<div dir="ltr">For more about securing file permissions<br><a href="https://www.drupal.org/node/244924">https://www.drupal.org/node/244924</a><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Oct 29, 2014 at 1:25 PM, Don <span dir="ltr"><<a href="mailto:donald@fane.com" target="_blank">donald@fane.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>In addition to updating core and and
contributed modules, I'd look at how permissions are set up too.<br>
Since i don't update from the admin panel, the only files that can
be added or changed are in /sites/default/files. You could
probably make this harder to figure out by changing the names a
bit.<br>
<br>
I run apache webserver under user 'apache2' and giving write
permissions only in those directories. The other files are owned
by a user and a team group account.<br>
<br>
I wonder if you could do some more magic by not letting *.php
files in /sites/default/files be run but downloaded only?<br>
<br>
-- <br>
-Don Pickerel-<br>
Fane Software<br>
<img alt="" src="cid:part1.04040308.02020105@fane.com" height="70" width="66"><div><div class="h5"><br>
<br>
On 10/29/2014 3:17 AM, Ahilan Rajan wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_quote">Hi,<br>
<br>
I had installed drupal 7.21 to run a simple website on my
server. All<br>
seemed well till one day last week I started getting huge
amount of<br>
spam emails from the server which was hosting the website.<br>
<br>
On further analysis of the postfix mail queue on the server, I
found<br>
all the emails were generated by TWO php files (css76.php in
the<br>
modules/panels/js directory and session.php in the<br>
sites/all/libraries/jquery.cycle directory) . These two files
were<br>
NEWLY created/injected files and seemed bogus containing a
number of<br>
symbols along with a base64_decode return statement.<br>
<br>
Clearly my drupal setup had been hacked and someone had
successfully<br>
injected these files to send spam email (amongst other things
I<br>
presume)<br>
<br>
I shutdown the site, installed Security Review and Hacked
modules and<br>
carried out their recommendations and also checked my file
permissions<br>
via recommended scripts.<br>
<br>
However I am still not sure what the entry point for this hack
was in<br>
my setup and whether I am fully secure yet in this setup. Any<br>
suggestions or points in this regard would be highly
appreciated.<br>
<br>
thanks<br>
Drupal Newbie<br>
</div>
<br>
</div>
<br>
<fieldset></fieldset>
<br>
</blockquote>
<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888"><div>-- <br>
<br>
<div>-- <br>
-Don Pickerel-<br>
Fane Software<br>
<img alt="" src="cid:part1.04040308.02020105@fane.com" height="70" width="66"><br>
</div>
</div>
</font></span></div>
<br>--<br>
[ Drupal support list | <a href="http://lists.drupal.org/" target="_blank">http://lists.drupal.org/</a> ]<br></blockquote></div><br><br clear="all"><br>-- <br><div dir="ltr"><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">Naveen valecha<br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">Web : <a href="http://valechatech.com/" target="_blank">http://valechatech.com</a><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">Twitter: <a href="http://twitter.com/NaveenValechaNV" target="_blank">http://twitter.com/NaveenValechaNV</a></div></div>
</div>