I read a thread at http://www.digitaldrake.com/wordpress-site-hacked/ and indeed found evidence of an attack called xccgtswgokoe on our live site. Many .htaccess files have been injected into our server that shouldn't be there. They are redirecting our traffic.
I manually renamed the .htaccess files yesterday, but they got injected again today. So, our server is compromised. GoDaddy says we need to take care of it ourselves. I'm guessing we need to change passwords, but I want to make sure that's done correctly for everything that's dependent on those passwords.
And I'm not sure how to do that. I'm guessing we also need to review our logs to figure out how this is happening and to prevent it from happening. Can anyone advise us on how we can correctly change our passwords and prevent this from happening?
Comments
What I would do
Hi,
without further information I would suggest the following (it's what I would do):
DISCLAIMER: I wrote this down from the top of my head. Proceed at your own risk and make sure you know what you are doing.
1 backup your site and mysql db before you proceed.
2 change the passwords for ALL ftp-users (because ftp seems to be the most likely attack vector for what you are describing)
3 rename the offending .htaccess files (remember to delete them after you are done with the rest of this stuff)
4 then put your drupal site in maintenance mode, change the admins' passwords (of all admins) and make sure that your drupal installation and all modules are up-to-date (because this could also be an attack vector)
5 if any module is not up-to-date, do an update.
6 bring your site back online and check if everything works as expected
7 delete the formerly renamed .htaccess-files
If the attack was solely based on ftp-access then you could get away with steps 1, 2, 3 and 7. If it was based on an insecure drupal installation, you need to do all of the above.
You might want to read up on securing files in the security guide here: http://drupal.org/node/244924 and drupal security in general overhere: http://drupal.org/security/secure-configuration
Good luck and let us know how you fixed it!
Best regards,
Stefan
One more thought
Just to clear up any misunderstanding: the stuff I suggested in my earlier post is what you should do as an immediate fix to make sure that you stop any attacker from doing further damage to your installation. It is not a long term solution and quite possibly not enough. Your site was probably compromised in such a way that you cannot be sure that your drupal scripts are in tact. It is quite possibly that your drupal installation is serving malicious stuff to your users or doing other things. So, after securing your site again, you really should re-install drupal (or revert to a clean backup), making sure that no malicious scripts are on your server. (Not sure if this also applies to the DB content. Maybe someone else can suggest something here.)
Best regards,
Stefan