[support] Hacked Drupal Site
Jim Tarvid
tarvid at ls.net
Thu Apr 15 19:06:57 UTC 2010
On Thu, Apr 15, 2010 at 12:58 PM, David <david at hartster.org> wrote:
> (Not sure if there's a better place to ask this)
>
> My Drupal site was hacked recently. index.php was modified at the top
> to include another file which was a static page with a lot of nonsense
> about Cialis but also had a nasty <?php
> eval(gzinflate(base64_decode([string])) ?> at the bottom.
>
> I don't know whether it was a Drupal issue: I was running 6.14 and had
> a couple of modules that were one step behind on upgrading, but
> nothing that seemed too dangerous. All vistiors to my site are
> anonymous and can't upload any files etc.
>
> My site is hosted on Rackspace Cloud Sites and I use SFTP. I'm not
> aware of anything dodgy on my local system (Kaspersky doesn't report
> anything).
>
> I've edited index.php and deleted a few files I have found on the site.
>
> I've changed my FTP password.
>
> Is there anything I can do on a production site to make sure this
> doesn't happen again? Without knowing where the attack came from I'm a
> bit concerned. Would copying index.php to (say) front.php, get
> htaccess to use that as the default page, and create a dummy index.php
> fool an automated attack? Probably not.
>
> Alternatively, does anyone know of a good monitoring service that
> would text me if a page on a site changes, so at least I know
> straightaway if this happens again, rather than it being up over a
> weekend.
> --
> [ Drupal support list | http://lists.drupal.org/ ]
>
So many things to check but first - what hosting environment are you on?
Shared, private virtual, dedicated?
Can you get the output of last | less?
Is your system log full of failed login attempts?
What are the permissions on the "document root" directory?
--
Rev. Jim Tarvid, PCA
Galax, Virginia
http://ls.net
http://drupal.ls.net
http://crossleft.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.drupal.org/pipermail/support/attachments/20100415/30c3aa1f/attachment-0001.html
More information about the support
mailing list