[development] Fully patched site hacked and cloaked

Steven Jones steven.jones at computerminds.co.uk
Wed Jan 27 16:41:25 UTC 2010


> Is it a good security tip to monitor the integrity of Drupal sources by
> using MD5 hashes on the files ?
> Is there a known/efficient way to achieve this ?

http://drupal.org/project/md5check

But this is a Drupal module, and thus pretty useless, because it is
part of the system that you're looking to stop being modified. Better
to just hash some files on cron or something if you care to leave your
Drupal installation writeable by the web server.

Regards
Steven Jones
ComputerMinds ltd - Perfect Drupal Websites

Phone : 024 7666 7277
Mobile : 07702 131 576
Twitter : darthsteven
http://www.computerminds.co.uk



2010/1/27 Nicolas Tostin <nicolast at logis.com.mx>:
> Is it a good security tip to monitor the integrity of Drupal sources by
> using MD5 hashes on the files ?
> Is there a known/efficient way to achieve this ?
>
>
> ----- Original Message -----
> From: "Laura" <pinglaura at gmail.com>
> To: <development at drupal.org>
> Sent: Wednesday, January 27, 2010 9:53 AM
> Subject: Re: [development] Fully patched site hacked and cloaked
>
>
> On Jan 27, 2010, at Wed 1/27/10 4:45am, Gerhard Killesreiter wrote:
>
>> Were you able to determine the attack vector that was used to be able
>> to modify bootstrap.inc?
>
> I just saw this performed on a D5 site. Bootstrap.inc was indeed altered, an
> additional system.php file was inserted in the modules folder, and the
> pernicious (drug) website files were inserted into the cgi folder *above*
> the webroot. The code was sniffing passwords. Several files contained
> nothing but hashes.
>
> I mention this because if we see a pattern across many sites, this entire
> conversation should move to security reports offline.
>
> Laura
>
>
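
A sketch of the cron-driven hashing suggested in the reply above, added here as an example and not part of the original thread or of any Drupal project code. It uses SHA-256 in place of the MD5 mentioned in the thread, reports added files as well as modified ones (the inserted system.php and the altered bootstrap.inc described in the quoted message are one case of each), and assumes GNU coreutils; the function names and all paths are hypothetical.

```shell
#!/bin/sh
# Added example: integrity check meant to run from cron, outside Drupal.
# Assumptions: GNU coreutils sha256sum; the manifest lives on a path the
# web server user cannot write (all paths below are hypothetical).

# snapshot ROOT: print "<sha256>  <path>" for every regular file under ROOT.
snapshot() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# baseline ROOT MANIFEST: record the known-good state after a clean deploy.
baseline() {
    snapshot "$1" > "$2"
}

# verify ROOT MANIFEST: print ADDED/MODIFIED/REMOVED lines for every
# difference; return 0 if the tree matches, 1 if it does not.
verify() {
    now=$(mktemp) || return 2
    snapshot "$1" > "$now"
    # A sha256sum line is 64 hex chars, two separator chars, then the path,
    # so paths containing spaces survive the split.
    report=$(awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { old[path] = hash; next }
        { seen[path] = 1
          if (!(path in old)) print "ADDED " path
          else if (old[path] != hash) print "MODIFIED " path }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$2" "$now" | sort)
    rm -f "$now"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Cron usage (hypothetical paths):
#   integrity.sh verify /var/www/drupal /root/drupal.manifest
case "${1:-}" in
    baseline|verify) "$@" ;;
esac
```

Run `baseline` once after a clean deploy and again after each legitimate update; cron mails any output, so a non-empty `verify` report means files changed outside that process.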

