<div class="gmail_quote">On Thu, Apr 15, 2010 at 12:58 PM, David <span dir="ltr"><<a href="mailto:david@hartster.org">david@hartster.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
(Not sure if there's a better place to ask this)<br>
<br>
My Drupal site was hacked recently. index.php was modified at the top<br>
to include another file which was a static page with a lot of nonsense<br>
about Cialis but also had a nasty <?php<br>
eval(gzinflate(base64_decode([string])) ?> at the bottom.<br>
<br>
I don't know whether it was a Drupal issue: I was running 6.14 and had<br>
a couple of modules that were one step behind on upgrading, but<br>
nothing that seemed too dangerous. All vistiors to my site are<br>
anonymous and can't upload any files etc.<br>
<br>
My site is hosted on Rackspace Cloud Sites and I use SFTP. I'm not<br>
aware of anything dodgy on my local system (Kaspersky doesn't report<br>
anything).<br>
<br>
I've edited index.php and deleted a few files I have found on the site.<br>
<br>
I've changed my FTP password.<br>
<br>
Is there anything I can do on a production site to make sure this<br>
doesn't happen again? Without knowing where the attack came from I'm a<br>
bit concerned. Would copying index.php to (say) front.php, get<br>
htaccess to use that as the default page, and create a dummy index.php<br>
fool an automated attack? Probably not.<br>
<br>
Alternatively, does anyone know of a good monitoring service that<br>
would text me if a page on a site changes, so at least I know<br>
straightaway if this happens again, rather than it being up over a<br>
weekend.<br>
<font color="#888888">--<br>
[ Drupal support list | <a href="http://lists.drupal.org/" target="_blank">http://lists.drupal.org/</a> ]<br>
</font></blockquote></div><br>So many things to check but first - what hosting environment are you on? Shared, private virtual, dedicated?<br><br>Can you get the output of last | less?<br><br>Is your system log full of failed login attempts?<br>
<br>What are the permissions on the "document root" directory?<br clear="all"><br>-- <br>Rev. Jim Tarvid, PCA<br>Galax, Virginia<br><a href="http://ls.net">http://ls.net</a><br><a href="http://drupal.ls.net">http://drupal.ls.net</a><br>
<a href="http://crossleft.org">http://crossleft.org</a><br><br><br>