My Drupal 5.x site got hacked...
The intruders were able to alter a blog post, which issued the following meta redirect (replaced angle brackets with square brackets):
[meta http-equiv="Refresh"content="0;URL=http://www.rootingforced.org/index"]
The text that normally reads "forums" at the top of the forum page has also been edited.
My logs have been flushed with the exception of the 'recent hits' page. The entries in question seem to be:
05/07/2007 - 4:53pm [meta http-equiv="Refresh"content="0;URL=http://www.rootingforced.org/index"]
node/117
05/07/2007 - 4:53pm Crucial Ballistix Tracer 2GB (2X1GB) PC2-8000 DDR2 Memory - $120
node/117/edit
05/07/2007 - 4:53pm Access denied
/
I've changed the administrator password, but does anyone have an idea what vulnerability I might have fallen subject to?
Comments
Ah ha!
So, I've been watching around for more details on how this might have been accomplished and while I don't understand the full details of the attack, I've gotten as far as figuring out that they used an anonymous FTP login to upload files to my server.
All that said, if your server runs an FTP daemon that allows for anonymous FTP uploads, be very wary of where your FTP upload directory sits.
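One way to check for the exposure the comment above warns about, as an added example that is not part of the original thread: a shell audit that reports whether an anonymous-FTP root can be reached through the web server's document root. The function names and both paths are assumptions, and world-writable permission is used only as an approximation of "anonymous users can upload here".

```shell
#!/bin/sh
# Added example (not from the thread). Both paths are assumptions supplied by
# the caller: the anonymous-FTP root and the web server's document root.

# Canonical, symlink-free path of a directory; fails if it does not exist.
canon() { (cd "$1" 2>/dev/null && pwd -P); }

# True if directory $1 is the same as, or lies beneath, directory $2.
is_within() {
  iw_child=$(canon "$1") || return 1
  iw_parent=$(canon "$2") || return 1
  [ "$iw_parent" = / ] && return 0
  case "$iw_child/" in
    "$iw_parent"/*) return 0 ;;
  esac
  return 1
}

# Prints one finding per line; returns 1 if uploads are reachable over HTTP.
audit_ftp_exposure() {
  ftp_root=$1; web_root=$2; rc=0
  if is_within "$ftp_root" "$web_root"; then
    echo "EXPOSED: FTP root is inside the web root"; rc=1
  fi
  if is_within "$web_root" "$ftp_root"; then
    echo "EXPOSED: web root is inside the FTP root"; rc=1
  fi
  # A directory symlink in the web tree exposes uploads even if roots differ.
  links=$(find "$web_root" -type l 2>/dev/null)
  while IFS= read -r link; do
    [ -n "$link" ] || continue
    if is_within "$link" "$ftp_root"; then
      echo "EXPOSED: symlink $link resolves into the FTP root"; rc=1
    fi
  done <<EOF
$links
EOF
  # World-writable directories approximate where anonymous uploads can land.
  find "$ftp_root" -type d -perm -0002 2>/dev/null | sed 's/^/WRITABLE: /'
  return "$rc"
}

# Usage: audit_ftp_exposure /path/to/ftp/root /path/to/web/root
```

An `EXPOSED` line means a file uploaded over FTP can be requested, and possibly executed as a script, through the web server; `WRITABLE` lines list the directories to review or lock down.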