Hello everyone,

I was hoping I could get some input on a problem. My site was hacked by a comment spammer who was able to turn off my html filtering somehow and started using my site for launching spam attacks. I am trying to get everything cleaned up, but there are still some problems that I don't know how to find or take care of.

The first thing I did was delete the posting that contained the comment feed that the log showed was being used by the spammer's IP address. I re-enabled my html filters (more on that in a sec) and it seemed that access was being blocked.

However:

1. HTML filtering seems to be acting a little wonky still. If I create a node with FCKeditor, save it, and then try to edit it again, the enable/disable rich text ability goes away and all the text appears as plaintext. This may just be a coincidental bug, but I am including it in case it means something.

More importantly:

2. IE and Firefox are saying that pop-ups are being blocked when I load certain pages, specifically all user pages that I know are legit:
http://www.ecoevolution.org/users/bushiwu
So the spammer loaded some code that launches pop-ups from my site. I can't see the pop-ups even if I allow them (on my Mac, to be safe), so I don't know anything more about what they contain.

3. Also, when going to the bushiwu user page using IE7, the page is split into two sections, one referencing a page that no longer exists on my site, the other the actual user's profile. I gather that the page-not-found half is trying to go to the page the spammer hijacked to launch/relaunch an attack, but I don't know where the code is that is causing that to happen.

Does anyone know where I should be looking to clean out all the damage, hacking and pop-up code? The split-screen user page seems to be key since it's the only one that does it. And also, how were they able to turn off the filtering in the first place, and am I still vulnerable (so I can fix that hole as well)? All my modules are up to date now except Drigg, which doesn't say anything about vulnerability upgrades.

DAGNABBITY! Hard enough to keep this going without some spammer trying to take me out!

Thanks a million

Hokuspokus

Comments

hokuspokus

By the way, My index.php file seems to be clean of malicious code.

hokuspokus

::Update::
Installed the Mollom module http://mollom.com/ to help combat future spam and exploits.

No response on my big problem though. Anybody have any ideas on where I should be looking to find the code that is launching pop-ups from my users' profile pages? Anybody at all?

Hokus

vm

Compare your files with a backup from before the problem, provided you have one. I keep backups for 6 months and create them monthly.

Check all tpl.php files.
Check all Drupal core files by comparing them to a fresh download of the version of Drupal in use.

Added code could be anywhere.

Also ensure you are using the most secure release of Drupal 5.x, which happens to be Drupal 5.10, and if your core is out of date, ensure that all your contrib modules are up to date.

hokuspokus

Hmm, thanks verymisunderstood.

The word "anywhere" makes me nervous. Since the problem seems to be emanating from my profile accounts, I started looking there at the templates. My coding skills are poor, so I am not entirely sure what I am looking for, but I imagine it should be some sort of function that then has a URL attached to it. Is it safe to say that? How are pop-ups launched?

Is there a way to Firebug my way to an answer?

Hokus

vm

"Is there a way to Firebug my way to an answer?"

Not that I am aware of. As I previously stated, comparing the files on your site to a recent download of your theme or core will help show you what may have happened.

Switching to a default theme, or at the very least another theme, should tell you if it's in the template or in a core file.
If the problem goes away with a template switch, then you'll want to inspect the template files; if the problem is reproducible in any theme, then the problem is going to be in your core files.

If you are using an outdated version of core or contrib modules, the problem could be in your database.

hokuspokus

That was helpful,

I switched to Garland and I still get the pop-up blocked dialog, so it must be in core or modules somewhere. Would you suggest overwriting my installation with a fresh copy of Drupal to eliminate the problem as the next thing to try, or would it be wiser just to do all the code-examining work possible to find the specific offending module/code?

Hokus

vm

There are tools like WinMerge and Compare It! that will compare your files with new files and show you any changes that were made to the files. I suggest that route first.

I don't suggest just throwing new files at old files without rhyme or reason.
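The file comparison vm recommends in this and the earlier reply can also be scripted. The following is an added example, not anything posted in this thread: `compare_tree` reports files that differ from, are missing from, or were added on top of a pristine Drupal download, and `scan_templates` greps the live tree for script calls (such as `window.open`, the usual way a page launches a pop-up) that a normal tpl.php would not contain. The directory names and the grep patterns are assumptions for illustration.

```shell
# compare_tree PRISTINE_DIR LIVE_DIR
# Prints one line per finding: "modified <path>", "missing <path>" or "added <path>".
# Single-character edits in the middle of a file (as described later in this thread)
# still show up as "modified" because cmp compares byte for byte.
compare_tree() {
    pristine="$1"
    live="$2"
    # Every file in the pristine copy must exist unchanged in the live tree.
    (cd "$pristine" && find . -type f | sort) | while read -r f; do
        if [ ! -f "$live/$f" ]; then
            echo "missing ${f#./}"
        elif ! cmp -s "$pristine/$f" "$live/$f"; then
            echo "modified ${f#./}"
        fi
    done
    # Files that exist only in the live tree (dropped-in scripts) are just as suspicious.
    (cd "$live" && find . -type f | sort) | while read -r f; do
        [ -f "$pristine/$f" ] || echo "added ${f#./}"
    done
}

# scan_templates DIR
# Lists template, PHP and JS files containing calls commonly used by injected code
# (pattern list is an assumption; extend it with whatever the diff above turns up).
scan_templates() {
    grep -rlE 'window\.open|document\.write|eval\(|base64_decode' "$1" \
        --include='*.tpl.php' --include='*.php' --include='*.js' 2>/dev/null | sort
}
```

Run `compare_tree /path/to/fresh-drupal /path/to/live-site` first, then review each reported file by hand rather than overwriting it blindly.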

hokuspokus

WinMerge seems to be the tool for this job. I went in and compared my site folder with a blank Drupal install with fresh copies of all my modules and found a lot of trashed files. I didn't see any specifically malicious code, just seemingly random changing of letters in the middle of code, maybe to deactivate whatever function the code section controlled. I'm surprised my site still worked. Without WinMerge, I would have been completely lost and it would have taken FOREVER to find these changes. I was able to find all the differences and change them in less than half an hour using WinMerge.

I'm going to have to step through the changes, however, because when I went through and fixed everything at once, the site came up as a white screen when I uploaded the converted files. I'll see if I can get it working on my development environment, then move to the live server.

Once again, THANK YOU VeryMisunderstood

Hokuspokus