[support] Very Strange Security Breach

Bill Fitzgerald bill at funnymonkey.com
Fri Dec 17 07:20:48 UTC 2010


A couple shots in the dark here -

* What roles have "administer comments" rights?
* Are there any VBO-based comments administration views on the site?
* How secure is the site's database? Is root access still available? If 
so, is the password secure?
* Is phpMyAdmin installed on the site? That can be a weak spot.
* Do the Apache logs from the time of the breach show anything odd/curious?

Also, at the risk of stating the obvious, I'd strongly recommend 
creating a superuser role and retiring your UID1 account for everything 
but upgrades/updates.

Cheers,

Bill

On 12/16/10 9:32 PM, Shai Gluskin wrote:
> Hi gang,
>
> The author and URL of an anonymous comment was changed about three 
> months after the comment was originally posted. The change happened 
> last week. The new name was in Chinese and the URL is to a Chinese web 
> site. The content of the comment was not changed.
>
> I've never had anything like that happen before. After I discovered 
> this I changed user/1 pw (that is the only account on the site with 
> admin privileges).
>
> There is no other evidence of other damage at the site that I found in 
> the wake of this discovery.
>
> (Site was using 6.19 at the time of the breach).
>
> I'm stumped. Ideas anyone?
>
> Shai

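The Apache-log check suggested above is the one most likely to show who rewrote the comment. As an added example (not code from this thread or from Drupal), here is a small triage script that walks a combined-format access log, keeps only POST requests to the Drupal 6 comment-editing paths (`comment/edit/<cid>` and `admin/content/comment`, both with and without the `?q=` form; these paths are an assumption about the site's menu layout), restricts them to the time window in which the change happened, and groups them by source address. The log lines embedded in the script are constructed for the example, not real server data.

```python
import re
from datetime import datetime, timezone

# Constructed Apache combined-format lines standing in for a real access log.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2010:14:03:22 +0000] "GET /node/12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2010:14:03:40 +0000] "GET /comment/edit/57 HTTP/1.1" 200 3311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2010:14:03:58 +0000] "POST /comment/edit/57 HTTP/1.1" 302 - "http://example.org/comment/edit/57" "Mozilla/5.0"
198.51.100.4 - - [10/Dec/2010:14:05:01 +0000] "GET /?q=admin/content/comment HTTP/1.1" 200 8802 "-" "curl/7.21"
198.51.100.4 - - [10/Dec/2010:14:05:09 +0000] "POST /?q=admin/content/comment HTTP/1.1" 302 - "-" "curl/7.21"
192.0.2.9 - - [11/Dec/2010:09:00:00 +0000] "GET /user/login HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Dec/2010:09:00:05 +0000] "POST /user/login HTTP/1.1" 302 - "-" "Mozilla/5.0"
"""

# One Apache "combined" log line: ip ident user [time] "method path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed Drupal 6 paths through which a comment's author/homepage fields can be
# rewritten; matches both clean URLs (/comment/edit/57) and ?q=comment/edit/57.
COMMENT_ADMIN_RE = re.compile(r'(?:^/|[?&]q=)(?:comment/edit/\d+|admin/content/comment)')


def utc(*ymd_hms):
    """Build a timezone-aware UTC datetime, e.g. utc(2010, 12, 10, 14, 4)."""
    return datetime(*ymd_hms, tzinfo=timezone.utc)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Apache timestamps look like 10/Dec/2010:14:03:22 +0000
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def find_comment_writes(log_text, start, end):
    """Return POST requests to comment-administration paths made within [start, end]."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec['method'] != 'POST':
            continue
        if not (start <= rec['ts'] <= end):
            continue
        if COMMENT_ADMIN_RE.search(rec['path']):
            hits.append(rec)
    return hits


def summarize_by_ip(hits):
    """Count comment-writing POSTs per source address."""
    counts = {}
    for rec in hits:
        counts[rec['ip']] = counts.get(rec['ip'], 0) + 1
    return counts


def unexpected_sources(hits, known_admin_ips):
    """Source addresses that wrote comments but are not the site admin's usual addresses."""
    return sorted({rec['ip'] for rec in hits if rec['ip'] not in known_admin_ips})


if __name__ == '__main__':
    # Window around the week in which the comment was found altered (constructed dates).
    hits = find_comment_writes(SAMPLE_LOG, utc(2010, 12, 9), utc(2010, 12, 12))
    for rec in hits:
        print(rec['ts'].isoformat(), rec['ip'], rec['path'], rec['status'], rec['ua'])
    print('per-IP counts:', summarize_by_ip(hits))
    print('not from known admin IPs:', unexpected_sources(hits, {'203.0.113.7'}))
```

Run it against the real log with `SAMPLE_LOG` replaced by the file contents and the window set to the days before the comment was found changed; a POST to a comment-edit path from an address the site owner does not recognise, or with a non-browser user agent and no referer, is the line to pursue further (cross-check it against the `watchdog` table and the session table for the same timestamp).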