[support] Drupal site hacked - new php files injected

Naveen Valecha er.naveenvalecha at gmail.com
Wed Oct 29 09:12:56 UTC 2014


For more about securing file permissions
https://www.drupal.org/node/244924

On Wed, Oct 29, 2014 at 1:25 PM, Don <donald at fane.com> wrote:

> In addition to updating core and contributed modules, I'd look at
> how permissions are set up too.
> Since I don't update from the admin panel, the only files that can be
> added or changed are in /sites/default/files. You could probably make this
> harder to figure out by changing the names a bit.
>
> I run apache webserver under user 'apache2' and give write permissions
> only in those directories. The other files are owned by a user and a team
> group account.
>
> I wonder if you could do some more magic by not letting *.php files in
> /sites/default/files be run but downloaded only?
>
> --
> -Don Pickerel-
> Fane Software
>
>
> On 10/29/2014 3:17 AM, Ahilan Rajan wrote:
>
>  Hi,
>
> I had installed Drupal 7.21 to run a simple website on my server. All
> seemed well till one day last week I started getting huge amount of
> spam emails from the server which was hosting the website.
>
> On further analysis of the postfix mail queue on the server, I found
> all the emails were generated by TWO php files (css76.php in the
> modules/panels/js directory and session.php in the
> sites/all/libraries/jquery.cycle directory). These two files were
> NEWLY created/injected files and seemed bogus containing a number of
> symbols along with a base64_decode return statement.
>
> Clearly my Drupal setup had been hacked and someone had successfully
> injected these files to send spam email (amongst other things I
> presume).
>
> I shut down the site, installed Security Review and Hacked modules and
> carried out their recommendations and also checked my file permissions
> via recommended scripts.
>
> However I am still not sure what the entry point for this hack was in
> my setup and whether I am fully secure yet in this setup. Any
> suggestions or points in this regard would be highly appreciated.
>
> thanks
> Drupal Newbie



-- 
Naveen valecha
Web : http://valechatech.com
Twitter: http://twitter.com/NaveenValechaNV
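
Added example (not part of the original thread or any poster's code): a Python sweep for the indicators discussed above, namely PHP files in the web-writable sites/default/files tree, PHP files in static-asset directories, and files pairing base64_decode with a code-execution call. The names in STATIC_DIRS, the call list in EXEC and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

UPLOAD_DIR = "sites/default/files"     # the web-writable tree named in the thread
STATIC_DIRS = {"js", "css", "images"}  # assumption: directories that should hold no PHP
DECODE = re.compile(rb"base64_decode\s*\(", re.I)
EXEC = re.compile(rb"\b(eval|assert|create_function)\s*\(", re.I)

def scan(docroot):
    """Return {relative_path: [reasons]} for suspicious PHP files under docroot."""
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        rel_dir = os.path.relpath(dirpath, docroot).replace(os.sep, "/")
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                body = fh.read()
            reasons = []
            if (rel_dir + "/").startswith(UPLOAD_DIR + "/"):
                reasons.append("php in upload dir")
            if STATIC_DIRS & set(rel_dir.split("/")):
                reasons.append("php in static-asset dir")
            if DECODE.search(body) and EXEC.search(body):
                reasons.append("base64_decode with code execution")
            if reasons:
                rel = name if rel_dir == "." else rel_dir + "/" + name
                findings[rel] = reasons
    return findings

def demo():
    samples = {  # constructed: paths mirror the report, contents are inert
        "modules/panels/js/css76.php": b'<?php eval(base64_decode("ZWNobyAxOw=="));',
        "sites/all/libraries/jquery.cycle/session.php":
            b'<?php $s = "#@!"; return eval(base64_decode("ZWNobyAxOw=="));',
        "sites/default/files/upload.php": b"<?php echo 'hi';",
        "modules/example/example.php": b"<?php function example_help() {}",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan(root)

if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, "->", "; ".join(reasons))
```

Point scan() at the real docroot; each hit is a lead to compare against a clean copy of the same release, not proof of compromise.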