[drupal-support] Restoring hacked site -- (Psychophobia backdoor)

Dan Baum sunblockster at gmail.com
Mon Jul 18 14:29:57 UTC 2005


Our drupal system was recently hacked with the PsychoPhobia Backdoor
exploit and I am looking for suggestions on the best way to get back
up and secure.

Our hosting company gave us this from the web logs:

[16/Jul/2005:18:37:15 -0400] "POST /xmlrpc.php HTTP/1.1" 200 25 "-" "-"

There is apparently a known vulnerability in XML-RPC that made this
possible. The sysadmin gave us the following instructions:

>>
The archived files will be made available for you to download some
time later today. However, you would not want to upload the files back
to the server, as they are suspect, UNLESS you have done a full
security audit on the files to ensure their integrity. Better yet, is
to restore the site from known "pristine" backups that were not on the
web server, such as local backups on your local computer.
...
"XML-RPC for PHP XML-RPC for PHP 1.1.1" is listed as not vulnerable.

We could not find a version number on the xmlrpc PHP module on your
site, but it would appear that it is not version 1.1.1.

When you have access to your site again, you will need to use the
non-vulnerable version of XML-RPC when restoring the site.
>>


Two questions for the helpful folks on this list:

a) Our version of Drupal was about 1.5 years old. Will the new version
prevent this sort of thing? Do we need to install a different version
of PHP, or will the files that need updating be in the Drupal package?

b) In any case, we will take the "opportunity" to install the latest
version of Drupal. We do not have a "pristine" local backup. Is there
a painless and *secure* way to transfer the content from the old site
(remember, our version is about 1.5 years old)? Can we be sure we're
not transferring any infected stuff if we copy the data from the old
MySQL database?

Many thanks,

-David
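One practical answer to question b) is to not trust the old database blindly either: dump it, scan the dump for PHP or shell payloads before loading it into the fresh install, and hand any flagged rows to a human. The script below is an added example, not code from the original post or from Drupal; the mysqldump excerpt is constructed, the `node_revisions` column layout it mimics is an assumption, and the indicator list is an assumption about what a backdoor planted through a "PHP code" input format or a web shell usually contains.

```python
"""Scan a MySQL dump of a compromised Drupal site for embedded PHP/shell payloads.

Added example, not from the original post or from Drupal. The dump excerpt
below is constructed, and the indicator list is an assumption about what a
backdoor stored in node bodies (e.g. via a 'PHP code' input format) looks like.
"""
import re

# Constructed sample: INSERT rows in the shape mysqldump emits for a Drupal 4.x
# node_revisions table (assumed column order: nid, vid, uid, title, body, ...).
SAMPLE_DUMP = r"""
INSERT INTO `node_revisions` VALUES (1,1,1,'About us','<p>We are a small club.</p>','',2,1121700000,0);
INSERT INTO `node_revisions` VALUES (2,2,1,'Meeting notes','<p>Minutes from July.</p>','',2,1121700100,0);
INSERT INTO `node_revisions` VALUES (3,3,0,'x','<?php eval(base64_decode($_POST[\'c\'])); ?>','',3,1121706600,0);
INSERT INTO `node_revisions` VALUES (4,4,1,'Links','<a href=\"http://example.org\">site</a>','',2,1121700200,0);
"""

# Indicators of PHP or shell execution hiding in content fields (assumed list).
INDICATORS = [
    r"<\?php",                                   # PHP open tag inside a text column
    r"\beval\s*\(",                              # eval(...)
    r"\bbase64_decode\s*\(",                     # usual obfuscation wrapper
    r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(",
    r"\bpreg_replace\s*\([^)]*/e",               # /e modifier evaluates the replacement
    r"\$_(POST|GET|REQUEST|COOKIE)\[",           # attacker input feeding the above
]
_PATTERN = re.compile("|".join(INDICATORS), re.IGNORECASE)

# One mysqldump-style single-row INSERT per line.
_INSERT_RE = re.compile(r"^INSERT INTO `(?P<table>[^`]+)` VALUES \((?P<values>.*)\);\s*$")


def scan_dump(dump_text):
    """Return [(line_no, table, [matched indicators])] for every suspicious INSERT row."""
    hits = []
    for line_no, line in enumerate(dump_text.splitlines(), start=1):
        m = _INSERT_RE.match(line)
        if not m:
            continue
        found = sorted({x.group(0).lower() for x in _PATTERN.finditer(m.group("values"))})
        if found:
            hits.append((line_no, m.group("table"), found))
    return hits


def strip_flagged_rows(dump_text):
    """Return the dump with flagged INSERT lines removed so the remainder can be
    loaded into the new site; the removed rows go to manual review, not the trash."""
    flagged = {line_no for line_no, _, _ in scan_dump(dump_text)}
    kept = [l for i, l in enumerate(dump_text.splitlines(), start=1) if i not in flagged]
    return "\n".join(kept)


if __name__ == "__main__":
    for line_no, table, found in scan_dump(SAMPLE_DUMP):
        print("line %d table %s: %s" % (line_no, table, ", ".join(found)))
```

Run it against the real dump (`mysqldump olddb > old.sql`, then `scan_dump(open("old.sql").read())`) before importing anything. A clean scan is not proof of a clean database, only the absence of the listed indicators, so also reload into a fresh Drupal install with the PHP input format disabled, and reset every user password and session, since the `users` and `sessions` tables came from a box the attacker controlled.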
