[development] Fully patched site hacked and cloaked

David Shaver d.a.shaver at dashaver.com
Wed Jan 27 14:39:03 UTC 2010


Sounds to me like Gumblar Virus; see this link:
http://blog.scansafe.com/journal/2009/11/18/where-to-look-for-gumblar-backdoors.html

David A. Shaver
D. A. Shaver Web Design
Web Page Design for Small Business
www.dashaver.com
PO Box 594 Galesburg,IL 61402-0594
309.343.0027



On Wed, Jan 27, 2010 at 8:22 AM, Ken Rickard <agentrickard at gmail.com> wrote:

> I had something similar happen on WordPress. It was a simple FTP
> (non-secure) password sniffer watching network traffic to the host.
> My site would get hacked within twenty minutes of making a change via
> FTP.
>
> I finally forced the hosting provider to support SFTP for my account.
>
> On Wed, Jan 27, 2010 at 7:14 AM, Adam Gregory <arcaneadam at gmail.com>
> wrote:
> > This is more a server security issue rather than a Drupal one. I've seen
> > this happen with Drupal, Joomla, Wordpress and custom PHP code. It really
> > most likely means that access to the server/host was compromised at some
> > point.
> >
> > There are lots of things that can be done to prevent this like chmod/own-ing
> > your file system correctly (as Gerhard touched on). This is also a good
> > reason to use SFTP rather than FTP as passwords in SFTP are sent encrypted
> > and FTP are not, leaving them open to a man-in-the-middle attack.
> >
> > Ultimately though it's a good example of how Drupal can only go so far in
> > keeping itself secure but there are still plenty of other ways outside
> > Drupal's area of responsibility that your site can be compromised.
> > -----
> > Adam A. Gregory
> > Drupal Developer & Consultant
> > Web: AdamAGregory.com
> > Twitter: twitter.com/adamgregory
> > Phone: 910.808.1717
> > Cell: 706.761.7375
> >
> >
> > On Wed, Jan 27, 2010 at 6:53 AM, Fred Jones <fredthejonester at gmail.com>
> > wrote:
> >>
> >> > I also wonder whether Drupal could be adjusted so as to automatically set
> >> > file bootstrap.inc, and perhaps other critical ones, as read-only. So far it
> >> > is done only with settings.php file.
> >>
> >> Well if they did it via FTP, that wouldn't help...
> >>
> >> F
> >
> >
>
>
>
> --
> Ken Rickard
> agentrickard at gmail.com
> http://ken.therickards.com
>