[support] support Digest, Vol 142, Issue 4

Roger arelem at bigpond.com
Wed Oct 29 09:26:44 UTC 2014


Hi Ahilan
We had something similar in Drupal 6 and in early and recent Drupal 7 with one ISP. 
The attacks seemed to be because root access to cPanel, or through ssh 
terminal access, was obtained, permitting a hacker into the whole Drupal 
system. Any passwords typed in manually are very vulnerable.

User names and passwords are easy to grab on the internet, and ISPs can be 
lax while professing top-level security.
Very long, convoluted user names and passwords, very difficult to type 
manually, need to be copied and pasted. This has given us a modicum of 
security to date.
Users scream about having to copy and paste, but it was easier for them 
to learn copy and paste than to take the chance on bog-awful passwords, 
especially ISP root/admin passwords. Our server admin access words are 
voluminous, convoluted and difficult to type accurately.

May I suggest keeping a zipped copy of the /sites folder and the database SQL 
file in a /home/Backups directory, outside the /public_html directory 
tree, and making a new version of both once a month, so at worst you only 
lose one month of data.

You can also create an entirely new Drupal install by installing the 
latest Drupal 7, renaming its /sites folder, and copying 
/home/Backup/sites.zip to the new Drupal and extracting it. Your new Drupal 
will be instantly usable, and you can inspect the previous version's code 
as you wish after you rename its /sites folder to make it unavailable.

We always have two Drupal installs on the system, both with the same /sites 
folder, but the second, newer one is named something totally unrelated and 
meaningless, and its sites folder is also renamed to something meaningless, 
so the fresh Drupal site fails to serve until I allow it. I simply 
rename the original and change the fresh install and its /sites folder 
to the original name to run the latest Drupal.

Hope this helps
Roger


>> Hi,
>>
>> I had installed Drupal 7.21 to run a simple website on my server. All
>> seemed well till one day last week I started getting a huge amount of
>> spam emails from the server which was hosting the website.
>>
>> On further analysis of the postfix mail queue on the server, I found
>> all the emails were generated by TWO php files (css76.php in the
>> modules/panels/js directory and session.php in the
>> sites/all/libraries/jquery.cycle directory) . These two files were
>> NEWLY created/injected files and seemed bogus containing a number of
>> symbols along with a base64_decode return statement.
>>
>> Clearly my Drupal setup had been hacked and someone had successfully
>> injected these files to send spam email (amongst other things, I
>> presume).
>>
>> I shut down the site, installed the Security Review and Hacked modules and
>> carried out their recommendations, and also checked my file permissions
>> via the recommended scripts.
>>
>> However I am still not sure what the entry point for this hack was in
>> my setup and whether I am fully secure yet in this setup. Any
>> suggestions or points in this regard would be highly appreciated.
>>
>> thanks
>> Drupal Newbie
>>
>>
>> --
>> [ Drupal support list | http://lists.drupal.org/ ]
>>
