My Drupal 5.8 site has been hacked

Thomasr976 - July 16, 2008 - 04:09

I updated to Drupal 5.8 two days ago but my site got hacked. This is what I found when I typed in my URL:

haCked By r00t-x...GOt RooT..contact me:- r00tx0@gmail.com

I contacted my web host. What else should I be doing?

i am too. I can not go to

EgorfromMurmansk - July 16, 2008 - 05:41

I am too.
I can not go to cpanel, and when I go to phpMyAdmin http://www.mysiet.ru:2082/3rdparty/phpMyAdmin/ I get this note: haCked By r00t-x...GOt RooT..contact me:- r00tx0@gmail.com

I have not updated to 5.8; my Drupal 5.7 is on Drupal Value Hosting.

Please send a list of the

Keyz - July 16, 2008 - 06:06

Please send a list of the core and contrib modules that you have installed/enabled to the Drupal security team so they can look into it: http://drupal.org/contact
Also, I'd advise you to check with your host to see if this was a server wide problem or just limited to your own account (e.g. the server itself could have been compromised, not just Drupal... it's feasible that this hack is related to an unpatched version of mysql, php, etc).... you should inform your host in any case if you haven't yet, since they may want to do some security checks to ensure the hack hasn't compromised the server.

-- David
absolutecross.com

i am to :(

jmaties - July 16, 2008 - 07:30

I am updated to 5.8 on Drupal Value Hosting.

Two on the same host at the same time

Keyz - July 16, 2008 - 07:55

Two on the same host at the same time (and I'm assuming Drupal Value Hosting is a smaller volume specialized host)... sounds feasible that it may be Drupal Value Hosting's server, not Drupal itself - though of course just a guess (something similar happened on one of my servers once - someone was running an outdated version of Joomla, and through that the hacker was able to run code that damaged all the other sites on the server, including static HTML sites). On the other hand, the multiple hacked sites from the same hosting service could just be due to the IP addresses being similar, thus caught in the same scan by the hacker looking for Drupal. Please contact your host and let us know what they say. If they are positive that it was not the server that was hacked, then I'd go ahead and send your list of installed modules to the Drupal security team. In either case your host will want to identify the hacker's IP if possible in their logs and ban him from damaging further sites on their servers.

-- David
absolutecross.com

It's got me as well, and I'm

superjacent - July 16, 2008 - 08:07

It's got me as well, and I'm with drupalvaluehosting. I'm running 6.3 and 5.8 installations. Other than our host resetting things I can't see what more we can do.

Thank god, I backed up last night, everything.

___________________________

Steven Taylor
http://prime357.org

I contacted the drupal security team

Thomasr976 - July 16, 2008 - 15:34

As you suggested, I have contacted my host and have provided the Drupal security team with a list of modules used and my site parameters. Hopefully Drupal Value Hosting and the Drupal Security Team can work together to identify the hacker's IP address and take steps to prevent future damage.

I'm too! Similar problem

iBelarus - July 16, 2008 - 08:09

I'm too!
Similar problem

Okay, these files were

iBelarus - July 16, 2008 - 08:35

Okay, these files were modified
misc/maintenance.css
themes/engines/phptemplate/default.tpl.php
also a file was added to sites/all/default

I am also on

that0n3guy - July 16, 2008 - 13:13

I am also on drupalvaluehosting and have been hacked. I replaced the 2 files above, deleted the added x.html file and still no change on my site...

Anyone have any suggestions?

Also, I don't have access to cpanel so I can't change my pwds.

Want better gas mileage - Join the community - aquauto.com

ok

chegor - July 16, 2008 - 14:05

ok
This script replaces all files containing the words "default", "index" and "main" and creates files 92 bytes in size. It also creates a file x.html in a folder such as profiles/default.

Same problem on drupal value hosting

ckreutz - July 16, 2008 - 15:26

I also have a 5.7 version hacked on drupal value hosting. After all this trouble in the past weeks with DVH this really is it. Cannot access cpanel either, but in my case they at least removed the index.php, so I can access my website again. But it really looks like this is a DVH problem and I am not at all surprised when you look at their forums and see what happened the past weeks. Thanks for more information. I also had the hacking line in more pages.

In my case there was also an x.html file in sites/default with the hacking line. I still have it on the member profile. I guess it also pages with panels.

I don't understand how DVH

that0n3guy - July 16, 2008 - 15:49

I don't understand how DVH can go from being so awesome to sucking so bad in just a couple of months' time.

Want better gas mileage - no joke - Join the community - aquauto.com

My sites on drupalvaluehosting.com hacked too :((

Romka - July 16, 2008 - 09:34

My sites on drupalvaluehosting.com hacked too :(( server IP — 67.228.128.242.

My sites on drupalvaluehosting.com hacked too :(( server ip — 67

yelban - July 17, 2008 - 01:59

Me too, all subdomains on the same site.
My sites on drupalvaluehosting.com hacked too :(( server IP — 67.228.128.242.

It was Drupal Value Hosting's Super Monster server

Thomasr976 - July 16, 2008 - 11:07

Last night the Super Monster server was down at the same time. So far, no response from DVH. When I tried to get into my cpanel their server was not responding. Last night when I did this all I got was the hacker's message.

I am prepared to send a list of modules to the security team, since I backed up on July 13th and had upgraded to version 5.8. Let me know.

My site is back, but

Thomasr976 - July 16, 2008 - 13:48

The images in the teaser all have a border around them. No idea how that happened. I suspect something messed with the field image. Any suggestion is appreciated.

DVH sent email and asked me to do the following:

In case you notice that your hosting account security has been compromised, perform the following two steps:
1. Change your hosting account password
2. Log into your FTP and inside "/public_html/" folder, look for files starting with "index" in their names e.g. index.php, index.html and replace them with the default/original drupal file (any drupal version will do, since the index.php remains the same)

I can't access Cpanel to do that

I'm in the same boat. If

superjacent - July 16, 2008 - 13:56

I'm in the same boat. If you use SSH you can change your password, as I did, but I'm still locked out of cpanel. My site's back up, but in the interim I'm using another theme. It seems like whatever happened, it's messed with my preferred theme, Tapestry; the formatting is all out the window.

___________________________

Steven Taylor
http://prime357.org

Good to know that whatever hit us affected the theme only....

Thomasr976 - July 16, 2008 - 14:06

Anyway, at least I pray that is the only problem. You can see what my site looks like. It varies by browser, with IE6 placing a very ugly border around images in the teaser of my articles.

I don't use SSH. Did you replace the index files as DVH suggested? Since I backed up on Sunday and had a Drupal 5.8 installation, I'm tempted to just send DVH the backup and ask them to reinstall it. What do you think?

Short of the above, I was thinking of reinstalling the theme.

Tom

I removed all those files

superjacent - July 16, 2008 - 14:15

I removed all those files and replaced them with the standard ones as suggested by DVH. Fortunately, I've got a backup of the entire public_html directory and associated MySQL SQL dumps as of yesterday. As soon as cpanel is back I'll be restoring the backups; it's just too confusing to know which files were infected. One of my image folders went missing in the process, god knows what else might not be there.

I wish dvh would throw out another email advising us that it will be x hours before back to normal.

___________________________

Steven Taylor
http://prime357.org

How do you change your

that0n3guy - July 16, 2008 - 14:53

How do you change your password with ssh?

Want better gas mileage - no joke - Join the community - aquauto.com

Changing password

pcs305 - July 16, 2008 - 16:47

Yes what is the passwd syntax?

AND.. I may be wrong, but if r00t-x does as a matter of fact have root... what good will changing individual passwords be?

I did not have a minute to upgrade to 5.8 yet... So that sucks for me!

If I were you guys, I would

Keyz - July 16, 2008 - 17:08

If I were you guys, I would really recommend that you do a full reinstall of all Drupal's files. It is difficult to know whether the hacker has installed additional "backdoors" elsewhere in the midst of your files that can be used later to regain access or abuse your hosting account. This happened with the server I mentioned earlier (where an old Joomla site allowed all sites on the server to get defaced due to an insecure version of PHP)... initially I just restored the defaced index files. However a month or so later the hosting account was suspended without my knowledge - I had to contact the host, and found out that there was a directory hidden deep in my files that was hosting a scammer/phishing page, which the hacker had installed into place without my knowledge.

After you find out if the host itself has been compromised or not... unless you have a current/recent backup of your site that you could restore, I would highly recommend you backup, remove Drupal's core files and your modules, and restore them from a fresh copy of both Drupal core and your contrib modules (of course don't delete your own "files" and "sites" directories... treat it just as you would a regular version upgrade to Drupal). Look through every one of the remaining personal directories to make sure there is nothing there that shouldn't be. If you need guidance on restoring Drupal, my tips here should help.

Changing passwords in SSH is done with: passwd account_name (you'll then be prompted for the new password and confirmation). The hacker may not "actually" have full root on the server, despite his message.

-- David
absolutecross.com

I was thinking the same thing.......

Thomasr976 - July 16, 2008 - 18:11

I've never used SSH but your instructions are very good and besides I am not sure when that CPanel will be restored. Many thanks.

Still finding those hacker files

Thomasr976 - July 31, 2008 - 03:02

David

Just went through my files and sites folders looking for those 92 kb files left by that hacker. When I searched using cpanel they did not show up. Yet I found a whole bunch of them and deleted them.
I really thought that the backup provided the day before would be clean but it's not.

I understand the need to do a complete Drupal install; in fact I am going to upgrade from 5.8 to 5.9 soon. If I am reading this well, I should also delete all my contributed modules and reinstall them as well, right?

Also is there a standard tool that I could use to find those 92 kb files based on their size that may be in my files folder?

Any advice will be deeply appreciated.

Writing from my iphone so

Keyz - July 31, 2008 - 03:50

Writing from my iphone so will add more later. Yes I would recommend reinstalling your modules as well. Ideally use the same versions you already have installed (old releases should still be available on the project pages). You can upgrade to new versions after everything is safely back to normal. Offhand I don't know any automated way to find the hacker's files.

-- David
absolutecross.com

Check the comments in this

spamjim - July 31, 2008 - 16:32

Check the comments in this post:
http://www.drupalvaluehosting.info/content/my-sites-hacked

Someone posted a way to identify the files by running a cron job.

Yeah I was going to mention

Keyz - July 31, 2008 - 19:58

Yeah I was going to mention using grep/find via command line may be the way (I'm lousy with those particular commands though haha - glad someone posted them). I'm sure it would find the patterns you tell it to... though honestly for me, it would still be insufficient for me. I would never feel certain until I manually viewed the contents of every single folder on my account. You can only search for the things you know about. The things with different names that might have been slipped into place by a hacker... search won't help. If it were a VPN or dedicated I'd suggest chkrootkit or other tools to scan for malicious files.

-- David
absolutecross.com

Looks like a filesystem only hack to me, at this point

dunlop - July 16, 2008 - 18:50

Ok so I am on DVH and I got hacked too. I am locked out of my cpanel, but I can still get into my client login from the DVH home page http://drupalvaluehosting.com where I submitted a support ticket. There is also a DVH forum available from http://www.drupalvaluehosting.info/forum/dvh-support where you can see that many users are affected. So far the DVH response has been very muted.

I do still have SSH access and many directories contain hacked files. The directories include both web accessible and non web accessible directories. I grep'd through recursively with the string 'haCked' to find them (grep haCked -d recurse *). I was also able to dump my mysql databases using mysqldump, and when I grep'd through the sql output file haCked was not found. I hope that means my DB is untouched.

The file index.php was one of the hacked files and once I replaced that with a clean drupal distro version then my site started to work and my content in the database appears to be OK. There are still other files within my sites that are hacked and I'm working through the list to eliminate them. I would recommend once you gain control of your sites then you take them off-line until the haCked corruptions are eliminated.

I would speculate that somebody was able to replace files on the file system. They likely have not compromised any account passwords and likely not any database content.

Anyway this is clearly a drupalvaluehosting.com hack and likely not a drupal security flaw at all unless it turns out that's how the hacker gained access to the filesystem.
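A defender-side triage script, added here as an example and not posted by anyone in this thread, that turns dunlop's recursive grep and Keyz's earlier advice (restore core from a fresh copy, then inspect whatever is left over) into four checks. It assumes a site root, a clean extracted Drupal tree of the same version to compare against, the 'haCked' signature string quoted above, and the 92-byte replacement files chegor and DVH described; the sample tree it builds is constructed, not a real site.

```shell
#!/bin/sh
# Added triage script (not from the thread). Finds the files the thread
# describes, plus anything a fresh Drupal copy would not contain.
# Assumes: $site = hacked site root, $clean = clean extracted Drupal tree
# of the same version, and the defacement signature 'haCked'.

# 1. dunlop's recursive grep: every file carrying the defacement string.
find_defaced() {
    grep -rl 'haCked' "$1" 2>/dev/null | sort || true
}

# 2. chegor's observation: 92-byte replacements for files whose names
#    contain "index", "main" or "default".
find_stub_files() {
    find "$1" -type f -size 92c \
        \( -name '*index*' -o -name '*main*' -o -name '*default*' \) | sort
}

# 3. Files present in the site but absent from the clean tree. Overwriting
#    with fresh Drupal files never removes these, so each needs a manual look.
#    sites/ and files/ hold the site's own content and are skipped (Keyz).
find_extra_files() {
    site=$1; clean=$2
    ( cd "$site" && find . -type f ! -path './sites/*' ! -path './files/*' ) | sort |
    while IFS= read -r rel; do
        [ -e "$clean/$rel" ] || echo "$rel"
    done
}

# 4. Core files that exist in both trees but differ byte-for-byte.
find_modified_files() {
    site=$1; clean=$2
    ( cd "$clean" && find . -type f ) | sort |
    while IFS= read -r rel; do
        if [ -e "$site/$rel" ] && ! cmp -s "$clean/$rel" "$site/$rel"; then
            echo "$rel"
        fi
    done
}

# Constructed demonstration tree (not a real site); runs the four checks on it.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/clean/misc" "$t/site/misc" "$t/site/sites/default" "$t/site/includes"
    printf '<?php // clean index\n' > "$t/clean/index.php"
    printf '/* clean css */\n'      > "$t/clean/misc/maintenance.css"
    printf '%92s' ''                > "$t/site/index.php"             # 92-byte stub
    printf 'haCked By r00t-x\n'     > "$t/site/misc/maintenance.css"  # defaced
    printf 'haCked By r00t-x\n'     > "$t/site/sites/default/x.html"  # dropped file
    printf '<?php // unknown\n'     > "$t/site/includes/unknown.php"  # not in clean
    echo "== files containing the defacement string"; find_defaced "$t/site"
    echo "== 92-byte stubs"; find_stub_files "$t/site"
    echo "== not in clean Drupal"; find_extra_files "$t/site" "$t/clean"
    echo "== differ from clean Drupal"; find_modified_files "$t/site" "$t/clean"
    rm -rf "$t"
}

demo
```

Run it as `sh triage.sh` after extracting the matching Drupal release next to the site; every path it prints should be either restored from the clean copy or opened and read before being deleted.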

FWIW, anyone who got ANY

dman - July 22, 2008 - 14:01

FWIW, anyone who got ANY behind-the-scenes access at all to your host does have direct access to your database password. And thus to your entire database. And thus potentially to all your user logons, including admin #1.

So, annoying as it may be, you are best to be using 3 different passwords for your account/cpanel/ssh/ftp and your database and your Drupal admin user.
I have to do that on any shared hosts, although I'm a bit less strict on dev sites.

Without giving anyone ideas, it's also pretty simple to hide a backdoor in the database where it would be hard to spot, even after a full file-wipe. :-(
I've done something similar (for Goodtm) to bootstrap a full version upgrade on a 'firewalled' remote system where there was no login or upload available.

.dan.
How to troubleshoot Drupal | http://www.coders.co.nz/

Maybe Content Templates were affected by hacker

Thomasr976 - July 16, 2008 - 19:39

I'm not sure that this is relevant, but thought I would bring it to this thread's attention.

I have two content templates called "Articles" and "Rate and Review." When I edited them this morning there were two messages

For Article Template - "While traversing node variables your recursion limit of 10 was hit 12 times"
For Rate and Review- "While traversing node variables your recursion limit of 10 was hit 32 times"

Can anyone tell me what this means?

me too

jalama - July 16, 2008 - 21:41

Just adding my voice to the chorus.

A site on the DVH World's greatest hosting package went down with the same errors.

Best part was I got an error when I changed my message and I'm locked out of ftp, etc...

It seems it is a hole in cpanel and not in drupal

ckreutz - July 17, 2008 - 11:20

This is what DVH announced lately:

1. About 20 hours back the servers got hit by the hacking attack. Nature of attack: all files which had "index", "main", "default" strings in their filenames were replaced by the hack message.

2. Upon our investigation, we saw corruption in the cpanel application, (probably hackers exploited a flaw in there). We immediately disabled WHM/Cpanel serverwide within an hour of the initial incident

They have restored the CPanel......

Thomasr976 - July 17, 2008 - 13:42

So one can go in and change the password and make it very strong. I picked through the DVH forums, which tell you where to find the obvious hacked files, and have backed up my database and Drupal install.

Still think it is wise to do what Keyz suggested earlier and replace the drupal core files with brand new drupal 5.8 install. Also look over Files and Sites folder.

Curious about what the Drupal security team thinks since I did report this and the thread to them. Wish they could provide some perspective.

your server got hacked.

moshe weitzman - July 17, 2008 - 17:36

Your server got hacked. That means that all your files and all your data are potentially compromised. You can't completely trust any of it ... there is nothing Drupal specific about this problem. The Drupal security team doesn't have much to add. Nevertheless, this is an FAQ in the security docs. See http://drupal.org/node/213320

What to do after our web server has been hacked?

Thomasr976 - July 17, 2008 - 19:16

I know, and it's keeping me awake at night. As someone with a great deal of experience with Drupal and these matters, could you outline some steps that we should take with our existing Drupal files and data? I and others will be deeply indebted.

Services are being restored

spamjim - July 22, 2008 - 13:31

Some minor good news: I see the cPanel at DVH is working again.

I am also on Drupal Value Hosting (drupalvaluehosting.com) but my site was not hacked. I, like everyone else, was affected by the inability to access cPanel while DVH tried to sort things out.

To find compromised files, see the second reply here:
http://www.drupalvaluehosting.info/content/my-sites-hacked

As noted elsewhere in this discussion, keep an eye out for files left for later back-door access. Simply replacing/overwriting with fresh Drupal files will not remove any extra back-door files.

And of course, refresh all your passwords on a regular basis, regardless of this particular attack.

I was privileged to be hacked several years ago on a shared host and left with the hacker's back door tool. I now use it to test every server I use.

UPDATE

spamjim - July 24, 2008 - 15:37

Saying 'services are being restored' is not an endorsement of DVH. 'Are being restored' does not mean 'are restored yet'. I'm getting #500 errors and slow site loading today. I did not want to appear as a fan of DVH right now.

Wow over a week? And they're

Keyz - July 24, 2008 - 18:58

Wow, over a week? And they're still not back as if it never happened? Sorry, but I would drop them in a heartbeat. There's no excuse. To be honest, since they caused you all this trouble and it wasn't "your" site that caused the server to be hacked, I would say they owe every affected customer at the very least 1-2 months of free service over this as an apology. I'd love to be able to support them since they support Drupal, however there's no excuse for incompetence in hosting - there's just way too much competition to easily lose customers to, and proper backups and having skilled admins on staff would have got this taken care of in a day or less, and clearly in this case - their bad server setup or lack of prompt patching (not sure what) caused many customers to lose data and have significant downtime/loss of service. I have my own server at this point so it doesn't apply to me anymore, but now as something of a "host" myself to a few clients, if my server were hacked it would be a major priority for me to fix it immediately, and I would waive those clients' fees for the month (or more if I couldn't return service to normal in a timely manner). Anyhow, just my opinion... good luck with them, or with a new host if you decide to change :)

-- David
absolutecross.com

I'm on DVH as well. Wasn't

nickvu2 - July 25, 2008 - 04:49

I'm on DVH as well. Wasn't hacked but I've been getting "Unable to connect to database server" messages when trying to access my website today. I ran across the thread seeing if anyone had similar problems. I assume the issue is related.

I haven't been happy with DVH for a while now. Does anyone know if refunds are possible? (I bought service for a year.) Might even be worth just cutting my losses.

The service agreement is still accessible on DVH for review

spamjim - July 25, 2008 - 12:52

I believe it was a 'no refund' policy but you might seek resolution with PayPal.

I got the cheapest package so I was not too concerned if it fell apart. I put a basic site there for a few months to test. Once it seemed okay, I started moving over some other domains. Then this nonsense started.

I assumed most everyone realized that DVH was run by only one person. This is how the pricing was so cheap. ...and why it is such a mess for only one person to attempt to restore services after an attack.

What do you guys think?

nickvu2 - July 28, 2008 - 22:38

Yeah, I'm kind of new to all this; DVH is the 1st host I've ever had. They (rather, he) just sent me this email. Would you all put any weight in it? I'm curious as to what others are doing; sticking around or parting ways?

Dear Nick,

Hope you are liking the service improvements during the Customer Service Week (July 27 - Aug 2).

This is to inform you that we are going to run server maintenance and specific account rearrangements in the next 24 hours, to ensure an end of all those "500 error" messages and intermittent slowness you must be seeing lately. Please expect some minor downtime (we will try and keep it below 30 minutes). The emails will keep on working during that period. We are sure that you will be pleasantly surprised by the speed of your websites after this exercise.

We will continue working hard and ensure that we uphold the trust that you put in us!

Regards,
Amit
DVH Support
