Hi,

I have a site, www.redtonemedia.co.uk running 6.27 and all modules up to date. However, yesterday I found it had been compromised - I found thousands of unwanted users and thousands of new nodes. On a closer look, I found that the user settings had been changed to "Visitors can create accounts and no administrator approval is required."

So I took the site offline and removed all of the unwanted content. Then I changed the User settings back to "Only site administrators can create new user accounts." and changed the admin password before putting the site back online.

Unfortunately the site is still compromised, and I have the same situation as yesterday, with thousands of unwanted users and thousands of new nodes and the user settings has again been changed to "Visitors can create accounts and no administrator approval is required."

Clearly I've been hacked somehow. Can anyone shed light on how?

Comments

You want to change your

You want to change your control panel, server, ftp and database passwords. (Changing the database passwords means you will need to edit settings.php). You will also want to change the passwords for any Drupal account with admin access.


Might also be an idea to check your logs - within Drupal and on your server/host - to see how someone got in.
Your user registration seems to be protected enough and some of the obvious www.redtonemedia.co.uk/admin/.... links I just tried are fine as well - did not try all of them .....

All the best - very annoying - I know and had to spend some time on this myself some time ago .....

-----------
Good luck .....
... more recent results of trying Drupal just once are -
www.native-power.de
Malls and More

Don't use control panel or

Don't use control panel or ftp - I use the command line on the server and only allow access via ssh.

Anyway, I've changed all the mysql passwords and it seems to have settled down, for now.....


What is the setting under how users register?

Do they need admin approval or can they just register freely?
Did you ask for email confirmation before a user is accepted and can go live?

Have a look at spam control in case you need users to be able to register freely.
Well, you will need spam control in any case now that your site has been targeted.
You can also use roles so that newly registered users cannot publish anything freely; change the publishing settings so you can check first. When you have trustworthy users, allow them to move up a role to publish straight away later.
But as you have already been targeted - start to read up and implement spam control. That will stop mass registration.
Might be best to go for admin approval for new users initially and once you have your spam control and related security worked out you can go change to "open" registration.

I am sure the problem is in your settings. Not in Drupal. I have a number of sites and can see regular attacks, resulting in whole countries like Russia, Ukraine, Poland, China, etc. being blocked using IP banning (Troll module) etc. on some sites. On other sites different strategies are required.

Once you sort the wider issues around security and spamming your site will be fine.

And it would be nice if you could report back with a few links to the modules you will finally have implemented.


no-one's blaming drupal

No-one's blaming Drupal, tryitonce. I've been running webservers for a long time and stuff happens from time to time.....


Sure - maybe you could let us know if you find the hole that might have allowed someone in.
Quite annoying, those spammers stealing bandwidth and admin time, and worrying if hackers with darker intents.
But then those poor buggers might be sad geeks or, worse again, sweat-shop hackers exploited all the way down the line to back streets in .....


So I've reset the mysql admin

So I've reset the mysql admin passwords and run the excellent security review module, which highlighted a few issues, not least some file permission problems on my server.....


If it's a full compromise

If it's a full compromise (not just making Drupal accounts and content), the first thing the bad guys do is to install a back door to make sure they can get back in after you lock them out. They'll often insert some back door code into your existing PHP.

You may wish to do some integrity checking to make sure nothing's been changed, or even re-install all your modules from scratch to make sure there's no bad code in them. Comparing to known-good backups might help.

--
www.ztwistbooks.com. Math books that are actually fun.
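The integrity check suggested in the last comment, as an added example that is not part of the original thread or of Drupal itself: a POSIX shell script that hashes every PHP-bearing file under a docroot into a manifest, compares the live site against a manifest taken from a known-good copy (a clean checkout or a pre-compromise backup), and greps for the constructs injected back doors typically rely on. The docroot paths, file extensions and the pattern list are assumptions for illustration; it expects GNU coreutils (`sha256sum`) and a `grep` that understands `--include`.

```shell
#!/bin/sh
# Added example (not from the thread above or from Drupal): file-integrity
# manifest, manifest comparison and a back-door pattern scan for a Drupal 6
# docroot. Paths, extension list and patterns are illustrative assumptions.

# Hash every PHP-bearing file under DOCROOT into MANIFEST as "<sha256> <path>",
# one per line, sorted by path so two manifests of an identical tree match.
# Usage: make_manifest /var/www/site /root/site.manifest
make_manifest() {
    docroot=$1
    manifest=$2
    ( cd "$docroot" &&
      find . -type f \( -name '*.php' -o -name '*.inc' -o -name '*.module' \
                        -o -name '*.install' -o -name '*.theme' -o -name '*.engine' \) |
      LC_ALL=C sort |
      while IFS= read -r f; do
          printf '%s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
      done
    ) > "$manifest"
}

# Compare DOCROOT against BASELINE, a manifest taken from a known-good copy.
# Prints one CHANGED / NEW / MISSING line per difference (sorted) and returns
# 1 if anything differs, 0 if the tree is identical to the baseline.
# Usage: check_manifest /var/www/site /root/site.manifest
check_manifest() {
    docroot=$1
    baseline=$2
    current=$(mktemp)
    make_manifest "$docroot" "$current"
    report=$(awk '
        # $1 is the 64-char hash; the path starts after the hash and one space,
        # so substr() keeps paths containing spaces intact.
        NR == FNR { base[substr($0, 66)] = $1; next }
        {
            p = substr($0, 66); seen[p] = 1
            if (!(p in base))       print "NEW     " p
            else if (base[p] != $1) print "CHANGED " p
        }
        END { for (p in base) if (!(p in seen)) print "MISSING " p }
    ' "$baseline" "$current" | LC_ALL=C sort)
    rm -f "$current"
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Grep DOCROOT for constructs injected PHP back doors commonly use: eval of
# decoded/inflated strings, the /e modifier of preg_replace, assert() on
# strings, and request parameters called as functions. Legitimate code uses
# some of these too (Drupal core itself calls base64_decode), so every hit is
# a lead to read by hand, not proof of compromise. Exit status is grep's:
# 0 when at least one line matched, 1 when nothing did.
# Usage: scan_backdoors /var/www/site
scan_backdoors() {
    docroot=$1
    grep -rnE --include='*.php' --include='*.inc' --include='*.module' \
         --include='*.install' --include='*.theme' --include='*.engine' \
        'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|gzuncompress[[:space:]]*\(|str_rot13[[:space:]]*\(|preg_replace[[:space:]]*\([^)]*/e|assert[[:space:]]*\(|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\][[:space:]]*\(' \
        "$docroot"
}
```

Take the baseline manifest from a copy you trust (a fresh download of the same core and module versions, unpacked elsewhere, or a backup that predates the first break-in), not from the live tree, and keep it outside the docroot so an attacker who can write PHP cannot also rewrite the list. A CHANGED core or contrib file, or a NEW .php file under `sites/default/files` or inside a module directory, is exactly the back door the comment describes; a MISSING file is worth a look too, since attackers sometimes remove update or logging code. Re-run the scan after every clean-up until it stays quiet.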