAA0"]

Obviously, someone/something at this server IP address is up to no good. I password protected our wiki for now using .htaccess (it's only for internal use, anyway).

Where can I find out more about this exploit(s) and what to do about it?

Thanks, mitzzzz