Sounds to me like Gumblar Virus see this link http://blog.scansafe.com/journal/2009/11/18/where-to-look-for-gumblar-backdo... David A. Shaver D. A. Shaver Web Design Web Page Design for Small Business www.dashaver.com PO Box 594 Galesburg,IL 61402-0594 309.343.0027 On Wed, Jan 27, 2010 at 8:22 AM, Ken Rickard <agentrickard@gmail.com> wrote:
I had something similar happen on WordPress. It was a simple FTP (non-secure) password sniffer watching network traffic to the host. My site would get hacked within twenty minutes of making a change via FTP.
I finally forced the hosting provider to support SFTP for my account.
On Wed, Jan 27, 2010 at 7:14 AM, Adam Gregory <arcaneadam@gmail.com> wrote:
This is more a server security issue rather than a Drupal one. I've seen this happen with Drupal, Joomla, Wordpress and custom PHP code. It really most likely means that access to the server/host was compromised at some point.
There are lost of things that can be done to prevent this like chmod/own-ing your file system correctly(As Gerhard touched on). This is also a good reason to use SFTP rather then FTP as passwords in SFTP are sent encrypted and FTP are not leaving them open to a man-in-the-middle attack.
Ultimately though it's a good example of how Drupal can only go so far in keeping itself secure but there are still plenty of other ways out side Drupals area of responsibility that your site can be compromised. ----- Adam A. Gregory Drupal Developer & Consultant Web: AdamAGregory.com Twitter: twitter.com/adamgregory Phone: 910.808.1717 Cell: 706.761.7375
On Wed, Jan 27, 2010 at 6:53 AM, Fred Jones <fredthejonester@gmail.com> wrote:
I also wonder whether Drupal could be adjusted so as to automatically set file bootstrap.inc, and perhaps other critical ones, as read-only. So far it is done only with settings.php file.
Well if they did it via FTP, that wouldn't help...
F
-- Ken Rickard agentrickard@gmail.com http://ken.therickards.com