As others have pointed out, they likely have not applied the security fixes released almost a month ago. I'm also wondering: why were these sites running such that the web server had write access to index.php? On 7/25/05, Bob Doyle <bobdoyle@skybuilders.com> wrote:
Hi all,
Quite a few Drupal sites appear to have been hit by this hack in the last few days?
Linux servicesb.skybuilders.com 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386 GNU/Linux uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),503(skyapp)
Nothing Deleted
They only replace the main index.php file and touch a couple of images folders (without altering or adding images).
Is there a fix to prevent this happening again?
-- Bob Doyle Editor In Chief, CMS Review - http://www.cmsreview.com Technology Adviser, CM Pros - http://www.cmprofessionals.org CEO, skyBuilders - http://www.skybuilders.com 77 Huron Avenue Cambridge, MA 02138 617-876-5678