(Not sure if there's a better place to ask this)
My Drupal site was hacked recently. index.php was modified at the top to include another file which was a static page with a lot of nonsense about Cialis but also had a nasty <?php eval(gzinflate(base64_decode([string])) ?> at the bottom.
I don't know whether it was a Drupal issue: I was running 6.14 and had a couple of modules that were one step behind on upgrading, but nothing that seemed too dangerous. All visitors to my site are anonymous and can't upload any files etc.
My site is hosted on Rackspace Cloud Sites and I use SFTP. I'm not aware of anything dodgy on my local system (Kaspersky doesn't report anything).
I've edited index.php and deleted a few files I have found on the site.
I've changed my FTP password.
Is there anything I can do on a production site to make sure this doesn't happen again? Without knowing where the attack came from I'm a bit concerned. Would copying index.php to (say) front.php, get htaccess to use that as the default page, and create a dummy index.php fool an automated attack? Probably not.
Alternatively, does anyone know of a good monitoring service that would text me if a page on a site changes, so at least I know straightaway if this happens again, rather than it being up over a weekend.
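The change detection asked about above, as an added example that is not part of the thread: a Python script that hashes every file under the web root into a baseline, reports what was modified, added or removed since, and scans code files for the eval(gzinflate(base64_decode(...))) shape of the injected payload. The web root, the sample files and the dummy payload string are constructed here; on a real site you would run it from cron against the live docroot.

```python
"""Integrity baseline plus webshell-signature scan for a web root.

Added example, not code from the thread. The web root, the files in it and
the payload string are all constructed here for illustration.
"""
import hashlib
import os
import re
import shutil
import tempfile

# Signatures of obfuscated PHP droppers. The first is the shape seen in the
# hacked index.php: eval(gzinflate(base64_decode(...))). Whitespace-tolerant.
SUSPICIOUS = [
    re.compile(rb"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\("),
    re.compile(rb"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{200,}"),
    re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"),
]
# Extensions Drupal 6 treats as PHP; everything else is data and is only hashed.
CODE_EXTENSIONS = (".php", ".inc", ".module", ".install", ".theme", ".engine", ".profile")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> sha256 for every regular file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def diff_baseline(root, baseline):
    """Return (modified, added, removed) relative paths versus a stored baseline."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def scan_suspicious(root):
    """Relative paths of code files matching one of the dropper signatures."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(CODE_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                data = f.read()
            if any(sig.search(data) for sig in SUSPICIOUS):
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def demo():
    """Build a throwaway web root, baseline it, replay the kind of change the
    thread describes, and return what the two checks report. All constructed."""
    root = tempfile.mkdtemp(prefix="webroot-")
    try:
        os.makedirs(os.path.join(root, "sites", "default"))
        clean_index = (b"<?php\n// stand-in for Drupal 6's front controller\n"
                       b"require_once './includes/bootstrap.inc';\n")
        with open(os.path.join(root, "index.php"), "wb") as f:
            f.write(clean_index)
        with open(os.path.join(root, "sites", "default", "settings.php"), "wb") as f:
            f.write(b"<?php\n$db_url = 'mysql://user:pass@localhost/drupal';\n")
        baseline = build_baseline(root)  # on a real host, keep this copy off the server

        # Simulated compromise: a new spam page ending in an obfuscated eval, and an
        # include for it prepended to index.php. The base64 blob is a dummy string.
        dropper = (b"<html><body>buy cheap pills</body></html>\n"
                   b"<?php eval(gzinflate(base64_decode('" + b"A" * 300 + b"'))); ?>\n")
        with open(os.path.join(root, "sites", "default", "files_xtra.php"), "wb") as f:
            f.write(dropper)
        with open(os.path.join(root, "index.php"), "wb") as f:
            f.write(b"<?php include 'sites/default/files_xtra.php'; ?>\n" + clean_index)

        return diff_baseline(root, baseline), scan_suspicious(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    (modified, added, removed), hits = demo()
    print("modified:", modified, "added:", added, "removed:", removed)
    print("signature hits:", hits)
```

Two caveats for real use: store the baseline (and the script) somewhere the site's FTP/SFTP account cannot write, since whoever holds those credentials can otherwise rewrite both; and treat a signature miss as no evidence of anything, because the hash diff is the reliable part and the regexes only catch the lazy, common obfuscations.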
> I don't know whether it was a Drupal issue: I was running 6.14 and had a couple of modules that were one step behind on upgrading, but nothing that seemed too dangerous. All visitors to my site are anonymous and can't upload any files etc.
Most probably your FTP account credentials were compromised. That's what I would guess. Or the server itself.
> Is there anything I can do on a production site to make sure this doesn't happen again? Without knowing where the attack came from I'm a bit concerned. Would copying index.php to (say) front.php, get htaccess to use that as the default page, and create a dummy index.php fool an automated attack? Probably not.
Probably would actually. I'm not much of a hacker but I doubt they are that sophisticated.
> Alternatively, does anyone know of a good monitoring service that would text me if a page on a site changes, so at least I know straightaway if this happens again, rather than it being up over a weekend.
http://acquia.com/ http://drupal.org/project/nagios
HTH
On Thu, Apr 15, 2010 at 10:58 AM, David david@hartster.org wrote:
> (Not sure if there's a better place to ask this)
Please see http://drupal.org/node/213320
Regards, Greg
Hi,
I have been hosting Drupal for nearly 4 years with no issues. Of course my site was hacked, but that was because someone hacked my security credentials from my desktop.
Upgrade your Drupal to the latest version. Your server should be firewalled; APF should be fine. Block all ports apart from the needed ones. Use SSH key-pair authentication.
Search online for Linux security; there is a lot of material out there.
On 15 April 2010 18:48, Greg Knaddison greg.knaddison@gmail.com wrote:
-- Greg Knaddison | 303-800-5623 | http://growingventuresolutions.com Mastering Drupal | http://www.masteringdrupal.com -- [ Drupal support list | http://lists.drupal.org/ ]
On Thu, Apr 15, 2010 at 12:58 PM, David david@hartster.org wrote:
So many things to check but first - what hosting environment are you on? Shared, private virtual, dedicated?
Can you get the output of last | less?
Is your system log full of failed login attempts?
What are the permissions on the "document root" directory?
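The checks asked for above (failed logins in the system log, document-root permissions), as an added example that is not part of the thread: Python that parses syslog-style sshd/PAM lines for failed and accepted logins, flags any success from an address that also racked up failures, and walks a docroot for world-writable entries and for PHP files sitting under sites/*/files, where Drupal keeps uploads and no code belongs. The log lines and the docroot are constructed here, and the whole thing assumes shell access to the host; on a shared hosting product without a shell, ask the provider for the logs instead. `last` output is short enough to read by eye, so it is not parsed.

```python
"""First-response triage for a web host suspected of compromise.

Added example, not from the thread. SAMPLE_AUTH_LOG and the temporary docroot
are constructed; on a real host point the functions at /var/log/auth.log
(or /var/log/secure) and the real document root.
"""
import os
import re
import shutil
import stat
import tempfile
from collections import Counter

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+(?:\.\d+){3})")
ACCEPTED = re.compile(r"Accepted (?:password|publickey) for (\S+) from (\d+(?:\.\d+){3})")
PAM_FAIL = re.compile(r"authentication failure;.*rhost=(\d+(?:\.\d+){3})")


def parse_auth_log(lines):
    """Return (failures per source IP, list of (user, ip) successes)."""
    failed = Counter()
    accepted = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            failed[m.group(2)] += 1
            continue
        m = PAM_FAIL.search(line)          # ftp/pop/etc. failures logged via PAM
        if m:
            failed[m.group(1)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append((m.group(1), m.group(2)))
    return failed, accepted


def suspicious_logins(lines, threshold=3):
    """Successful logins from an address that also failed at least `threshold`
    times: the usual trace of a guessed or brute-forced password."""
    failed, accepted = parse_auth_log(lines)
    return [(user, ip) for user, ip in accepted if failed[ip] >= threshold]


def world_writable(root):
    """Entries under root whose mode grants write to 'other' (any user on the box)."""
    out = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.lstat(full).st_mode & stat.S_IWOTH:
                out.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(out)


def php_in_files_dirs(root):
    """PHP files under Drupal's upload tree (sites/*/files), which should hold no code."""
    out = []
    for dirpath, _, filenames in os.walk(root):
        parts = os.path.relpath(dirpath, root).replace(os.sep, "/").split("/")
        if len(parts) < 3 or parts[0] != "sites" or parts[2] != "files":
            continue
        for name in filenames:
            if name.lower().endswith((".php", ".phtml", ".php5")):
                out.append("/".join(parts + [name]))
    return sorted(out)


# Constructed sample log (documentation IP ranges): a password-guessing run from
# 203.0.113.45 that ends in a successful login for 'david', one stray failure
# from elsewhere, and the owner's normal login from 198.51.100.7.
SAMPLE_AUTH_LOG = [
    "Apr 15 03:12:07 web1 sshd[21011]: Failed password for invalid user admin from 203.0.113.45 port 51021 ssh2",
    "Apr 15 03:12:09 web1 sshd[21011]: Failed password for invalid user oracle from 203.0.113.45 port 51034 ssh2",
    "Apr 15 03:12:12 web1 sshd[21013]: Failed password for root from 203.0.113.45 port 51050 ssh2",
    "Apr 15 03:14:01 web1 sshd[21030]: Failed password for root from 192.0.2.9 port 3333 ssh2",
    "Apr 15 03:15:40 web1 sshd[21040]: Accepted password for david from 198.51.100.7 port 40021 ssh2",
    "Apr 15 03:21:30 web1 vsftpd[21090]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=david rhost=203.0.113.45",
    "Apr 15 03:22:02 web1 sshd[21101]: Accepted password for david from 203.0.113.45 port 51200 ssh2",
]


def triage_demo():
    """Build a throwaway docroot with two classic mistakes and run every check."""
    root = tempfile.mkdtemp(prefix="docroot-")
    try:
        default = os.path.join(root, "sites", "default")
        files_dir = os.path.join(default, "files")
        os.makedirs(files_dir)
        for d in (root, os.path.join(root, "sites"), default):
            os.chmod(d, 0o755)
        settings = os.path.join(default, "settings.php")
        with open(settings, "w") as f:
            f.write("<?php\n")
        os.chmod(settings, 0o644)
        planted = os.path.join(files_dir, "img.php")   # code in the upload directory
        with open(planted, "w") as f:
            f.write("<?php\n")
        os.chmod(planted, 0o644)
        os.chmod(files_dir, 0o777)                     # world-writable upload directory
        failed, _ = parse_auth_log(SAMPLE_AUTH_LOG)
        return {
            "failed_by_ip": dict(failed),
            "suspicious_logins": suspicious_logins(SAMPLE_AUTH_LOG),
            "world_writable": world_writable(root),
            "php_in_files": php_in_files_dirs(root),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in triage_demo().items():
        print(f"{key}: {value}")
```

The login correlation is the part worth keeping: a lone success means little, a success preceded by a burst of failures from the same address is the signature of the "credentials compromised" scenario the first reply guessed at, and is the line to search for around the time index.php was modified.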