Our Drupal system was recently hacked with the PsychoPhobia Backdoor exploit and I am looking for suggestions on the best way to get back up and secure.
Our hosting company gave us this from the web logs:
[16/Jul/2005:18:37:15 -0400] "POST /xmlrpc.php HTTP/1.1" 200 25 "-" "-"
There is apparently a known vulnerability in XML-RPC that made this possible. The sysadmin gave us the following instructions:
The archived files will be made available for you to download some time later today. However, you would not want to upload the files back to the server, as they are suspect, UNLESS you have done a full security audit on the files to ensure their integrity. Better yet, is to restore the site from known "pristine" backups that were not on the web server, such as local backups on your local computer. ... "XML-RPC for PHP XML-RPC for PHP 1.1.1" is listed as not vulnerable.
We could not find a version number on the xmlrpc PHP module on your site, but it would appear that it is not version 1.1.1.
When you have access to your site again, you will need to use the non-vulnerable version of XML-RPC when restoring the site.
Two questions for the helpful folks on this list:
a) Our version of Drupal was about 1.5 years old. Will the new version prevent this sort of thing? Do we need to install a different version of PHP, or will the files that need updating be in the Drupal package?
b) In any case we will take the "opportunity" to install the latest version of Drupal. We do not have a "pristine" local backup. Is there a painless and *secure* way to transfer the content from the old site (remember, our version is about 1.5 years old)? Can we be sure we're not transferring any infected stuff if we copy the data from the old mysql database?
Many thanks,
-David
Hi. Well, this exploit has been commented out a few weeks ago; you can download Drupal 4.6.2 there: http://drupal.org/drupal-4.6.2
It will prevent this bug.
Regarding the data from MySQL, I don't think there's any problem with it, but maybe someone can confirm. The exploit was made through the XML-RPC file, but I don't think any "corrupted data" should be inserted in the DB.
Regards
Nicolas
And this is a very basic question, but what is the best way to copy over the database files? Is there a file I need to copy, or a mysql command to issue? Thank you, David
What do you mean by database files? Is it a dump you have? If it's the case, I suggest using something like "mysql -u USER -p DBNAME < dump.sql"
On Mon, 18 Jul 2005, Dan Baum wrote:
Two questions for the helpful folks on this list:
a) Our version of Drupal was about 1.5 years old. Will the new version
So most likely it was 4.4.
prevent this sort of thing?
Yes.
Do we need to install a different version of PHP, or will the files that need updating be in the Drupal package?
Drupal
b) In any case we will take the "opportunity" to install the latest version of Drupal. We do not have a "pristine" local backup. Is there a painless and *secure* way to transfer the content from the old site (remember, our version is about 1.5 years old)?
You should do the transfer as follows:
- put your database backup into a db
- Install Drupal 4.5 locally with that db
- upgrade the db
- install Drupal 4.6
- upgrade
Can we be sure we're not transferring any infected stuff if we copy the data from the old mysql database?
You never can be sure.
If you were running 4.4, then only nodes of type page and book were allowed to contain php code. You need to check that no node contains php that somebody else put in there. This could possibly constitute a back door to your Drupal install and thus your server.
Cheers, Gerhard
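One way to carry out the check for PHP stored in node content before re-importing the old database, as an added example that is not part of the original thread: it scans a mysqldump text export and flags any field containing a PHP open tag or a call often seen in injected code. The marker list, the sample dump and the use of the first column as a row identifier are assumptions; every hit still needs manual review.

```python
import re

# Heuristic markers (assumed, not exhaustive): PHP open tags and calls common in injected code.
SUSPICIOUS = re.compile(
    r"<\?|\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open|"
    r"base64_decode|gzinflate)\s*\(", re.I)
INSERT = re.compile(r"INSERT INTO `?(\w+)`?.*?VALUES\s*", re.I | re.S)
# One token is a quoted string, a structural character, or a bare value (number, NULL).
TOKEN = re.compile(r"'((?:[^'\\]|\\.|'')*)'|([(),])|([^'(),]+)", re.S)
UNESCAPE = {"n": "\n", "r": "\r", "t": "\t", "0": "\0"}

def unescape(s):
    """Undo mysqldump string escaping (backslash escapes and doubled quotes)."""
    fix = lambda m: UNESCAPE.get(m.group(1), m.group(1)) if m.group(1) else "'"
    return re.sub(r"\\(.)|''", fix, s, flags=re.S)

def parse_rows(values):
    """Split the VALUES part of an INSERT into rows of field strings."""
    rows, row = [], None
    for string, punct, bare in TOKEN.findall(values):
        if punct == "(" and row is None:
            row = []
        elif punct == ")" and row is not None:
            rows.append(row)
            row = None
        elif row is not None and not punct and (bare.strip() or not bare):
            row.append(bare.strip() if bare else unescape(string))
    return rows

def scan_dump(sql_text):
    """Return (table, first_column, field_index, marker) for each suspicious field."""
    hits = []
    for stmt in re.split(r";\s*\n", sql_text):
        m = INSERT.match(stmt.strip())
        rows = parse_rows(stmt.strip()[m.end():]) if m else []
        for row in rows:
            for idx, value in enumerate(row):
                found = SUSPICIOUS.search(value)
                if found:
                    hits.append((m.group(1), row[0], idx, found.group(0)))
    return hits

# Constructed sample dump (not from the affected site); column layout is illustrative only.
SAMPLE_DUMP = r"""
INSERT INTO node VALUES (1,'page','About us','Welcome to our site; it\'s new.');
INSERT INTO node VALUES (2,'page','Contact','<?php eval(base64_decode($_POST[\'x\'])); ?>'),(3,'story','News','Plain (text), nothing odd');
INSERT INTO users VALUES (1,'admin','hash');
"""
print(scan_dump(SAMPLE_DUMP))
```

Run it against the dump on a machine that is not the web server, and review flagged rows by hand before loading anything into the new install.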
When I subscribed a few days ago, I noticed that there is a form at http://drupal.org/mailing-lists (last part) which submits subscriptions, assumingly to the mailman interface. This is pretty useful. Does anyone have some pointers on how to do this?
If you use a hosting company with CPanel you can auto configure to set up your own lists.
Rob
----- Original Message ----- From: "Taran Rampersad" cnd@knowprose.com To: drupal-support@drupal.org Sent: Monday, July 18, 2005 12:13 PM Subject: [drupal-support] Form method for subscribing to multiple emaillists?
When I subscribed a few days ago, I noticed that there is a form at http://drupal.org/mailing-lists (last part) which submits subscriptions, assumingly to the mailman interface. This is pretty useful. Does anyone have some pointers on how to do this?
-- Taran Rampersad Presently in: Georgetown, Guyana cnd@knowprose.com
http://www.knowprose.com http://www.easylum.net http://www.digitaldivide.net/profile/Taran
"Criticize by creating." — Michelangelo
-- [ Drupal support list | http://lists.drupal.org/ ]
I don't think you understand. I want the capability for users to be able to subscribe to more than one email list through a form on the server. This should be a simple CGI script, as it appears to be on the Drupal page I pointed to. The CGI itself should then do the posting of the information to Mailman to do everything else.
Having never done it myself, I thought I would ask while hacking other things. :-)
On Jul 19, 2005, at 09:39, Taran Rampersad wrote:
I don't think you understand. I want the capability for users to be able to subscribe to more than one email list through a form on the server. This should be a simple CGI script, as it appears to be on the Drupal page I pointed to. The CGI itself should then do the posting of the information to Mailman to do everything else.
I don't know how this particular form works, but the general idea is quite easy with Mailman. For each checked list, generate a mail to listname-join@example.com that appears to be From: the subscriber's email address. The subscriber will get the standard confirmation email to make sure people are not maliciously subscribed by others.
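A sketch of the form handler described above, as an added example that is not from the original thread or from drupal.org: it builds one message per checked list to listname-join, with the subscriber's address in From. The list names, the example.com host and the function name are hypothetical; the strict address pattern and the allowlist are there so form input cannot inject extra headers or reach arbitrary recipients.

```python
import re
from email.message import EmailMessage

# Hypothetical values: the lists offered on the form and the Mailman host.
ALLOWED_LISTS = {"support", "development", "announce"}
LIST_DOMAIN = "example.com"
# Deliberately strict address pattern: no whitespace, CR/LF, commas or angle brackets.
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def build_join_requests(subscriber, checked_lists):
    """Return one join message per checked list, addressed to listname-join."""
    if not ADDRESS.fullmatch(subscriber):
        raise ValueError("invalid subscriber address")
    wanted = set(checked_lists)
    if not wanted or not wanted <= ALLOWED_LISTS:
        raise ValueError("unknown or missing list selection")
    messages = []
    for name in sorted(wanted):
        msg = EmailMessage()
        msg["From"] = subscriber  # Mailman sends its confirmation request here
        msg["To"] = f"{name}-join@{LIST_DOMAIN}"
        msg["Subject"] = "subscribe"
        msg.set_content("subscribe\n")
        messages.append(msg)
    return messages

if __name__ == "__main__":
    # Constructed form input; print the messages instead of sending them.
    for m in build_join_requests("dan@example.org", ["support", "announce"]):
        print(m["To"], "<-", m["From"])
```

Each returned message can be handed to `smtplib.SMTP.send_message` on the web server; rate-limiting the form keeps it from being used to flood an address with confirmation mails.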
Mailman is a software program for mailing lists, it is installed on a server like Drupal is.
Rob
----- Original Message ----- From: "Taran Rampersad" cnd@knowprose.com To: drupal-support@drupal.org Sent: Monday, July 18, 2005 7:39 PM Subject: Re: [drupal-support] Form method for subscribing to multiple emaillists?
I don't think you understand. I want the capability for users to be able to subscribe to more than one email list through a form on the server. This should be a simple CGI script, as it appears to be on the Drupal page I pointed to. The CGI itself should then do the posting of the information to Mailman to do everything else.
Having never done it myself, I thought I would ask while hacking other things. :-)
Very good, Rob. We're making progress.
Now can we fast forward to the actual CGI/form submission which I asked about, or is there more that you wish to tell me about that I already know? :-) If you can't answer about the CGI Script and form submission, that's OK. I'll do it myself. I had just hoped that someone had a quick answer. Apparently you do not have that answer. If you want, once I can dedicate some time to it and get it working I will tell you how to do it.
I am sorry that I responded with the wrong understanding of what you were asking.
Rob
----- Original Message ----- From: "Taran Rampersad" cnd@knowprose.com To: drupal-support@drupal.org; "Rob" rob@rwneill.com Sent: Monday, July 18, 2005 10:46 PM Subject: Re: [drupal-support] Form method for subscribing to multiple emaillists?
Very good, Rob. We're making progress.
Now can we fast forward to the actual CGI/form submission which I asked about, or is there more that you wish to tell me about that I already know? :-) If you can't answer about the CGI Script and form submission, that's OK. I'll do it myself. I had just hoped that someone had a quick answer. Apparently you do not have that answer. If you want, once I can dedicate some time to it and get it working I will tell you how to do it.
Rob wrote:
I am sorry that I responded with the wrong understanding of what you were asking.
Rob
Bah, it happens. Mailing lists suck about that. I just have to find/write a script which sends the submission to mailman by pretending to send the emails from the subscriber's address.
Taran Rampersad wrote:
Rob wrote:
I am sorry that I responded with the wrong understanding of what you were asking.
Rob
Bah, it happens. Mailing lists suck about that. I just have to find/write a script which sends the submission to mailman by pretending to send the emails from the subscriber's address.
You could take a look at the Drupal ezmlm.module in the contributions repository. It is designed to work with EZMLM and not Mailman, but you could hack it to work with Mailman, I believe. (I am not familiar with either EZMLM or Mailman as other than a subscribed user on lists managed by them, i.e. I've never managed such a list using those softwares.)
-- Chris Johnson
On 18 Jul 2005, at 10:03 AM, Gerhard Killesreiter wrote:
On Mon, 18 Jul 2005, Dan Baum wrote:
Can we be sure we're not transferring any infected stuff if we copy the data from the old mysql database?
You never can be sure.
If you were running 4.4, then only nodes of type page and book were allowed to contain php code. You need to check that no node contains php that somebody else put in there. This could possibly constitute a back door to your Drupal install and thus your server.
Cheers, Gerhard
Also check:
- no database users added; permissions are minimal
- make sure that no stored procedure/functions have been added if you are using MySQL 5.
Regards, Djun
I'd like to list all terms in one particular vocabulary. Is there a quick way to do this? Like in /taxonomy/term/1 but something like /taxonomy/vocabulary/1?
I know I can use directory or taxonomy_dhtml to list the entire taxonomy. But all I want is to list one particular vocabulary with its terms.
Is there any module that does this?
Someone had the courtesy to send me a snippet of code that would do it, but I lost that mail.
Thanks
As I try to recover our site from the Psychophobia hack, I am following Gerhard's suggestions for recovering the database. From the table structure it looks like we were using 4.3. However, when I run the database upgrade script, I get a blank screen:
1) I installed Drupal 4.5.4.
2) I modified the conf.php file so that it pointed to our old database.
3) I loaded http://www.site.org/drupaldir/update.php.
4) I followed the notes for adding new tables and fields, and made the modifications successfully through phpmyadmin.
5) I clicked on the "run the database script" link. (http://www.site.org/drupaldir/update.php?op=update)
6) A blank screen came up.
7) I then double-checked the conf.php file to make sure $db_url was pointing to the right place. It was.
8) To test the rest of my configuration I set $db_url to a different database that had a freshly loaded version of the 4.5.4 database.mysql, and it worked.
So the problem seems to be with my database and/or the update.php script. Any ideas?
Thank you.
On Jul 18, 2005, at 1:03 PM, Gerhard Killesreiter wrote:
- put your database backup into a db
- Install Drupal 4.5 locally with that db
- upgrade the db
- install Drupal 4.6
- upgrade
On Wed, 20 Jul 2005 sunblockster@gmail.com wrote:
As I try to recover our site from the Psychophobia hack, I am following Gerhard's suggestions for recovering the database. From the table structure it looks like we were using 4.3. However, when I run the database upgrade script, I get a blank screen:
- I installed Drupal 4.5.4.
I think you should have been first updating to 4.4 then 4.5. I can make a 4.4 tarball available.
Cheers, Gerhard