Hi Ahilan,
We had something similar in Drupal 6 and in early and recent Drupal 7 with one ISP. The attacks seemed to be because root access to cPanel or through ssh terminal access was obtained, permitting a hacker into the whole Drupal system. Any passwords typed in manually are very vulnerable.
User names and passwords are easy to grab on the internet, and ISPs can be lax while professing top-level security. Very long, convoluted user names and passwords that are very difficult to type manually need to be copied and pasted. This has given us a modicum of security to date. Users scream about having to copy and paste, but it was easier for them to learn copy and paste than take the chance on bog-awful passwords, especially ISP root/admin passwords. Our server admin access words are voluminous, convoluted and difficult to type accurately.
May I suggest keeping a zipped copy of the /sites folder and the database SQL file in a /home/Backups directory, outside the /public_html directory tree, and making a new version of both once a month so at worst you only lose 1 month of data.
You can also create an entirely new Drupal install by installing the latest Drupal 7, renaming its /sites folder and copying /home/Backup/sites.zip to the new Drupal and extracting it. Your new Drupal will be instantly usable, and you can inspect the previous version's code as you wish after you rename its /sites folder to make it unavailable.
We always have 2 Drupal installs on the system, both with the same /sites folder, but the second, newer one is named something totally unrelated and meaningless, and its sites folder is also renamed to something meaningless so the fresh Drupal site fails to serve until I allow it. I simply rename the original and change the fresh install and its /sites folder to the original name to run the latest Drupal.
Hope this helps,
Roger
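Roger's monthly backup and swap-in procedure, written out as a small POSIX shell script. This is an added example, not Roger's own script; it assumes a cPanel-style layout of $HOME/public_html for the docroot and $HOME/Backups for the archives, a hypothetical database name drupal7, MySQL credentials kept in ~/.my.cnf so no password is typed or passed on the command line, and tar.gz archives in place of zip. The archive directory and files are created owner-only because sites/default/settings.php carries the database password.

```shell
#!/bin/sh
# Added example: monthly off-webroot backup of a Drupal 7 site's /sites folder
# and database, plus restore of that /sites into a fresh install.
# Assumptions (not from the thread): DOCROOT=$HOME/public_html,
# BACKUP_DIR=$HOME/Backups, DB_NAME=drupal7, credentials in ~/.my.cnf.
set -e

DOCROOT="${DOCROOT:-${HOME:-.}/public_html}"
BACKUP_DIR="${BACKUP_DIR:-${HOME:-.}/Backups}"
DB_NAME="${DB_NAME:-drupal7}"      # hypothetical database name
KEEP="${KEEP:-6}"                  # monthly archives to retain

stamp() { date +%Y-%m; }

# Archive DOCROOT/sites as BACKUP_DIR/sites-YYYY-MM.tar.gz, readable by the
# owner only (settings.php holds the DB password). Prints the archive path.
backup_sites_dir() {
    bs_docroot="$1"
    mkdir -p "$2"; chmod 700 "$2"
    bs_outdir=$(cd "$2" && pwd)            # absolute, since tar -C changes dir
    bs_archive="$bs_outdir/sites-$(stamp).tar.gz"
    ( umask 077; tar -C "$bs_docroot" -czf "$bs_archive" sites )
    printf '%s\n' "$bs_archive"
}

# Dump the database with mysqldump (credentials from ~/.my.cnf). Prints path.
backup_database() {
    bd_name="$1"
    mkdir -p "$2"; chmod 700 "$2"
    bd_dump="$2/$bd_name-$(stamp).sql.gz"
    ( umask 077; mysqldump --single-transaction "$bd_name" | gzip > "$bd_dump" )
    printf '%s\n' "$bd_dump"
}

# Succeed only if the archive really contains sites/default/settings.php,
# so a bad -C path is caught at backup time rather than at restore time.
verify_archive() {
    tar -tzf "$1" | grep -q 'sites/default/settings\.php$'
}

# Roger's swap: in a fresh Drupal install ($2), move its own /sites aside and
# unpack the backed-up /sites ($1) in its place. Prints the set-aside path.
restore_sites() {
    rs_archive="$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
    rs_docroot="$2"
    rs_aside="$rs_docroot/sites.fresh-$(date +%Y%m%d%H%M%S)"
    mv "$rs_docroot/sites" "$rs_aside"
    tar -C "$rs_docroot" -xzf "$rs_archive"
    printf '%s\n' "$rs_aside"
}

# Keep the newest $1 files among the remaining arguments, delete the rest
# (archive names contain no spaces, so plain word splitting is safe here).
prune_old() {
    po_keep="$1"; shift
    po_n=0
    for po_f in $(ls -1t "$@" 2>/dev/null); do
        po_n=$((po_n + 1))
        if [ "$po_n" -gt "$po_keep" ]; then rm -f "$po_f"; fi
    done
}

# The monthly job runs only when invoked as: sh backup.sh run
if [ "${1:-}" = "run" ]; then
    arch=$(backup_sites_dir "$DOCROOT" "$BACKUP_DIR")
    verify_archive "$arch"
    backup_database "$DB_NAME" "$BACKUP_DIR"
    prune_old "$KEEP" "$BACKUP_DIR"/sites-*.tar.gz
    prune_old "$KEEP" "$BACKUP_DIR"/"$DB_NAME"-*.sql.gz
fi
```

Schedule it from cron with `sh backup.sh run` and keep KEEP at six or more; with only the newest archive kept, a compromise that goes unnoticed for a month leaves you restoring the injected files along with your data.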
Hi,
I had installed Drupal 7.21 to run a simple website on my server. All seemed well till one day last week I started getting a huge amount of spam emails from the server which was hosting the website.
On further analysis of the postfix mail queue on the server, I found all the emails were generated by TWO php files (css76.php in the modules/panels/js directory and session.php in the sites/all/libraries/jquery.cycle directory). These two files were NEWLY created/injected files and seemed bogus, containing a number of symbols along with a base64_decode return statement.
Clearly my Drupal setup had been hacked and someone had successfully injected these files to send spam email (amongst other things, I presume).
I shut down the site, installed the Security Review and Hacked modules and carried out their recommendations, and also checked my file permissions via recommended scripts.
However, I am still not sure what the entry point for this hack was in my setup and whether I am fully secure yet in this setup. Any suggestions or points in this regard would be highly appreciated.
Thanks,
Drupal Newbie
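The triage described in this message (finding newly created PHP files containing base64_decode in the docroot and checking the tree against a clean copy, which is what the Hacked module automates) as a POSIX shell script. This is an added example, not code from the thread or from the Drupal project; the docroot path, the manifest file location and the 30-day window are assumptions, and the test fixture with a css76.php containing eval(base64_decode("Zm9v")) (which decodes to "foo") is constructed purely so the checks have something to find.

```shell
#!/bin/sh
# Added example, not from the thread: triage a Drupal 7 docroot for injected
# PHP files of the kind described above. Two checks:
#   1. content idioms typical of dropped mailers/obfuscated PHP;
#   2. comparison against a SHA-256 manifest taken from a clean copy of the
#      same Drupal release plus the same contrib modules (what Hacked does).
# Paths and the day window are assumptions.
set -e

# Drupal core and a few contrib modules call base64_decode legitimately, so a
# hit here is a lead to confirm against the manifest, not proof on its own.
SUSPICIOUS_RE='base64_decode|gzinflate|gzuncompress|str_rot13|eval[[:space:]]*\('

# List *.php files under $1 whose contents match SUSPICIOUS_RE.
suspicious_php() {
    find "$1" -type f -name '*.php' -exec grep -lE "$SUSPICIOUS_RE" {} + 2>/dev/null || true
}

# List *.php files under $1 modified within the last $2 days (mailers and
# shells are usually far newer than the release they were dropped into).
recent_php() {
    find "$1" -type f -name '*.php' -mtime -"$2"
}

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Print "sha256  ./relative/path" for every PHP file under $1, C-locale sorted
# so the output is directly usable with comm(1). Run this once on a clean
# install with the same modules, then keep the file outside the docroot.
make_manifest() {
    ( cd "$1" && find . -type f -name '*.php' \
        | while IFS= read -r mf; do hash_file "$mf"; done | LC_ALL=C sort )
}

# Print manifest lines present in the live docroot ($2) but absent from the
# baseline manifest ($1): new files and files whose hash changed.
new_or_changed() {
    nc_cur=$(mktemp)
    make_manifest "$2" > "$nc_cur"
    LC_ALL=C comm -13 "$1" "$nc_cur"
    rm -f "$nc_cur"
}

# Usage: sh triage.sh scan DOCROOT [BASELINE_MANIFEST] [DAYS]
if [ "${1:-}" = "scan" ]; then
    echo "== PHP files changed in the last ${4:-30} days"; recent_php "$2" "${4:-30}"
    echo "== PHP files matching dropper idioms"; suspicious_php "$2"
    if [ -n "${3:-}" ]; then
        echo "== Files missing from the clean-install manifest"; new_or_changed "$3" "$2"
    fi
fi
```

The manifest comparison is the check that answers "am I clean yet": the pattern grep only finds droppers that look like the two already found, whereas any file whose hash differs from the clean release is either a local edit you can account for or something that needs explaining. Take the baseline from a fresh download, never from the compromised tree.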
-- [ Drupal support list | http://lists.drupal.org/ ]