My Site Was Defaced ("hacked"), What Should I Do Now?

Basics

Attacks can happen in a variety of ways. Even if the only web application running on your server is Drupal, it's possible that the attacker used a different method of gaining access to your server to deface your site.

Rule out other attack vectors

  • The entry point may not be Drupal at all, but FTP, SSH, or another attack vector
  • Check Apache's logs for suspicious activity. This might indicate a vulnerability in a web application, possibly Drupal.
  • Other applications on the server
  • Other accounts on a shared server
  • Make sure you are not running an out-of-date Drupal version
  • Check the recent Security Announcements for Drupal and contributed modules. Would any of them enable the kind of attack that happened to your server?

What to report to the Drupal Security Team

  • Drupal version
  • List of contributed modules and their versions
  • Apache/PHP versions
  • Do you maintain your site via FTP? If not, is your site accessible using FTP?
  • Name of your hosting company
  • Permissions on the files in your Drupal directory (e.g. from ls -l in the Drupal installation directory)
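One way to gather the file-permission item for the report, as an added example that is not part of the original page or of Drupal's own tooling: alongside the plain ls -l listing it flags every entry that any local account can write to, which matters most when other accounts share the server. The function names and the path argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: collect the file-permission part of the report.
# Usage (script name and path are hypothetical): sh perm_report.sh /path/to/drupal

# List, ls -l style, every file and directory under the given root whose
# "other" write bit is set. Symlinks are skipped because their own mode
# bits do not control access to the target.
world_writable() {
    find "$1" ! -type l -perm -0002 -exec ls -ld {} +
}

# Count the same entries. One dot is printed per match so that unusual
# file names (spaces, newlines) cannot distort the count.
count_world_writable() {
    find "$1" ! -type l -perm -0002 -exec printf '.' \; | wc -c | tr -d ' '
}

# Full report: the top-level listing the checklist asks for, followed by
# the world-writable entries found anywhere below the root.
permission_report() {
    echo "== ls -l of $1 =="
    ls -l "$1"
    echo "== world-writable files and directories under $1 =="
    world_writable "$1"
    echo "== total world-writable: $(count_world_writable "$1") =="
}

# Run the report only when a directory was passed on the command line.
if [ "$#" -gt 0 ]; then
    permission_report "$1"
fi
```

Redirect the output to a file and attach it to the report rather than pasting a screenshot.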