Last modified: 2013-10-23 23:49:16 UTC
Created attachment 10383 [details] The form as I saw it Replicated four times on completely fresh servers with source grabbed from mediawiki.org. Using the web based setup to generate the initial LocalSettings.php for the first time causes a phishing popup to appear using amazon CSS, images, and scripts. I've attached a screenshot and if requested can attach the source I have visible. The page imports an iframe for the form that refers to a page only visible from the client that spawned the popup, in my case: http://ec2-75-101-235-219.compute-1.amazonaws.com:8000/qwopumeuvqopmgutpcypsvjcyzqklwmp.php It will only spawn the first time someone attempts to view the GUI, after which it behaves perfectly. I've repeatedly scanned my computer to ensure that it wasn't locally based malware, and the behavior only appears with the circumstances I described.
I don't see this at all.
I'm not sure why it was happening, but it was definitely happening and I asked him to file a bug. He hosts his wiki(s) on AWS, which may be part of the culprit here.
A rootkit installed somewhere or other? http://www.cibcfcib.com/index.php?page=fraudulent-website-attempts-phishing
(In reply to comment #3) > A rootkit installed somewhere or other? > > http://www.cibcfcib.com/index.php?page=fraudulent-website-attempts-phishing I was just about to post the same thing - similar link: http://www.alliantcreditunion.org/services/security/fraudalerts/ Unable to reproduce the described behavior using AMI: 099720109477/ubuntu/images-testing/ebs/ubuntu-precise-daily-i386-server-20120401
1.18 is no longer supported, and there's no evidence of it coming from MediaWiki installation. It's most likely a malware infection on the client.
Well 1.18 has nothing to do with it, since we still use the same installer. But the fact that nobody could replicate probably makes it a WORKSFORME.