[development] Fully patched site hacked and cloaked
gerhard at killesreiter.de
Wed Jan 27 11:45:33 UTC 2010
-----BEGIN PGP SIGNED MESSAGE-----
Tomáš Fülöpp (vacilando.org) schrieb:
> This is to share an (unpleasant) experience I had yesterday on a hacked
> site of a client (hacked despite fully patched modules and D6.15).
> It was apparent hackers used a cloaking method, i.e. the site appeared
> just fine to users but search engines saw a page full of drug
> I found no trace of changes via user activity (revisions, user last
> access, etc.) and there was nothing suspicious in the source code of the
> cloaked pages.
> Eventually I found that the file bootstrap.inc had been altered (without
> changing the time stamp!) -- a whole chunk of obfuscated PHP code was
> added at the top of the usual Drupal code.
I've seen a similar method used in a hacked Joomla install.
> I responded by reloading Drupal and locking up the site even more than
> up to now.
Were you able to determine the attach vector that was used to be able
to modify bootstrap.inc? Was it Drupal related? Do you run any custom
> This is to warn others about this hacking method, which may not be
> immediately apparent to webmasters.
> If anybody is interested in studying the obfuscated PHP code I found
> there, please contact me off the list.
> I also wonder whether Drupal could be adjusted so as to automatically
> set file bootstrap.inc, and perhaps other critical ones, as read-only.
> So far it is done only with settings.php file.
If the Apache-User can do that, it can also be used to change this
property again, so it makes little sense to do that from within
Drupal. When deploying code I usually consider it mandatory that the
webuser does not have this permission, ie the files belong to a
different user. Unfortunately most/all fcgi setups have one user for
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----
More information about the development