Security question
My site has been probed on a more or less daily basis since the 19th looking for php files in one of two directories. There seem to have been 2 forms of probing, the second looking for an enhanced list of php files in the two directories. Fortunately, owing to its configuration I don't seem to have been hacked as the files were 404 or 403 and a rootkit sweep shows nothing.
Looking at my Apache logs, the script tries to read tiki-index, then looks for tiki-top_bar.tpl, then tiki-contact.php.
I've a couple of questions (that seem to have been asked as comments to your security posts on the main page, but I've not seen answered).
What is the mechanism that this script uses to actually upload the php files to the temp dirs?
Is an account necessary?
Is it possible for you to give a few details about what was altered so that those who've customised their setups can backport the mods? Even a list of the files would be useful.
What is significant in tiki-top_bar.tpl - I can think it might have been version information, from the CVS header, or something to do with the javascript toggle?
It might be worthwhile to ensure your server setup doesn't serve tpl files if requested directly, in addition to the other Apache configs mentioned.
Any answers appreciated - and for all those running TW sites - searching your logs for e.g. shell.php might be worthwhile.
Cheers
Andrew
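
The log search suggested in the post above, as an added example that is not part of the original post or of TikiWiki: it flags clients that requested the three files in the order described and separates refused PHP requests (403/404) from ones the server answered. The directory names in `WATCHED_DIRS` are placeholders and the log lines are constructed; both are assumptions to replace with your own.

```python
import re
from collections import defaultdict

# Apache common/combined format: host ident user [time] "METHOD url PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)[^"]*" (\d{3}) ')
# Files the post names as the probe's footprint, in the order they were requested.
PROBE_SEQUENCE = ("tiki-index", "tiki-top_bar.tpl", "tiki-contact.php")
# Placeholders (assumption): substitute the two directories probed on your site.
WATCHED_DIRS = ("/dir_a/", "/dir_b/")

# Constructed sample log lines (documentation IP ranges, made-up times and paths).
SAMPLE_LOG = """\
192.0.2.10 - - [19/Jan/2000:03:12:01 +0000] "GET /tiki-index.php HTTP/1.1" 200 5120
192.0.2.10 - - [19/Jan/2000:03:12:02 +0000] "GET /templates/tiki-top_bar.tpl HTTP/1.1" 403 210
192.0.2.10 - - [19/Jan/2000:03:12:03 +0000] "GET /tiki-contact.php HTTP/1.1" 200 3300
192.0.2.10 - - [19/Jan/2000:03:12:04 +0000] "GET /dir_a/shell.php HTTP/1.1" 404 208
192.0.2.10 - - [19/Jan/2000:03:12:05 +0000] "GET /dir_b/shell.php?x=1 HTTP/1.1" 403 210
198.51.100.7 - - [20/Jan/2000:11:00:00 +0000] "GET /tiki-index.php HTTP/1.1" 200 5120
198.51.100.7 - - [20/Jan/2000:11:00:09 +0000] "GET /dir_a/shell.php HTTP/1.1" 200 17
203.0.113.5 - - [20/Jan/2000:12:30:00 +0000] "GET /tiki-index.php HTTP/1.1" 200 5120
"""

def scan(lines, watched_dirs=WATCHED_DIRS):
    """Per client: progress through the probe sequence and .php hits in watched dirs."""
    seen = defaultdict(lambda: {"step": 0, "blocked": [], "served": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        host, url, status = m.groups()
        path = url.split("?", 1)[0]
        rec = seen[host]
        # Advance only when the next file in the sequence is the one requested.
        if rec["step"] < len(PROBE_SEQUENCE) and PROBE_SEQUENCE[rec["step"]] in path:
            rec["step"] += 1
        if path.lower().endswith(".php") and path.startswith(watched_dirs):
            # 403/404 means the request was refused; any other status needs a look.
            key = "blocked" if status in ("403", "404") else "served"
            rec[key].append((path, status))
    return dict(seen)

def report(findings):
    """Keep clients that ran the full sequence or requested PHP in a watched dir."""
    out = {}
    for host, rec in findings.items():
        full = rec["step"] == len(PROBE_SEQUENCE)
        if full or rec["blocked"] or rec["served"]:
            out[host] = {"full_probe": full, "blocked": rec["blocked"], "served": rec["served"]}
    return out
```

To run it against a real log, pass an open file object to `scan()` in place of `SAMPLE_LOG.splitlines()`; any entry under `served` is the case to investigate first.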