On Fri, Dec 17, 2010 at 12:20 AM, Bill Fitzgerald bill@funnymonkey.com wrote:
> - What roles have "administer comments" rights?
> - Are there any VBO-based comments administration views on the site?
> - How secure is the site's database? Is root access still available? If so, is the password secure?
> - Is phpMyAdmin installed on the site? That can be a weak spot.
> - Do the Apache logs from the time of the breach show anything odd/curious?
>
> All sage advice and good questions.
>
> Also, at the risk of stating the obvious, I'd strongly recommend creating a superuser role and retiring your UID1 account for everything but upgrades/updates.
I think it's not so obvious and not really useful. If the "superuser role" has the permission to "administer users" or "administer permissions" then any user in that role has the exact same permissions as UID1. The only difference is, as you state, running update.php (in D7 that distinction is gone - anyone with the right permission can run update.php).
The idea that "uid1 = unsafe" is a security myth that needs to die. There are other more likely avenues of attack such as incorrectly configured input formats.
For those interested, you can test your input formats against security best practices by trying out http://drupal.org/project/security_review
Cheers, Greg
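As an added illustration of the two points above (Bill's "what roles have administer comments rights?" and Greg's observation that "administer users" or "administer permissions" makes a role equivalent to uid 1), here are read-only audit queries for a stock Drupal 6 and Drupal 7 database. These are not from the thread or the Drupal project; they assume no table prefix, and the role name 'superuser' in the last query is a placeholder to substitute with whatever the first queries return.

```sql
-- Added example, not from the thread. Run against a copy of the site DB.
-- Goal: find every role that is effectively uid 1 (can grant itself anything)
-- or that can administer comments, then list the accounts holding those roles.

-- Drupal 6: {permission}.perm is one comma-separated string per role,
-- so a substring match is the only way to test for a single permission.
SELECT r.rid, r.name, p.perm
FROM role r
JOIN permission p ON p.rid = r.rid
WHERE p.perm LIKE '%administer users%'
   OR p.perm LIKE '%administer permissions%'
   OR p.perm LIKE '%administer comments%'
ORDER BY r.rid;

-- Drupal 7: {role_permission} holds one row per (role, permission),
-- so an exact IN () match works and returns which right each role has.
SELECT r.rid, r.name, rp.permission
FROM role r
JOIN role_permission rp ON rp.rid = r.rid
WHERE rp.permission IN ('administer users',
                        'administer permissions',
                        'administer comments')
ORDER BY r.rid, rp.permission;

-- Both versions: which accounts are in a privileged role, and whether they
-- are still active (status = 1). Replace the placeholder role name with
-- the role names returned above; uid 1 never appears here, it is implicit.
SELECT u.uid, u.name, u.status, r.name AS role_name
FROM users u
JOIN users_roles ur ON ur.uid = u.uid
JOIN role r ON r.rid = ur.rid
WHERE r.name = 'superuser'   -- placeholder role name
ORDER BY u.uid;
```

Any row from the first two queries for a role other than the intended administrator role is a finding: on Drupal 6 the "administer permissions" right lets that role hand itself every other permission, which is why a separate "superuser" role does not reduce exposure compared with uid 1. The third query is what to pair with the Apache log review Bill mentions, since it tells you which active accounts could have made the change you are investigating.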