Thread:Project:Support desk/prlinks.php malware/reply

There are a multitude of ways such malware could get in place. It could be a vulnerability in your web server, it could be a vulnerability in another web application. (For example, I've heard people complain before about getting attacked via a vulnerability in WordPress, and then the attacker inserts php code in MediaWiki files). It could also be a vulnerability in a MediaWiki extension, or even MediaWiki itself (However, most security vulnerabilities reported in MediaWiki are XSS type vulnerabilities, or of the form "Allow user X to block someone when they're not supposed to be able to". I believe you'd have to be using a very very old version of MediaWiki for it to have a known vulnerability allowing someone to write a php file to disk [OTOH as a MediaWiki fan I could be biased ;)]). I personally think what most likely happened was there was a vulnerability in something else, and the MediaWiki image directory was the only directory writable by the webserver, so that's where the attacker put the evil php file (Of course that is a pure guess, I have nothing whatsoever to back up that theory).

Also, I personally think it's unlikely the evil file was uploaded through MediaWiki's upload facilities, since it's in the thumbnail directory (if someone managed to upload it using normal upload facilities of MW, it would be in just the image directory most likely). Also MW does many checks to prevent html/php files from being uploaded. So I would more likely conclude some other means was used to upload the file.

In general we strongly recommend disabling php execution in the upload directory (or any other directory the web server has write access to), so that if someone does manage to get an evil file in one of those directories, it can't be executed as php, as was done in your case. See Manual:Security.

P.S. I should note I'm not a security expert by any means, so take any of my opinions with a grain of salt.
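
An added example, not part of the original reply and not MediaWiki's own code: a defensive audit that walks a web-writable upload directory (including its `thumb/` subtree) and reports files that carry a PHP extension or contain a PHP open tag behind an image-looking name. The extension list, the function names and the sample tree are assumptions constructed for illustration; `prlinks.php` is used only because it is the file named in this thread.

```python
import os
import tempfile

# Extensions commonly mapped to the PHP handler (assumed list; match your server config).
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
PHP_OPEN_TAG = b"<?php"  # short tags ("<?", "<?=") are not checked: too noisy in binary data


def find_php_in_uploads(upload_root, max_bytes=1024 * 1024):
    """Return sorted (relative_path, reason) pairs for files that look like PHP."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(upload_root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, upload_root)
            # Check every dot-separated part: "x.php.jpg" can still be handed
            # to PHP under some web server handler configurations.
            parts = {"." + p.lower() for p in name.split(".")[1:]}
            if parts & PHP_EXTENSIONS:
                findings.append((rel, "php extension"))
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: nothing to inspect
            if PHP_OPEN_TAG in head:
                findings.append((rel, "php open tag in content"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample layout mirroring images/ and images/thumb/."""
    os.makedirs(os.path.join(root, "thumb", "a", "ab"))
    with open(os.path.join(root, "Logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)  # harmless image stub
    with open(os.path.join(root, "thumb", "a", "ab", "prlinks.php"), "wb") as fh:
        fh.write(b"<?php /* placeholder body */ ?>")
    with open(os.path.join(root, "thumb", "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"<?php /* placeholder */ ?>")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in find_php_in_uploads(tmp):
            print(f"{rel}: {reason}")
```

A clean result from a scan like this does not replace disabling PHP execution in the directory; it only tells you whether something has already been dropped there.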