In addition to updating core and and contributed modules, I'd look at how permissions are set up too.
Since i don't update from the admin panel, the only files that can be added or changed are in /sites/default/files. You could probably make this harder to figure out by changing the names a bit.

I run apache webserver under user 'apache2' and giving write permissions only in those directories. The other files are owned by a user and a team group account.

I wonder if you could do some more magic by not letting *.php files in /sites/default/files be run but downloaded only?

--
-Don Pickerel-
Fane Software


On 10/29/2014 3:17 AM, Ahilan Rajan wrote:

Hi,

I had installed drupal 7.21 to run a simple website on my server. All
seemed well till one day last week I started getting huge amount of
spam emails from the server which was hosting the website.

On further analysis of the postfix mail queue on the server, I found
all the emails were generated by TWO php files (css76.php in the
modules/panels/js directory and session.php in the
sites/all/libraries/jquery.cycle directory) . These two files were
NEWLY created/injected files and seemed bogus containing a number of
symbols along with a base64_decode return statement.

Clearly my drupal setup had been hacked and someone had successfully
injected these files to send spam email (amongst other things I
presume)

I shutdown the site, installed Security Review and Hacked modules and
carried out their recommendations and also checked my file permissions
via recommended scripts.

However I am still not sure what the entry point for this hack was in
my setup and whether I am fully secure yet in this setup. Any
suggestions or points in this regard would be highly appreciated.

thanks
Drupal Newbie

--

--
-Don Pickerel-
Fane Software