Thanks for feedback, esp. to Steve who had some fun excavating the malicious PHP code layer by layer.

News (and some answers to various points in this thread):

The site got hacked again today, despite all FTP password changes etc. Because (that is of course an assumption, but a reasonable one) bootstrap.inc was read-only, the hacker created bootstrap.php in the includes/ folder. Not sure there was a way to use it but still, it got created.

The logs were flooded with entries like this:
[27-Jan-2010 06:04:13] PHP Warning:  file_get_contents(http://95.168.177.240/spyder/796f757468666f72756d2e6f7267667266726f75725f776f726b676c6f62616c576f726c64.html) [<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in .../web/content/includes/bootstrap.php on line 1

I reloaded Drupal and modules again and blocked that IP range, etc.
No, no real custom modules, just a few views hooks.

So the question remains how anyone managed to write to Drupal's directory.
This is a RackspaceCloud/Mosso installation; I've raised the issue with them -- in case they've got a hole in Apache, but I think that's unlikely.

I always use SSH (Port 22, WinSCP) but I am now investigating the possibility of some of my clients using insecure FTP, which of course would be a very likely attack vector.
(It may be the work of a virus but it's hard to say it's Gumblar, as I assume the PHP code cared for redirect based on referer, so not the iframe solution.)

Any further ideas are of course appreciated. And those on RackspaceCloud, check your bootstrap.inc files today.

vacilando / Tomáš
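As an added example (not code from this thread), a small Python checker that scans PHP error-log lines of the kind quoted above, pulls out the remote host the dropped-in file tried to fetch from, decodes the hex-encoded file name, and reports which local file triggered the fetch. The log sample embeds the one line quoted in the post plus a constructed benign notice; the regular expression assumes PHP's default error_log line format.

```python
"""Spot remote file_get_contents() attempts in a PHP error log.

Added example, not from the mailing-list thread. The second sample line is
constructed; the first is the entry quoted in the post.
"""
import re
from urllib.parse import urlparse

SAMPLE_LOG = r"""[27-Jan-2010 06:04:13] PHP Warning:  file_get_contents(http://95.168.177.240/spyder/796f757468666f72756d2e6f7267667266726f75725f776f726b676c6f62616c576f726c64.html) [<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in .../web/content/includes/bootstrap.php on line 1
[27-Jan-2010 06:05:00] PHP Notice:  Undefined index: foo in /var/www/sites/all/modules/views/views.module on line 42
"""

# Assumes PHP's default "[date] PHP Level:  message in FILE on line N" layout.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] PHP (?P<level>\w+):\s+"
    r"file_get_contents\((?P<url>https?://[^)]+)\).*?"
    r" in (?P<file>\S+) on line (?P<line>\d+)"
)


def decode_hex_name(name):
    """Return the ASCII text behind a hex-encoded file name, or None if it is not one."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", stem):
        return None
    try:
        return bytes.fromhex(stem).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def find_remote_fetches(log_text):
    """Return one finding per log line where PHP tried to fetch a remote URL."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ordinary notices and warnings are not of interest here
        url = urlparse(m.group("url"))
        findings.append({
            "timestamp": m.group("ts"),
            "remote_host": url.hostname,
            "decoded_name": decode_hex_name(url.path.rsplit("/", 1)[-1]),
            "local_file": m.group("file"),
            "line": int(m.group("line")),
        })
    return findings


if __name__ == "__main__":
    for f in find_remote_fetches(SAMPLE_LOG):
        print(f"{f['timestamp']}: {f['local_file']}:{f['line']} fetched from "
              f"{f['remote_host']} (name decodes to {f['decoded_name']!r})")
```

The decoded name is what the attacker's server used to tell compromised sites apart; the remote host and the local file path are the two values worth feeding into a firewall rule and an integrity check respectively.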

On Wed, Jan 27, 2010 at 15:43, Khalid Baheyeldin <kb@2bits.com> wrote:
Yes, but you don't

On Wed, Jan 27, 2010 at 9:35 AM, Nilesh Govindarajan <lists@itech7.com> wrote:
On 01/27/2010 08:01 PM, Gerhard Killesreiter wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Adam Gregory schrieb:
This is more a server security issue rather than a Drupal one. I've seen
this happen with Drupal, Joomla, Wordpress and custom PHP code. It
really most likely means that access to the server/host was compromised
at some point.

There are lots of things that can be done to prevent this, like
chmod/own-ing your file system correctly (as Gerhard touched on). This is
also a good reason to use SFTP rather than FTP, as passwords in SFTP are
sent encrypted and in FTP they are not, leaving them open to a *man-in-the-middle
attack.*

People still using FTP in 2010 should be shot on sight.

Cheers,
       Gerhard

*ahem*

Public mirrors do use them?

FTP is good if you can configure it properly. It can be a big security bug, as happened in this case, if not configured properly :)

Yes, but public mirrors do not require passwords. What Gerhard is talking
about is uploading stuff to your site via an FTP account with a user name
and password.
--
Khalid M. Baheyeldin
2bits.com, Inc.
http://2bits.com
Drupal optimization, development, customization and consulting.
Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
Simplicity is the ultimate sophistication. --   Leonardo da Vinci
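As an added example tied to the chmod/ownership point above and to the unexpected bootstrap.php from the first post (not code from the thread or from Drupal itself), a Python audit that walks a docroot and flags anything the PHP user could write to, plus any .php/.inc file in includes/ that is not on an expected list. The expected list here is a two-file stand-in for the real core manifest, the demo docroot is built in a temporary directory, and the web-server uid/gid are assumed values chosen to differ from the account running the demo.

```python
"""Audit a Drupal docroot for entries the PHP user could write, and for files
in includes/ that core does not ship.

Added example, not code from the thread or from Drupal. EXPECTED_INCLUDES is a
constructed stand-in for the installed release's file list.
"""
import os
import shutil
import stat
import tempfile

EXPECTED_INCLUDES = {"bootstrap.inc", "common.inc"}  # stand-in, not the real list


def entry_writable_by(st, uid, gid):
    """True if an account with this uid/gid could write to the entry."""
    mode = st.st_mode
    if mode & stat.S_IWOTH:
        return True
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    return bool(st.st_gid == gid and mode & stat.S_IWGRP)


def audit_tree(docroot, web_uid, web_gid, expected_includes=EXPECTED_INCLUDES):
    """Return sorted (relative_path, reason) findings for the tree under docroot."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # link bits mean nothing; the target is audited on its own
            rel = os.path.relpath(path, docroot)
            if entry_writable_by(st, web_uid, web_gid):
                findings.append((rel, "writable by web server"))
            # Any PHP-like file in includes/ beyond the core list is a red flag.
            if (os.path.basename(dirpath) == "includes"
                    and name in filenames
                    and name.endswith((".php", ".inc"))
                    and name not in expected_includes):
                findings.append((rel, "unexpected file in includes/"))
    return sorted(findings)


def run_demo():
    """Build a small constructed docroot, audit it, clean up, return findings."""
    docroot = tempfile.mkdtemp(prefix="drupal-audit-")
    try:
        os.makedirs(os.path.join(docroot, "includes"))
        os.makedirs(os.path.join(docroot, "sites", "default", "files"))
        layout = {
            "includes/bootstrap.inc": 0o444,          # hardened core file
            "includes/common.inc": 0o444,
            "includes/bootstrap.php": 0o666,          # dropped-in file, world-writable
            "sites/default/files/.htaccess": 0o444,
        }
        for rel, mode in layout.items():
            full = os.path.join(docroot, rel)
            with open(full, "w") as fh:
                fh.write("<?php\n")
            os.chmod(full, mode)
        # The uploads directory is legitimately writable, but it is reported
        # anyway so that allowing it is an explicit decision, not a silent one.
        os.chmod(os.path.join(docroot, "sites", "default", "files"), 0o777)
        # Assumed ids: anything other than the account creating the demo files,
        # so only world/group-writable bits fire. On a server use PHP's real ids.
        web_uid = os.getuid() + 1 if hasattr(os, "getuid") else 33
        web_gid = os.getgid() + 1 if hasattr(os, "getgid") else 33
        return audit_tree(docroot, web_uid, web_gid)
    finally:
        shutil.rmtree(docroot, ignore_errors=True)


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{rel}: {reason}")
```

On a real host the uid/gid passed in are those of the PHP worker (the account an injected script runs as), and the expected set is the file list of the installed core release; the read-only bootstrap.inc then passes while a freshly created bootstrap.php is reported on both counts.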