I've got a critical problem! It appears our Russian friends have returned with spam posts, logging in as users and posting comments.

Only this time is different. Somehow they've managed to hack the admin interface. When I login as user #1, I get access denied. So right now I'm frozen out of the website!

I DESPERATELY need some help on this! How can one regain admin access without deleting the entire dataset?

Comments

zoon_unit’s picture

This appears to be a major security breach of Drupal core, since it is now impossible for the admin to login at all.

Site is hosted on Dreamhost, version 4.7.5

Any help would be greatly appreciated!

pwolanin’s picture

To set your password, go into your database and run a query like "UPDATE {users} SET pass = MD5('newpassword') WHERE uid = 1;"

Did you (and everyone else with access to the PHP format) have a strong password? At the moment Drupal has no limit on password tries, so one could easily automate an attempt to crack a site.

Also, 4.7.6 has an important security update - you may have been done in by that bug?

---
Work: BioRAFT

zoon_unit’s picture

The "access denied" issue does not seem to be a password hack. Here are some of the traits:

1) I can login successfully once, but as soon as I try to "submit" anything, like delete the spam, ban the user or any other admin function, I get logged out and the "access denied" comes back up. I can log back in successfully an unlimited number of times, but whenever I try to submit an administer function, I'm logged out yet again. Thus, I'm powerless to do anything.

2) I have more than two other users with moderator access. This same "logout" behavior is affecting all of them.

pwolanin’s picture

You have a site backup, right?

I'd suggest you backup your DB (again), upgrade the site to 4.7.6 ASAP, and replace all contrib modules files with the latest version too.

Are you on the security mailing list: http://drupal.org/security

---
Work: BioRAFT

WisTex’s picture

Since there is no limit on password tries, maybe the following technique should be implemented:

First 3 attempts, it shows the login box as it does now.
On the 4th attempt (and any attempt after) it also gives a Turing Test to see if the login attempts are from a human or a machine.

--
Scott M. Stolz
http://www.wistex.com/
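The throttling idea above, as an added illustration (not code from the thread or from Drupal): a per-account failed-login tracker that shows the plain form for the first three attempts and demands a CAPTCHA answer from the fourth attempt onward until a valid login clears the counter or the failures age out. The window length, the class name and the `captcha_ok` flag are assumptions for the example.

```python
import time
from collections import defaultdict

MAX_FREE_ATTEMPTS = 3      # attempts 1-3 show the login box as it does now
WINDOW_SECONDS = 15 * 60   # assumed: failures older than this no longer count


class LoginThrottle:
    """Tracks failed logins per account and decides when a CAPTCHA is required."""

    def __init__(self, now=time.time):
        self._now = now                       # injectable clock, so tests can advance time
        self._failures = defaultdict(list)    # account -> timestamps of recent failures

    def _recent(self, account):
        """Drop failures outside the window and return the ones that still count."""
        cutoff = self._now() - WINDOW_SECONDS
        self._failures[account] = [t for t in self._failures[account] if t > cutoff]
        return self._failures[account]

    def captcha_required(self, account):
        return len(self._recent(account)) >= MAX_FREE_ATTEMPTS

    def attempt(self, account, password_ok, captcha_ok=False):
        """Process one login attempt.

        Returns 'ok' on success, 'captcha' when the form must be redisplayed
        with a Turing test (the password is not even checked in that state,
        so an automated guesser learns nothing), or 'failed' otherwise.
        """
        if self.captcha_required(account) and not captcha_ok:
            self._failures[account].append(self._now())   # guesses still burn attempts
            return "captcha"
        if password_ok:
            self._failures.pop(account, None)             # valid login resets the counter
            return "ok"
        self._failures[account].append(self._now())
        return "failed"
```

Keying the counter on the account alone lets anyone lock a known username behind a CAPTCHA, which is the intended trade-off here (a CAPTCHA, not a lockout); a production version would also track by source address.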

AjK’s picture

Are you really sure you are running Drupal 4.7.5 and not 4.7.4 or earlier?

This sounds more like http://drupal.org/node/102114 to me than a hack.

sqlwiz@drupal.org’s picture

I recently experienced the Dreamhost php upgrade problem.

My site is Drupal 4.75 on Dreamhost with php 5.1.

I had not logged into admin for a month and when I tried I got the exact behavior described above. Looking around the Dreamhost forums I learned of a recent upgrade to php 5.2 that had been rolled back due to this login problem.

Since I still had the problem, I changed the domain to use php 4 for now on the Dreamhost panel and that worked for me.

csc4’s picture

That sounds very odd!

To regain control I'd suggest removing anonymous access to the site (and PHPMyAdmin) at the web server level (having made sure you have a username/password access set of course) - that should at least get them off in real time. I think I'd then copy the database and restore a backup from a week or so ago and see if sanity returns - that will confirm whether they've actually compromised the database or the PHP... ?

sepeck’s picture

I will point out that there was a Drupal release of 4.7.6 on Feb 29th that addressed a security issue.

Steps you can do now. Shut down your site. Either have your host shut it down or do so through cPanel/etc. Restore from a recent known good backup. Change your passwords. Upgrade to the latest secure Drupal version.

In the Troubleshooting FAQ is a way to change the password for UID1 through the database directly but I wouldn't worry about that if you can restore from a known good backup. If you can't restore from a backup, then you have to do the database password change and hope you can sanitize your site.

Good luck,
-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain

zoon_unit’s picture

After much research and wringing of hands I've ferreted out the situation. MANY THANKS to the Drupalers here who sent me in the right direction.

Apparently, the hacking issue and the authentication issues were separate. They just happened simultaneously, taking me down the wrong logic path.

Dreamhost is indeed updating PHP on my server and this triggered the authentication issue. I'll be upgrading my site to 4.7.6 this weekend. (In the meantime, I switched to an earlier version of PHP, however this causes issues with images not showing up??)

Thanks again for the support!

AjK’s picture

I suspected as much since PHP5.2.1 was recently released. However, if you believe you have been hacked in some way please report your findings to security@drupal.org or use the contact tab (top right corner of this site) to report it. We want to know about anything like this.

zoon_unit’s picture

Still trying to learn proper protocol. :-)

Although I wasn't "hacked" in this particular instance, spamming has become a real issue lately. I've been wanting to use the captcha module to try and foil the spambots, but it contains an error that has lingered for a month now. The captcha page tries to validate when entered rather than after a submit, causing an error that tells users they've entered the wrong answer even before they've typed anything.

This has been reported several times, several patches by users have been submitted, then stated as invalid, and so on. So far, there has been no update to fix this error.

The reason I mention this here, is that spam, like security, is becoming a critical issue with most webmasters. It seems that spam resistance should be a critical item to be addressed by the core developers, as well as security.

AjK’s picture

I, like yourself, hate spam. It's the bane of humanity (well, those humans with an email address or interactive website) but please do not confuse spam with security. Security is an entirely different issue.

Webmasters et al are concerned with spam. There are developers who create modules to help avoid spam. Follow those routes if you need but the title of this post, "Drupal sites hacked!" is very provocative and gives a bad impression of the software as a whole.

Your site wasn't "hacked" just used as a promotional aid (spammed) by someone else. Spam != security

Like myself, if you don't want spam, take measures to stop it. But don't blame the software because you as a webmaster choose to allow people to register and post to your site. So long as you do, you'll attract spammers.

pwolanin’s picture

Can you fix up the title for him? "Drupal sites spammed/can't login"

---
Work: BioRAFT

zoon_unit’s picture

users to edit their own posts.

Since I confused a PHP error with a hack, I know the title is incorrect and provocative, but there's nothing I can do about it.

Why don't we have the right to edit our own posts here? We know the software allows it.

sepeck’s picture

Because the permission to edit your own forum posts is Edit Nodes. Edit Nodes permission gives you rights across all content types. There are permissions modules that allow for more flexibility, drupal.org does not use these for a variety of reasons.

I will edit the title.

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain

zoon_unit’s picture

Another item for Drupal 6. :-)

voipfc’s picture

With Dreamhost you have the option of compiling your own php or making a copy of their php executable and running it through .htaccess changes.

I used a copy of theirs and .htaccess and my sites have not been affected by the upgrade.