[support] Drupal site hacked - new php files injected

Jamie Holly hovercrafter at earthlink.net
Wed Oct 29 12:39:03 UTC 2014


First thing is to figure out how they got those files on there. It could 
have happened through a Drupal security hole (especially since you are 
running such an outdated version), but more often than not this happens 
through someone gaining shell access. If you still have the files on the 
server, look at the creation time of the files, then check your access 
logs (/var/log/secure on CentOS/RHEL, /var/log/auth.log on Ubuntu) and 
see if there were any logins around that time. Just to be safe I would 
also change any passwords that have access to those files, including root.

One thing I always recommend when people run their own server is to 
install Fail2Ban. It's available in the repository of most 
distributions, so it can easily be installed with yum or apt-get. Fail2Ban 
detects invalid login attempts to various services, including SSH. If X 
failed logins are attempted in Y minutes by a particular IP, 
then it bans that IP in the firewall for Z minutes.

Also make sure the permissions on your file system are properly set. 
Everything should be readable by PHP and the webserver. The 
only directory that should be writable by PHP and the webserver is 
sites/default/files (or wherever your files upload to).

The final thing is to make sure you keep Drupal up to date. Drupal 7.21 
was released on March 7, 2013. Since then you have had some very serious 
security updates you have missed. Those include 7.24, which put 
protections in to prevent script execution in the files and temp files 
directories, and 7.32, which fixed a SQL injection problem and was one 
of the most serious security problems in years. Also make sure your 
contributed modules are kept up to date.

I know keeping things up to date can seem tedious, but it is of vital 
importance. My suggestion is to set your Drupal installations to email 
you when security updates are available. To make updating simpler, 
install Drush and update via that.

One final thing, not Drupal. Since this was sending out spam emails, 
there is now a good chance that your server is blacklisted by a bunch of 
email services. You can check using this tool:

http://mxtoolbox.com/blacklists.aspx

If you did get blacklisted by some services, then you will have to 
contact each one and find out their procedure to get yourself removed. 
Usually it's not that bad. AOL is probably the worst one to deal with.

Jamie Holly
http://hollyit.net

On 10/29/2014 3:17 AM, Ahilan Rajan wrote:
> Hi,
>
> I had installed drupal 7.21 to run a simple website on my server. All
> seemed well till one day last week I started getting a huge amount of
> spam emails from the server which was hosting the website.
>
> On further analysis of the postfix mail queue on the server, I found
> all the emails were generated by TWO php files (css76.php in the
> modules/panels/js directory and session.php in the
> sites/all/libraries/jquery.cycle directory). These two files were
> NEWLY created/injected files and seemed bogus, containing a number of
> symbols along with a base64_decode return statement.
>
> Clearly my drupal setup had been hacked and someone had successfully
> injected these files to send spam email (amongst other things I
> presume)
>
> I shut down the site, installed Security Review and Hacked modules and
> carried out their recommendations and also checked my file permissions
> via recommended scripts.
>
> However I am still not sure what the entry point for this hack was in
> my setup and whether I am fully secure yet in this setup. Any
> suggestions or points in this regard would be highly appreciated.
>
> thanks
> Drupal Newbie
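Added example, not part of the thread: a small Python triage helper for the step Jamie describes above, taking a suspicious file's timestamp and pulling the sshd logins (failed and accepted) recorded in the auth log within a window around it. The hostname, IP addresses and log lines below are constructed sample data; the file paths in the usage comment are the ones from the original post.

```python
import os
import re
from datetime import datetime, timedelta

# Constructed sample of /var/log/auth.log (not from the thread). Syslog lines carry no year.
SAMPLE_AUTH_LOG = """\
Oct 28 23:55:02 web1 sshd[2101]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2
Oct 29 02:38:41 web1 sshd[2350]: Failed password for root from 203.0.113.45 port 51234 ssh2
Oct 29 02:39:10 web1 sshd[2352]: Accepted password for root from 203.0.113.45 port 51240 ssh2
Oct 29 02:39:10 web1 sshd[2352]: pam_unix(sshd:session): session opened for user root by (uid=0)
Oct 29 09:12:55 web1 sshd[2710]: Accepted publickey for deploy from 198.51.100.7 port 40320 ssh2
"""

# Matches both successful and failed sshd password/publickey attempts.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+)"
)


def file_time_iso(path):
    """Last-modification time of a file as ISO 8601 (ext4 exposes no creation time via stat)."""
    return datetime.fromtimestamp(os.stat(path).st_mtime).isoformat()


def parse_auth_log(text, year):
    """Turn sshd lines into login events; `year` is supplied because syslog omits it."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # session/pam noise and non-sshd lines are skipped
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": when, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def logins_near(log_text, file_time, window_minutes=60):
    """Login events within +/- window_minutes of the suspicious file's ISO timestamp, oldest first."""
    centre = datetime.fromisoformat(file_time)
    window = timedelta(minutes=window_minutes)
    events = parse_auth_log(log_text, centre.year)  # assumes log and file share a year
    return sorted((e for e in events if abs(e["time"] - centre) <= window), key=lambda e: e["time"])


if __name__ == "__main__":
    # Real use: logins_near(open("/var/log/auth.log").read(), file_time_iso("modules/panels/js/css76.php"))
    for e in logins_near(SAMPLE_AUTH_LOG, "2014-10-29T02:55:00"):
        print(e["time"], e["result"], e["method"], e["user"], "from", e["ip"])
```

A failed attempt followed within seconds by an accepted password login for root from the same address, as in the sample, is the pattern worth changing passwords and disabling password authentication over.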
