Hi there, my Drupal site was hacked - I just wanted to post the details in case this security issue becomes a problem for other users. This morning, checking the site, I got a syntax error on the index page, so after downloading index.php there is a ton of Cialis & Viagra spam embedded in the file.

Not sure how the site was hacked. It is only averaging 80 unique visitors a day & I've never had any problems like this before on other sites I've built.

Recently an article was submitted to shoutwire.com so I assume the site being exposed on Shoutwire must have something to do with it.

Also, since I have no recent backups, how can I restore the index.php file - is it okay to use the one from the installation package ?

Edited by: VeryMisunderstood; removed code that referenced cialis, viagra & other pharmaceuticals.

Comments

chmod u-w index.php

ouch!

I checked the perms on my index.php:
# ls -al index.php
-rw-r--r-- 1 apache apache 872 Feb 4 13:22 index.php

and as you can see the user apache had (past tense) write permissions!

a quick chmod fixed that:
chmod u-w index.php

the following also had write perms:
update.php
xmlrpc.php
install.php
cron.php
robots.txt

all of which are probably a no no.

to view all of the files on your site that have write perms:
find -L . -perm /u=w,g=w,o=w -type f ! -iwholename './files/*' -prune -print0 | xargs -0 echo

this prints out all files (not directories) that have write perms (excluding the files directory)
I believe apache will still need to have write perms for the files in files

to ensure your site is secure, in that no one (but root) can write:
find -L . -perm /u=w,g=w,o=w -type f ! -iwholename './files/*' -prune -print0 | xargs -0 chmod ugo-w

I just ran it on one of my sites and it didn't seem to break anything...?

-al
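An added example, not part of the thread, that turns the two find commands above into reusable functions and runs them against a constructed sample tree (file names mirror the ones listed in the comment). It assumes GNU find for `-perm /mode` and, unlike the `chmod ugo-w` above, strips only the group/other write bits so the owner keeps 644-style access; the upload directory `files/` is skipped in both directions.

```bash
#!/bin/sh
# Added example (not the thread's own code): audit a Drupal docroot for
# files that are group- or world-writable, skipping files/, then fix them.
# Assumes GNU find (-perm /mode) and a POSIX shell.
set -eu

# Print every regular file under $1 with the group or other write bit set,
# pruning the upload directory $1/files which the web server must write to.
list_writable() {
    docroot=$1
    find "$docroot" -path "$docroot/files" -prune -o \
        -type f -perm /g=w,o=w -print
}

# Remove group/other write bits from everything list_writable would report.
# Owner write is kept, matching the 644 model rather than ugo-w.
fix_writable() {
    docroot=$1
    find "$docroot" -path "$docroot/files" -prune -o \
        -type f -perm /g=w,o=w -exec chmod go-w {} +
}

# Build a constructed sample tree: index.php and cron.php left writable
# (as in the compromised site), one clean module, and a writable upload.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/files" "$site/modules"
    : > "$site/index.php";          chmod 664 "$site/index.php"
    : > "$site/cron.php";           chmod 666 "$site/cron.php"
    : > "$site/modules/ok.module";  chmod 644 "$site/modules/ok.module"
    : > "$site/files/upload.jpg";   chmod 664 "$site/files/upload.jpg"
    printf '%s\n' "$site"
}
```

Run `list_writable /path/to/docroot` first and review the list before calling `fix_writable`, since anything a module legitimately writes outside `files/` would also be locked down.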

yes you can use one from a new installation, in future make sure chmod permissions are set to 644 so that the file can't be written to.

What version of Drupal are you running ?

I'd double check my FTP program to ensure it's up to date, in case your FTP program is somehow uploading all files as 777.

I'd also check my apache logs to try and narrow down when this happened.

Why ....

It appears that your webserver was hacked. It's not a Drupal security problem, but rather a poorly configured server.

Why are your Drupal files owned by Apache? They should be owned by your user account, not by the webserver. The only files that should be writeable by the webserver are those in the files directory, which represent user uploads.

which user account? By chowning the site to apache:apache, it all just worked. :)

I am not using suexec or cgiwrap, so, I thought, apache is the user? Or is there some drupal magic goin' on? My site(s), by the way, have not been hacked, yet...

-al

User permissions

which user account? By chowning the site to apache:apache, it all just worked. :)

It should - it is a bit like chmodding everything 777 in terms of removing all your security.

I am not using suexec or cgiwrap, so, I thought, apache is the user? Or is there some drupal magic goin' on? My site(s), by the way, have not been hacked, yet...

No, you only want Apache to be able to read your files. If Apache can write to your files, then anyone with an account on the server can tell Apache to write whatever they want over your files - that includes anyone that 'owns' another site on that server too. Not only are you trusting all the other webmasters to not touch your stuff, you're trusting that they all have completely secure sites too.

Generally your FTP account should be the owner of everything and only that account should have any write permissions - except for directories that the web server needs to write to (eg files).

--
Anton

ah, yes, but of course...

This is how I like to learn, from the mistakes of others...

I am chief cook and bottle washer, sysadmin, webmaster, designer, etc, etc, and the sole admin, user, etc of my sites... and was getting more than a little sloppy about perms.

Thanks for the "heads up"; my perms are now correct. :)

-al
