[support] Drupal site hacked - new php files injected
Jamie Holly
hovercrafter at earthlink.net
Wed Oct 29 12:39:03 UTC 2014
First thing is to figure out how they got those files on there. It could
have happened through a Drupal security hole (especially since you are
running such an outdated version), but more than not this happens
through someone gaining shell access. If you still got the files on the
server, look at the creation time of the files, then check your access
logs (/var/log/secure on CentOS/RHEL, /var/log/auth.log on Ubuntu) and
see if there were any logins around that time. Just to be safe I would
also change any passwords that have access to those files, including root.
One thing I always recommend when people run their own server is to
install Fail2Ban. It's available in the repository of most
distributions, so can easily be installed with yum or apt-get. Fail2Ban
detects invalid login attempts to various services, including SSH. If X
amounts of failed logins are attempted in Y minutes by a particular IP,
then it bans that IP in the firewall for Z minutes.
Also make sure the permissions on your file system are properly set.
Everything should have read permissions to PHP and the webserver. The
only files/directory that should be writable by PHP and Webserver is the
sites/default/files (or wherever your files upload to).
The final thing is to make sure you keep Drupal up to date. Drupal 7.21
was released on March 7, 2013. Since then you have had some very serious
security updates you have missed. Those include 7.24, which put
protections in to prevent script execution in the files and temp files
directories, and 7.32, which fixed a SQL injection problem and was one
of the most serious security problems in years. Also make sure your
contributed modules are kept up to date.
I know keeping things up to date can seem tedious, but it is of vital
importance. My suggestion is to set your Drupal installations to email
you when security updates are available. To make updating simpler,
install Drush and update via that.
One final thing, not Drupal. Since this was sending out spam emails,
there is now a good chance that your server is blacklisted by a bunch of
email services. You can check using this tool:
http://mxtoolbox.com/blacklists.aspx
If you did get blacklisted by some services, then you will have to
contact each one and find out their procedure to get yourself removed.
Usually it's not that bad. AOL is probably the worst one to deal with.
Jamie Holly
http://hollyit.net
On 10/29/2014 3:17 AM, Ahilan Rajan wrote:
> Hi,
>
> I had installed drupal 7.21 to run a simple website on my server. All
> seemed well till one day last week I started getting huge amount of
> spam emails from the server which was hosting the website.
>
> On further analysis of the postfix mail queue on the server, I found
> all the emails were generated by TWO php files (css76.php in the
> modules/panels/js directory and session.php in the
> sites/all/libraries/jquery.cycle directory) . These two files were
> NEWLY created/injected files and seemed bogus containing a number of
> symbols along with a base64_decode return statement.
>
> Clearly my drupal setup had been hacked and someone had successfully
> injected these files to send spam email (amongst other things I
> presume)
>
> I shutdown the site, installed Security Review and Hacked modules and
> carried out their recommendations and also checked my file permissions
> via recommended scripts.
>
> However I am still not sure what the entry point for this hack was in
> my setup and whether I am fully secure yet in this setup. Any
> suggestions or points in this regard would be highly appreciated.
>
> thanks
> Drupal Newbie
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.drupal.org/pipermail/support/attachments/20141029/ad2c18b4/attachment.html
More information about the support
mailing list