[development] Fully patched site hacked and cloaked

Tomáš Fülöpp (vacilando.org) tomi at vacilando.org
Wed Jan 27 15:25:13 UTC 2010


Thanks for feedback, esp. to Steve who had some fun excavating the malicious
PHP code layer by layer.

News (and some answers to various points in this thread):

The site got hacked again today, despite all FTP password changes etc.
Because (though that is of course an assumption, but a reasonable one)
bootstrap.inc was read-only, the hacker *created* bootstrap.php in the
includes/ folder. Not sure there was a way to use it but still, it got
created.

The logs were flooded with entries like this:
[27-Jan-2010 06:04:13] PHP Warning:  file_get_contents(http://95.168.177.240/spyder/796f757468666f72756d2e6f7267667266726f75725f776f726b676c6f62616c576f726c64.html) [<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in .../web/content/includes/bootstrap.php on line 1

I reloaded Drupal and modules again and blocked that IP range, etc.
No, no real custom modules, just a few views hooks.

So the question remains how anyone managed to write in Drupal's
directory.
This is a RackspaceCloud/Mosso installation; I've raised the issue with them
-- in case they've got a hole in Apache, but I think that's unlikely.

I always use SSH (Port 22, WinSCP) but I am now investigating the
possibility of some of my clients using insecure FTP, which of course would
be a very likely attack vector.
(It may be the work of a virus but it's hard to say it's Gumblar, as I assume
the PHP code cared for redirect based on referer, so not the iframe
solution.)

Any further ideas are of course appreciated. And those on RackspaceCloud,
check your bootstrap.inc files today.

vacilando / Tomáš
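
As an added illustration (not code from this thread, from Tomáš, or from Drupal itself): a small Python triage script for the two symptoms described above, the flood of file_get_contents() warnings pointing at a remote host, and the rogue bootstrap.php sitting in includes/. The sample log is constructed to match the entry quoted in the post (the remote IP and the hex file name are the ones from the post; the web root /srv/example/web/content is a placeholder for the elided path), the second sample line is ordinary noise for the filter to ignore, and the tree check relies on Drupal 6 core shipping only .inc files in includes/, so any .php there is unexpected. The hex file name in the quoted URL is plain hex-encoded ASCII, so the script also decodes it for the responder to compare against the site's own details.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Constructed sample of a PHP error log. The first entry reproduces the one
# quoted in the thread (same remote host and hex-named URL), re-joined onto one
# line and with a placeholder web root in place of the elided "..." path; the
# second entry is ordinary noise so the filter has something to ignore.
SAMPLE_LOG = (
    "[27-Jan-2010 06:04:13] PHP Warning:  file_get_contents("
    "http://95.168.177.240/spyder/796f757468666f72756d2e6f7267667266726f75725f776f726b676c6f62616c576f726c64.html)"
    " [<a href='function.file-get-contents'>function.file-get-contents</a>]: "
    "failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in "
    "/srv/example/web/content/includes/bootstrap.php on line 1\n"
    "[27-Jan-2010 06:05:02] PHP Notice:  Undefined index: foo in "
    "/srv/example/web/content/sites/all/modules/views/views.module on line 120\n"
)

WARNING_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] PHP Warning:\s+file_get_contents\("
    r"(?P<url>https?://[^)\s]+)\).*? in (?P<file>\S+) on line (?P<line>\d+)$"
)


def parse_remote_fetch_warnings(log_text):
    """Pull out every warning about file_get_contents() on a remote URL.

    A script inside the CMS tree fetching content from a bare-IP host is the
    pattern the thread describes; each hit records where the call ran so the
    offending file can be located on disk.
    """
    hits = []
    for line in log_text.splitlines():
        m = WARNING_RE.match(line)
        if not m:
            continue
        path = Path(m.group("file"))
        hits.append({
            "ts": m.group("ts"),
            "host": urlparse(m.group("url")).hostname,
            "url": m.group("url"),
            "file": str(path),
            "line": int(m.group("line")),
            # Drupal 6 core ships only .inc files under includes/, so a .php
            # file there (as in the thread) is itself a red flag.
            "suspect_file": path.parent.name == "includes" and path.suffix == ".php",
        })
    return hits


def decode_hex_slug(url):
    """Decode the URL's file name if it is hex-encoded ASCII, else return None."""
    name = urlparse(url).path.rsplit("/", 1)[-1].rsplit(".", 1)[0]
    try:
        return bytes.fromhex(name).decode("ascii")
    except ValueError:  # not hex, odd length, or non-ASCII bytes
        return None


def unexpected_php_in_includes(drupal_root):
    """List .php files under includes/, which Drupal 6 core never places there."""
    inc = Path(drupal_root) / "includes"
    if not inc.is_dir():
        return []
    return sorted(p.name for p in inc.glob("*.php"))


def build_sample_tree(root=None):
    """Create a minimal Drupal-like tree (constructed) with the rogue file from the thread."""
    root = Path(root) if root else Path(tempfile.mkdtemp())
    inc = root / "includes"
    inc.mkdir(parents=True, exist_ok=True)
    (inc / "bootstrap.inc").write_text("<?php // stand-in for the legitimate core file\n")
    (inc / "bootstrap.php").write_text("<?php // stand-in for the rogue file\n")
    return str(root)


if __name__ == "__main__":
    for hit in parse_remote_fetch_warnings(SAMPLE_LOG):
        print(hit, decode_hex_slug(hit["url"]))
    print("unexpected:", unexpected_php_in_includes(build_sample_tree()))
```

Run it against the real error_log and web root by swapping SAMPLE_LOG for the file's contents and pointing unexpected_php_in_includes() at the Drupal root; the regex is deliberately strict about the "in FILE on line N" tail so that it reports the file that executed the fetch rather than every mention of the host.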




On Wed, Jan 27, 2010 at 15:43, Khalid Baheyeldin <kb at 2bits.com> wrote:

> Yes, but you don't
>
> On Wed, Jan 27, 2010 at 9:35 AM, Nilesh Govindarajan <lists at itech7.com>wrote:
>
>> On 01/27/2010 08:01 PM, Gerhard Killesreiter wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Adam Gregory schrieb:
>>>
>>>> This is more a server security issue rather than a Drupal one. I've seen
>>>> this happen with Drupal, Joomla, Wordpress and custom PHP code. It
>>>> really most likely means that access to the server/host was compromised
>>>> at some point.
>>>>
>>>> There are lots of things that can be done to prevent this like
>>>> chmod/own-ing your file system correctly (as Gerhard touched on). This is
>>>> also a good reason to use SFTP rather than FTP as passwords in SFTP are
>>>> sent encrypted and FTP are not, leaving them open to a *man-in-the-middle
>>>> attack.*
>>>>
>>>
>>> People still using FTP in 2010 should be shot on sight.
>>>
>>> Cheers,
>>>        Gerhard
>>>
>>
>> *ahem*
>>
>> Public mirrors do use them?
>>
>> FTP is good if you can configure it properly. It can be a big bug in the
>> security as happened in this case if not configured properly :)
>>
>
> Yes, but public mirrors do not require passwords. What Gerhard is talking
> about is uploading stuff to your site via an FTP account with a user name
> and password.
> --
> Khalid M. Baheyeldin
> 2bits.com, Inc.
> http://2bits.com
> Drupal optimization, development, customization and consulting.
> Simplicity is prerequisite for reliability. --  Edsger W.Dijkstra
> Simplicity is the ultimate sophistication. --   Leonardo da Vinci
>