I'm hosting a few Drupal 5 & 6 installs on Rackspace Cloud Servers; so far, no problems, but I'll definitely be on alert now. Also FTR, I've seen a similar (but not quite identical) sort of attack on an xcart installation on another host.

Thanks,
Matt

On Wed, Jan 27, 2010 at 8:56 AM, Steve Power <steev@initsix.co.uk> wrote:
http://la-samhna.de/samhain/ if you have the resources to run it (it's complex)
Or, an afternoon's work should have something nice going on if you use tripwire http://sourceforge.net/projects/tripwire/
Not sure how to do this on a shared host tho.
On Wed, Jan 27, 2010 at 4:41 PM, Steven Jones <steven.jones@computerminds.co.uk> wrote:
Is it a good security tip to monitor the integrity of Drupal sources by using MD5 hashes on the files? Is there a known/efficient way to achieve this?
http://drupal.org/project/md5check
But this is a Drupal module, and thus pretty useless, because it is part of the system that you're looking to stop being modified. Better to just hash some files on cron or something if you care to leave your Drupal installation writeable by the web server.

Regards
Steven Jones
ComputerMinds ltd - Perfect Drupal Websites
Phone : 024 7666 7277
Mobile : 07702 131 576
Twitter : darthsteven
http://www.computerminds.co.uk
2010/1/27 Nicolas Tostin <nicolast@logis.com.mx>:
Is it a good security tip to monitor the integrity of Drupal sources by using MD5 hashes on the files? Is there a known/efficient way to achieve this?

----- Original Message -----
From: "Laura" <pinglaura@gmail.com>
To: <development@drupal.org>
Sent: Wednesday, January 27, 2010 9:53 AM
Subject: Re: [development] Fully patched site hacked and cloaked
On Jan 27, 2010, at Wed 1/27/10 4:45am, Gerhard Killesreiter wrote:
Were you able to determine the attack vector that was used to be able to modify bootstrap.inc?
I just saw this performed on a D5 site. Bootstrap.inc was indeed altered, an additional system.php file was inserted in the modules folder, and the pernicious (drug) website files were inserted into the cgi folder *above* the webroot. The code was sniffing passwords. Several files contained nothing but hashes.
I mention this because if we see a pattern across many sites, this entire conversation should move to security reports offline.
Laura
--
Steve Power
Principal Consultant
Mobile: +44 (0) 7747 027 243
Skype: steev_initsix
www.initsix.co.uk :: Initsix Heavy Engineering Limited
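
Added example, not part of any message in this thread: a small version of the "hash some files on cron" approach, run from outside Drupal so the checker is not part of the tree it watches, and reporting both altered files (such as bootstrap.inc) and newly added ones (such as an extra system.php). It uses SHA-256 in place of the MD5 mentioned above; the paths, script name and function names are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU coreutils sha256sum and
# file names without newlines or backslashes. Paths below are placeholders.
DRUPAL_ROOT=${DRUPAL_ROOT:-/var/www/drupal}
MANIFEST=${MANIFEST:-/var/lib/integrity/drupal.sha256}  # outside the webroot

# Print "hash  ./path" for every regular file under $1, sorted by path.
hash_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# Record the known-good state, e.g. right after a clean install or update.
make_baseline() {
    hash_tree "$1" > "$2"
}

# Compare the tree under $1 with manifest $2. Prints one line per changed,
# new or missing file; returns 1 if anything differs, 0 if the tree matches.
check_tree() {
    current=$(mktemp) || return 2
    hash_tree "$1" > "$current"
    report=$(awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { base[path] = hash; next }
        { seen[path] = 1
          if (!(path in base))         print "ADDED " path
          else if (base[path] != hash) print "MODIFIED " path }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$current" | sort)
    rm -f "$current"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Cron usage (run as a user the web server cannot write as), e.g.:
#   17 3 * * * /usr/local/sbin/drupal-integrity.sh check
# Cron mails any output, so a clean run stays silent.
case "${1:-}" in
    baseline) make_baseline "$DRUPAL_ROOT" "$MANIFEST" ;;
    check)    check_tree "$DRUPAL_ROOT" "$MANIFEST" ;;
esac
```

The manifest is only as trustworthy as its storage: keep it and the script owned by an account the web server cannot write as, and re-run `baseline` after each legitimate core or module update.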