[support] Hacked Drupal Site

dd at sucuri.net dd at sucuri.net
Thu Apr 15 19:28:09 UTC 2010


Hi David,

You asked for a monitoring solution that will alert you if your site
is modified or gets hacked/with malware.

You could try http://sucuri.net. That's exactly what it does :)

As far as your malware problem, we are seeing a large number of
desktop viruses stealing FTP/SFTP credentials stored
on FTP/SFTP clients.  Have you changed your password? Are you running
a good AV as well?

Thanks,

>(Not sure if there's a better place to ask this)
>
>My Drupal site was hacked recently. index.php was modified at the top
>to include another file which was a static page with a lot of nonsense
>about Cialis but also had a nasty <?php
>eval(gzinflate(base64_decode([string]))) ?> at the bottom.
>
>I don't know whether it was a Drupal issue: I was running 6.14 and had
>a couple of modules that were one step behind on upgrading, but
>nothing that seemed too dangerous. All visitors to my site are
>anonymous and can't upload any files etc.
>
>My site is hosted on Rackspace Cloud Sites and I use SFTP. I'm not
>aware of anything dodgy on my local system (Kaspersky doesn't report
>anything).
>
>I've edited index.php and deleted a few files I have found on the site.
>
>I've changed my FTP password.
>
>Is there anything I can do on a production site to make sure this
>doesn't happen again? Without knowing where the attack came from I'm a
>bit concerned. Would copying index.php to (say) front.php, get
>htaccess to use that as the default page, and create a dummy index.php
>fool an automated attack? Probably not.
>
>Alternatively, does anyone know of a good monitoring service that
>would text me if a page on a site changes, so at least I know
>straightaway if this happens again, rather than it being up over a
>weekend.
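
Added example, not part of the original thread: a minimal sketch of the two checks discussed above, a hash baseline that reports added or modified files (the edited index.php and the dropped page) and a scan for the `eval(gzinflate(base64_decode(` chain quoted in the post. The function names, the suffix list, and the sample docroot are assumptions constructed for illustration; the payload string is an inert placeholder.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# The obfuscation idiom quoted in the post: eval(gzinflate(base64_decode(...)))
OBFUSCATED = re.compile(rb"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(", re.I)
PHP_SUFFIXES = {".php", ".inc", ".module"}  # assumed list of PHP-bearing suffixes


def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff(baseline, current):
    """Compare two snapshots and return (added, removed, modified) path lists."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return added, removed, modified


def find_obfuscated(root):
    """Return PHP-like files under root that contain the eval/gzinflate/base64 chain."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in PHP_SUFFIXES and OBFUSCATED.search(p.read_bytes())
    )


def demo():
    """Constructed docroot: take a baseline, simulate the tampering, report it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.php").write_text("<?php\nrequire_once './includes/bootstrap.inc';\n")
        baseline = snapshot(root)
        # Simulated compromise: include added to index.php, new file dropped beside it.
        (root / "index.php").write_text("<?php include 'extra.php';\nrequire_once './includes/bootstrap.inc';\n")
        (root / "extra.php").write_text("<html>spam</html>\n<?php eval(gzinflate(base64_decode('PLACEHOLDER'))); ?>\n")
        return diff(baseline, snapshot(root)), find_obfuscated(root)


if __name__ == "__main__":
    print(demo())
```

Keep the baseline somewhere the web server and SFTP accounts cannot write, and run the comparison from a separate host or schedule, so that an intruder who can edit index.php cannot also rewrite the reference hashes.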

