[development] Fully patched site hacked and cloaked

Matt Chapman matt at ninjitsuweb.com
Wed Jan 27 17:43:16 UTC 2010


I'm hosting a few Drupal 5 & 6 installs on Rackspace Cloud Servers; so
far, no problems, but I'll definitely be on alert now.

Also FTR, I've seen a similar (but not quite identical) sort of attack
on a xcart installation on another host.

Thanks,

Matt


On Wed, Jan 27, 2010 at 8:56 AM, Steve Power <steev at initsix.co.uk> wrote:
> http://la-samhna.de/samhain/  if you have the resources to run it (it's
> complex)
>
> Or, an afternoon's work should have something nice going on if you use
> tripwire http://sourceforge.net/projects/tripwire/
>
> Not sure how to do this on a shared host though.
>
> On Wed, Jan 27, 2010 at 4:41 PM, Steven Jones
> <steven.jones at computerminds.co.uk> wrote:
>>
>> > Is it a good security tip to monitor the integrity of Drupal sources by
>> > using MD5 hashes on the files ?
>> > Is there a known/efficient way to achieve this ?
>>
>> http://drupal.org/project/md5check
>>
>> But this is a drupal module, and thus pretty useless, because it is
>> part of the system that you're looking to stop being modified. Better
>> to just hash some files on cron or something if you care to leave your
>> drupal installation writeable by the web server.
>>
>> Regards
>> Steven Jones
>> ComputerMinds ltd - Perfect Drupal Websites
>>
>> Phone : 024 7666 7277
>> Mobile : 07702 131 576
>> Twitter : darthsteven
>> http://www.computerminds.co.uk
>>
>>
>>
>> 2010/1/27 Nicolas Tostin <nicolast at logis.com.mx>:
>> > Is it a good security tip to monitor the integrity of Drupal sources by
>> > using MD5 hashes on the files ?
>> > Is there a known/efficient way to achieve this ?
>> >
>> >
>> > ----- Original Message -----
>> > From: "Laura" <pinglaura at gmail.com>
>> > To: <development at drupal.org>
>> > Sent: Wednesday, January 27, 2010 9:53 AM
>> > Subject: Re: [development] Fully patched site hacked and cloaked
>> >
>> >
>> > On Jan 27, 2010, at Wed 1/27/10 4:45am, Gerhard Killesreiter wrote:
>> >
>> >> Were you able to determine the attack vector that was used to be able
>> >> to modify bootstrap.inc?
>> >
>> > I just saw this performed on a D5 site. Bootstrap.inc was indeed
>> > altered, an additional system.php file was inserted in the modules
>> > folder, and the pernicious (drug) website files were inserted into the
>> > cgi folder *above* the webroot. The code was sniffing passwords. Several
>> > files contained nothing but hashes.
>> >
>> > I mention this because if we see a pattern across many sites, this
>> > entire conversation should move to security reports offline.
>> >
>> > Laura
>> >
>> >
>
>
>
> --
> --
> --
> Steve Power
> Principal Consultant
> Mobile: +44 (0) 7747 027 243
> Skype: steev_initsix
> www.initsix.co.uk :: Initsix Heavy Engineering Limited
> --
>
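Added example for this thread (not code from any of the posters above, nor from Drupal or the md5check module): the "hash some files on cron" approach Steven suggests, written out as a small POSIX shell script, with Laura's findings as the test case, a changed includes/bootstrap.inc and a dropped modules/system.php. It uses sha256sum rather than MD5, skips the upload directories (sites/*/files and the Drupal 5 top-level files/) that legitimately change at runtime, and assumes GNU coreutils and awk; the docroot and manifest paths in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster or from Drupal.
# Baseline-and-compare integrity check for a Drupal docroot.
# Assumptions: GNU coreutils (find -print0, sort -z, xargs -0, sha256sum)
# and awk are available; the docroot and manifest paths below are
# placeholders, not real paths from the thread.
#
# Intended use:
#   1. Right after a clean install/upgrade, as a user that is NOT the web
#      server user:
#        sh drupal-integrity.sh baseline /var/www/drupal /var/lib/integrity/drupal.sha256
#   2. From cron as that same user, e.g. hourly:
#        sh drupal-integrity.sh check /var/www/drupal /var/lib/integrity/drupal.sha256
#   The manifest and this script must live outside the docroot and be
#   unwritable by the web server; otherwise they are part of what the
#   attacker can edit, which is the objection raised against md5check above.

# build_baseline DOCROOT MANIFEST
# Hashes every regular file under DOCROOT except the upload directories
# (sites/*/files and the Drupal 5 top-level files/), which legitimately
# change at runtime, and writes "sha256  ./path" lines to MANIFEST.
build_baseline() {
    ( cd "$1" && find . -type f \
          ! -path './sites/*/files/*' ! -path './files/*' -print0 \
        | sort -z | xargs -0 sha256sum ) > "$2"
}

# check_baseline DOCROOT MANIFEST
# Rehashes DOCROOT and prints one line per difference:
#   CHANGED ./path   hash differs from the baseline (e.g. an edited bootstrap.inc)
#   ADDED ./path     file not in the baseline (e.g. a dropped modules/system.php)
#   REMOVED ./path   baseline file is gone
# Returns 0 when the tree matches the baseline, 1 otherwise.
check_baseline() {
    current=$(mktemp) || return 1
    build_baseline "$1" "$current"
    # sha256sum lines are fixed-format: 64 hex chars, two spaces, then the
    # path, so the path is taken from column 67 and may contain spaces.
    awk '
        FILENAME == ARGV[1] { base[substr($0, 67)] = $1; next }
        {
            p = substr($0, 67)
            if (!(p in base))       { print "ADDED " p;   bad = 1 }
            else if (base[p] != $1) { print "CHANGED " p; bad = 1 }
            seen[p] = 1
        }
        END {
            for (p in base) if (!(p in seen)) { print "REMOVED " p; bad = 1 }
            exit bad + 0
        }
    ' "$2" "$current"
    rc=$?
    rm -f "$current"
    return $rc
}

case "${1:-}" in
    baseline) build_baseline "$2" "$3" ;;
    check)    check_baseline "$2" "$3" ;;
esac
```

The exclusions are what keep the cron output quiet; a site with other web-writable paths (a custom upload directory, a cache directory inside the docroot) needs them added to the find arguments, and anything left writable by the web server is by definition outside what this check protects. A non-zero exit from the cron job is the alert; pipe the output into mail or a log that the web server user also cannot touch.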

