[development] Fully patched site hacked and cloaked

Steve Power steev at initsix.co.uk
Wed Jan 27 16:56:10 UTC 2010


http://la-samhna.de/samhain/  if you have the resources to run it (it's
complex)

Or, an afternoon's work should have something nice going on if you use
tripwire http://sourceforge.net/projects/tripwire/

Not sure how to do this on a shared host tho.

On Wed, Jan 27, 2010 at 4:41 PM, Steven Jones <
steven.jones at computerminds.co.uk> wrote:

> > Is it a good security tip to monitor the integrity of Drupal sources by
> > using MD5 hashes on the files ?
> > Is there a known/efficient way to achieve this ?
>
> http://drupal.org/project/md5check
>
> But this is a drupal module, and thus pretty useless, because it is
> part of the system that you're looking to stop being modified. Better
> to just hash some files on cron or something if you care to leave your
> drupal installation writeable by the web server.
>
> Regards
> Steven Jones
> ComputerMinds ltd - Perfect Drupal Websites
>
> Phone : 024 7666 7277
> Mobile : 07702 131 576
> Twitter : darthsteven
> http://www.computerminds.co.uk
>
>
>
> 2010/1/27 Nicolas Tostin <nicolast at logis.com.mx>:
> > Is it a good security tip to monitor the integrity of Drupal sources by
> > using MD5 hashes on the files ?
> > Is there a known/efficient way to achieve this ?
> >
> >
> > ----- Original Message -----
> > From: "Laura" <pinglaura at gmail.com>
> > To: <development at drupal.org>
> > Sent: Wednesday, January 27, 2010 9:53 AM
> > Subject: Re: [development] Fully patched site hacked and cloaked
> >
> >
> > On Jan 27, 2010, at Wed 1/27/10 4:45am, Gerhard Killesreiter wrote:
> >
> > >> Were you able to determine the attack vector that was used to be able
> >> to modify bootstrap.inc?
> >
> > I just saw this performed on a D5 site. Bootstrap.inc was indeed altered, an
> > additional system.php file was inserted in the modules folder, and the
> > pernicious (drug) website files were inserted into the cgi folder *above*
> > the webroot. The code was sniffing passwords. Several files contained
> > nothing but hashes.
> >
> > I mention this because if we see a pattern across many sites, this entire
> > conversation should move to security reports offline.
> >
> > Laura
> >
> >
>



--
Steve Power
Principal Consultant
Mobile: +44 (0) 7747 027 243
Skype: steev_initsix
www.initsix.co.uk :: Initsix Heavy Engineering Limited
--
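
Added example, not part of the original message and not code from Drupal, Samhain or Tripwire: a minimal version of the "hash some files on cron" idea discussed in the thread, reporting modified, added and removed files against a stored baseline. It uses SHA-256 rather than the MD5 mentioned in the thread; the function names and the sample tree are constructed for illustration, and it assumes the baseline is kept somewhere the web server user cannot write and that the check runs as a different user.

```python
import hashlib
import json
import os
import tempfile

def hash_tree(root):
    """Return {relative_path: digest} for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path):
                # Record where a symlink points instead of hashing its target.
                manifest[rel] = "symlink:" + os.readlink(path)
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest

def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh scan."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed sample tree: take a baseline, change the tree, re-check."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("includes", "modules"):
            os.makedirs(os.path.join(root, sub))
        bootstrap = os.path.join(root, "includes", "bootstrap.inc")
        with open(bootstrap, "w") as fh:
            fh.write("<?php // constructed original\n")
        # Round-trip through JSON, as if the baseline were stored off-host.
        baseline = json.loads(json.dumps(hash_tree(root)))
        with open(bootstrap, "a") as fh:           # existing file altered
            fh.write("// constructed change\n")
        with open(os.path.join(root, "modules", "system.php"), "w") as fh:
            fh.write("<?php // constructed extra file\n")  # new file dropped
        return compare(baseline, hash_tree(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The "added" list matters as much as "modified": a check that only re-hashes known files would not notice a new file placed beside them.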