[support] Very Strange Security Breach

Steve Power steev at initsix.co.uk
Fri Dec 17 19:23:38 UTC 2010


You might be running in a mode that doesn't serve 777 files; try changing
them to only allow the webserver to read, write, execute, and anonymous to
only read. Hope that helps.

On Fri, Dec 17, 2010 at 7:04 PM, prothero <prothero at geol.ucsb.edu> wrote:

> Folks:
> Not only do I get this error code, but several modules on my site have
> stopped working. The only thing I did was install the security module and
> mess with permissions on the /tmp folder. Sheesh! Very frustrating.
> Bill
>
> William A. Prothero
>
> http://earthednet.org/
>
>
>
> On Dec 17, 2010, at 10:56 AM, prothero wrote:
>
> Folks:
> Thanks for the link to the security test.
> I installed it, BUT, when I was messing with my permissions, to fix various
> file permissions, I did something very simple that caused an error message
> all through the site:
>
> --message:
> user warning: Can't create/write to file '/tmp/#sql_3cb2_0.MYI' (Errcode:
> 13) query: SELECT DISTINCT b.* FROM blocks b LEFT JOIN blocks_roles r ON
> b.module = r.module AND b.delta = r.delta WHERE b.theme = 'solarsentinel'
> AND b.status = 1 AND (r.rid IN (2) OR r.rid IS NULL) ORDER BY b.region,
> b.weight, b.module in /home/wap/public_html/modules/block/block.module on
> line 433
> --end message.
>
> I understand that the error is in permissions for the /tmp directory. I got
> this error when I changed permissions, but now when I do chmod -R 0777 (as a
> test), I still get the error. This should set the permissions to "Everybody
> can do anything". What's up? I'm not a unix expert, but not a novice either
> and this confuses me. Does the "#" char at the start of the file name mean
> the file is invisible?
>
> Regards,
> Bill
>
> William A. Prothero
> http://earthednet.org/
>
>
>
> On Dec 16, 2010, at 11:00 PM, prothero wrote:
>
> I had a similar hack happen. I had about 7 comments on a blog, in Russian,
> from an anonymous user. I have permission set so only registered users can
> make comments. Hmmm... I deleted them, but wonder what I should do to stop
> this in the future. I did set captcha so that comments require it. Drupal
> 6.19.
> Regards,
> Bill
>
> William A. Prothero
> http://earthednet.org/
>
>
>
> On Dec 16, 2010, at 9:32 PM, Shai Gluskin wrote:
>
> Hi gang,
>
> The author and URL of an anonymous comment was changed about three months
> after the comment was originally posted. The change happened last week. The
> new name was in Chinese and the URL is to a Chinese web site. The content of
> the comment was not changed.
>
> I've never had anything like that happen before. After I discovered this I
> changed user/1 pw (that is the only account on the site with
> admin privileges).
>
> There is no other evidence of other damage at the site that I found in the
> wake of this discovery.
>
> (Site was using 6.19 at the time of the breach).
>
> I'm stumped. Ideas anyone?
>
> Shai
> --
> [ Drupal support list | http://lists.drupal.org/ ]



--
Steve Power
Principal Consultant
Mobile: +44 (0) 7747 027 243
Fax: +44 (0)160 421 2871
Skype: steev_initsix
www.initsix.co.uk :: Initsix Heavy Engineering Limited
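
The permission states discussed in this thread (777 files, a world-writable /tmp, MySQL's "Errcode: 13") can be checked with a short audit. This is an added example, not part of any poster's message; the function names and the sample tree are constructed for illustration.

```python
import errno
import os
import stat
import tempfile

def audit_tree(root):
    """Return sorted (relative_path, issue) findings for risky modes under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: report on the entry itself, not a symlink target
            if stat.S_ISLNK(st.st_mode) or not st.st_mode & stat.S_IWOTH:
                continue
            rel = os.path.relpath(path, root)
            if stat.S_ISDIR(st.st_mode):
                # A world-writable directory is only safe to share when the sticky
                # bit limits deletion to each file's owner (mode 1777, as on /tmp).
                if not st.st_mode & stat.S_ISVTX:
                    findings.append((rel, "world-writable dir without sticky bit"))
            else:
                findings.append((rel, "world-writable file"))
    return sorted(findings)

def explain_errcode(code):
    """Map the OS error number MySQL prints after 'Errcode:' to its symbolic name."""
    return errno.errorcode.get(code, "unknown")

def build_sample_tree():
    """Constructed sample docroot; modes are set with chmod so the umask is ignored."""
    root = tempfile.mkdtemp(prefix="docroot-")
    for name, mode in {"index.php": 0o644, "settings.php": 0o777}.items():
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    for name, mode in {"files": 0o777, "shared-tmp": 0o1777, "modules": 0o755}.items():
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    print("Errcode 13 =", explain_errcode(13))
    for rel, issue in audit_tree(build_sample_tree()):
        print(f"{issue}: {rel}")
```

Pointing `audit_tree` at a real docroot lists the entries to tighten; a directory at mode 1777 is not flagged because the sticky bit is present.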