[development] Fully patched site hacked and cloaked

Nilesh Govindarajan lists at itech7.com
Wed Jan 27 14:42:28 UTC 2010


On 01/27/2010 08:09 PM, David Shaver wrote:
> Sounds to me like the Gumblar virus; see this link:
> http://blog.scansafe.com/journal/2009/11/18/where-to-look-for-gumblar-backdoors.html
>
> David A. Shaver
> D. A. Shaver Web Design
> Web Page Design for Small Business
> www.dashaver.com <http://www.dashaver.com>
> PO Box 594 Galesburg,IL 61402-0594
> 309.343.0027
>
>
>
> On Wed, Jan 27, 2010 at 8:22 AM, Ken Rickard <agentrickard at gmail.com> wrote:
>
>     I had something similar happen on WordPress. It was a simple FTP
>     (non-secure) password sniffer watching network traffic to the host.
>     My site would get hacked within twenty minutes of making a change via
>     FTP.
>
>     I finally forced the hosting provider to support SFTP for my account.
>
>     On Wed, Jan 27, 2010 at 7:14 AM, Adam Gregory <arcaneadam at gmail.com> wrote:
>      > This is more a server security issue rather than a Drupal one. I've seen
>      > this happen with Drupal, Joomla, WordPress and custom PHP code. It really
>      > most likely means that access to the server/host was compromised at some
>      > point.
>      >
>      > There are lots of things that can be done to prevent this, like chmod/own-ing
>      > your file system correctly (as Gerhard touched on). This is also a good
>      > reason to use SFTP rather than FTP, as passwords in SFTP are sent encrypted
>      > and FTP are not, leaving them open to a man-in-the-middle attack.
>      >
>      > Ultimately though it's a good example of how Drupal can only go so far in
>      > keeping itself secure but there are still plenty of other ways outside
>      > Drupal's area of responsibility that your site can be compromised.
>      > -----
>      > Adam A. Gregory
>      > Drupal Developer & Consultant
>      > Web: AdamAGregory.com
>      > Twitter: twitter.com/adamgregory <http://twitter.com/adamgregory>
>      > Phone: 910.808.1717
>      > Cell: 706.761.7375
>      >
>      >
>      > On Wed, Jan 27, 2010 at 6:53 AM, Fred Jones <fredthejonester at gmail.com> wrote:
>      >>
>      >> > I also wonder whether Drupal could be adjusted so as to automatically
>      >> > set file bootstrap.inc, and perhaps other critical ones, as read-only. So
>      >> > far it is done only with settings.php file.
>      >>
>      >> Well if they did it via FTP, that wouldn't help...
>      >>
>      >> F
>      >
>      >
>
>
>
>     --
>     Ken Rickard
>     agentrickard at gmail.com <mailto:agentrickard at gmail.com>
>     http://ken.therickards.com
>
>

No Flame Wars, but using Linux prevents viruses ;)

-- 
Nilesh Govindarajan
Site & Server Administrator
www.itech7.com
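
An added example, not part of the original thread and not Drupal's own code: the quoted exchange about marking bootstrap.inc read-only, and the reply that this would not help if the change came in over FTP, can be checked with a small ownership audit. It assumes the standard Drupal paths includes/bootstrap.inc and sites/default/settings.php; `upload_uid` (the numeric uid of the FTP/SFTP account) and the function names are hypothetical.

```python
import os
import stat
import sys

# Extensions Drupal runs as PHP; CRITICAL holds the two files named in the thread.
CODE_EXT = (".php", ".inc", ".module", ".install")
CRITICAL = ("includes/bootstrap.inc", "sites/default/settings.php")


def audit_docroot(docroot, upload_uid):
    """Return {relative_path: [reasons]} for code files upload_uid could alter."""
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.endswith(CODE_EXT) or os.path.islink(path):
                continue
            st = os.stat(path)
            reasons = []
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if st.st_mode & stat.S_IWGRP:
                reasons.append("group-writable")
            if st.st_uid == upload_uid:
                if st.st_mode & stat.S_IWUSR:
                    reasons.append("writable by upload account")
                else:
                    # The owner can chmod the file back, so 0444 is no barrier.
                    reasons.append("read-only but owned by upload account")
            if reasons:
                findings[os.path.relpath(path, docroot)] = reasons
    return findings


def critical_exposed(findings):
    """Subset of CRITICAL that appears in the findings."""
    return [p for p in CRITICAL if p.replace("/", os.sep) in findings]


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    uid = int(sys.argv[2]) if len(sys.argv) > 2 else os.getuid()
    result = audit_docroot(root, uid)
    for rel, why in sorted(result.items()):
        print(f"{rel}: {', '.join(why)}")
    print("critical files exposed:", critical_exposed(result) or "none")
```

A file that is 0444 but still owned by the upload account is reported, which is the point made in the quoted reply: the mode bit only helps when the code is owned by an account the upload credentials cannot act as.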

