I'm a relatively new user of Drupal, having just launched my site in the past 3 months. While I've found it relatively easy to create a site, gain Drupal knowledge, and apply it as it grows, I'm not a programmer and would like to arm myself to fully understand how to best protect my site from attack. I know many of you out there have great tips.
Today I realized my site was hacked, as all menu items and URLs were directed to the home page. In addition, when I tried to log in as site administrator, my user/password fields were erased as soon as info was entered. An investigatory request-new-password email never arrived... so I dumped my database and restored it with a backup, and changed my password. It works now.
A cursory look around my hosted environment: I found a new .htaccess file called .htaccess_addHandlerbak, which I removed. I didn't notice anything in this file... but other than the fact that it existed, I didn't know where exactly to look for clues.
In log files, recent fishy direct URL requests:
http://www.mysite.com/MSOffice/cltreq.asp?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0
http://www.mysite.com/_vti_bin/owssvr.dll?UL=1&ACT=4&BUILD=2614&STRMVER=4&CAPREQ=0
http://www.mysite.com/filter/%22http://mysite.com%22%3Emy%20site%3C/a%3E%3C/code
http://www.mysite.com/blog/xmlprc.php
I had banned the associated IP addresses after the logged event, but before my site stopped working.
Anything else I should be looking for? Or doing? I'm just going on instinct here, as opposed to real-world practice...
I'm running Drupal 5.6 (and followed the recent security directive on register_globals).
Webhost: Hostmonster
PHP 5.2.5
Apache 2.2.6
Any insight would be truly appreciated, and I'm sure will help other non-programmer newbies!
Comments
I'm seeing the same in my logs.
Message: MSOffice/cltreq.asp
Severity: warning
Message: _vti_bin/owssvr.dll
Severity: warning