My hosting company has twice recently claimed there are IRC hacking files in one of my accounts which uses Drupal. Has anyone had this experience or have any idea how they could be uploaded into my account like that? Is there a security hole in Drupal that could cause this?
Rob
> My hosting company has twice recently claimed there are IRC hacking files in one of my accounts which uses Drupal. Has anyone had this experience or have any idea how they could be uploaded into my account like that? Is there a security hole in Drupal that could cause this?
It's entirely possible if you're still using a version of Drupal that has the XML-RPC bug (upgrade to 4.6.5, please!) - someone could easily have done it (I've seen the attack numerous times against numerous apps).
The CPanel on my host only offers up to 4.6.3.
Rob
On 12/15/05, Morbus Iff morbus@disobey.com wrote:
> > My hosting company has twice recently claimed there are IRC hacking files in one of my accounts which uses Drupal. Has anyone had this experience or have any idea how they could be uploaded into my account like that? Is there a security hole in Drupal that could cause this?
> It's entirely possible if you're still using a version of Drupal that has the XML-RPC bug (upgrade to 4.6.5, please!) - someone could easily have done it (I've seen the attack numerous times against numerous apps).
> --
> Morbus Iff ( you are nothing without your robot car, NOTHING! )
> Culture: http://www.disobey.com/ and http://www.gamegrene.com/
> O'Reilly Author, Weblog, Cook: http://www.oreillynet.com/pub/au/779
> icq: 2927491 / aim: akaMorbus / yahoo: morbus_iff / jabber.org: morbus
> --
> [ Drupal support list | http://lists.drupal.org/ ]
> The CPanel on my host only offers up to 4.6.3.
Is that the version you actually had installed? 4.6.3 was released August 14, 2005 (http://drupal.org/drupal-4.6.3) - if you installed your Drupal site BEFORE that time, then you were not running the latest security fixes, and it may still be possible that you're susceptible to an XML-RPC exploit. For now, a reasonable workaround is to:
* delete the xmlrpc.php file in your Drupal directory.
While this does nothing to prevent the bugs fixed in 4.6.4 and 4.6.5 of Drupal, it will specifically stop any XML-RPC vulnerabilities, at the expense of removing the ability to receive updates for blogging applications (per the blogapi.module).
If you have further concerns or questions regarding the security of your site in regards to Drupal, please contact security@drupal.org - the support list isn't the best place for this.
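An added example (not from any poster in this thread or from the Drupal project) of checking a docroot for the conditions discussed above: a release older than 4.6.5, an xmlrpc.php that is still in place, and files that do not exist in an unmodified copy of the same release. The function names, the `Drupal X.Y.Z, date` heading format assumed for CHANGELOG.txt, and the pristine-copy directory are assumptions.

```shell
#!/bin/sh
# Added example: triage of a Drupal 4.6.x docroot after a suspected compromise.
# Assumptions: the newest CHANGELOG.txt heading has the form
# "Drupal X.Y.Z, YYYY-MM-DD", and an unmodified copy of the same release has
# been unpacked somewhere for comparison.

# Print the newest version recorded in CHANGELOG.txt (empty if not found).
drupal_version() {
  sed -n 's/^Drupal \([0-9][0-9.]*\),.*/\1/p' "$1/CHANGELOG.txt" 2>/dev/null |
    head -n 1
}

# Succeed if dotted version $1 is older than $2 (numeric, field by field).
version_lt() {
  [ "$1" = "$2" ] && return 1
  oldest=$(printf '%s\n%s\n' "$1" "$2" |
    sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$oldest" = "$1" ]
}

# List files under site $1 that do not exist in pristine tree $2.
# files/ is included on purpose: it is the web-writable upload directory,
# so expect legitimate uploads there and review each entry by hand.
unexpected_files() {
  (cd "$1" && find . -type f | sort) | while IFS= read -r f; do
    [ -e "$2/$f" ] || printf '%s\n' "${f#./}"
  done
}

# Print one finding per line; no output means nothing was flagged.
# $3 is the first fixed release (4.6.5, as stated in the thread).
audit_site() {
  site=$1 pristine=$2 fixed=${3:-4.6.5}
  ver=$(drupal_version "$site")
  if [ -z "$ver" ]; then
    echo "WARN version unknown"
  elif version_lt "$ver" "$fixed"; then
    echo "WARN version $ver older than $fixed"
  fi
  if [ -f "$site/xmlrpc.php" ]; then
    echo "WARN xmlrpc.php still present"
  fi
  unexpected_files "$site" "$pristine" | sed 's/^/EXTRA /'
}
```

Call it as `audit_site /path/to/site /path/to/pristine-copy`; files reported as EXTRA are only candidates for review, and files that were modified in place are not detected by this comparison.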
Hi Rob,
I have personally had experience with this type of attack, as it affected one of my production servers, where they got in from phpBB2. A simple upgrade fixed the problem.
If your hosting company keeps putting the squeeze on you for it, there's nothing you can do except tell them to upgrade their version of Drupal, because that's the way they're getting in.
Michael.