By leonglass on
First things first I have not upgraded from 5.10 yet so I am fully aware that this is probably my fault. Having said that I would like to explain what happened as I didn't think it could have happened. Basically my index.php file got edited and a load (100s) of links were added to the end. The result of this thankfully was only that the home page went blank and once I removed the links all returned to normal. Can anyone tell me how this file was edited?
Comments
=-=
5 security & bug fix releases behind you should read the release notes for 5.11 - 5.15, which may provide some clues.
Apache logs would also provide some clues.
Your site should be updated to the lastest release ASAP.
Aside from that, because it was a drupal file that was edited and resaved doesn't necessairly mean that it was drupal that was at fault. Though your install will most certainly be a suspect because it isn't up to date. Things like this can happen when the secuirty on the server isn't up to par as well. Only apache logs will help sort this out.
I'd update my install and see if it happens again, so that when sifting through logs you have a general idea of when it happened.
I am in no doubt that it is
I am in no doubt that it is my own fault for not keeping Drupal up to date and am in no way blaming Drupal for this. I will search the release notes and apache logs to try and find some clues. Thanks
Noli illegitimi carborundum
More questions
You can't assume that by upgrading to the latest Drupal you are safe. The Drupal site itself is only one attack vector. The question you need to answer before you can feel at all safe is, how did they get in? For this you need powerful sysadmin skills and support from your hosting company. Drupal.org isn't the place to get advice on this part because the people here might not have the required sysadmin skills (I know that diagnosing a webserver security breach is beyond my skills). Do you use FTP? Change your password. Are you on shared hosting? Assume that other sites on the server were hacked too (and may have provided the security breach), and assume that the server is compromised at a fundamental level (Google rootkit if you want to know more).
Unfortunately, the only way to really be sure from here is to rebuild from bare iron and improve upon the security measures you had in place. It might be a good reason to move hosting.
- Robert Douglass
-----
my Drupal book | Twitter
PS - all of your data has been compromised
You can take it for granted that if the attacker succeeded in writing to index.php, they had all the tools they need to read the entire contents of your database, including all emails and hashes of passwords. You should instruct all of the users on your site to reset their passwords.
- Robert Douglass
-----
my Drupal book | Twitter
reporting steps
robertDouglass has provided some great advice. See also My site was defaced ("hacked"). Now what? which discusses how to report the problem to the security team if you thought this was a broader issue.
You may also be interested in the Secure Configuration section of the handbook.
--
Growing Venture Solutions | Drupal Dashboard | Learn more about Drupal - buy a Drupal Book
--
Morris Animal Foundation
minimum filesystem permission needed to run drupal
Something people usually forget to do is to give the minimum filesystem permission needed for an application to run, such as drupal. Always when I install a system I take a long time on it testing how everything goes with only read permission on every file or directory. Then I check for problems that was generated by the lack of writing permission and give the permission only where it's really necessary according to the errors the application returned. So the permission I use in drupal for all files and directories except for the files directory is:
files: apache.apache ug+r-wx,o-rwx
directories: apache.apache ug+rx-w,o-rwx
for the files directory is:
files: apache.apache ug+rw-x,o-rwx
directories: apache.apache ug+rwx,o-rwx
that way at least I make things a little more difficult since entering with another user other than apache hackers can't do anything with the files and even if they gain access to the files through apache the only thing "it" can do is read the file and list the directories. And I think giving them a little more work such as changing files/directories permission will make them give up.
to mass change directory permissions do the following from your drupal root please, so you will mess up all your system's permissions:
find . -type d -exec chmod ug+rx-w,o-rwx {} \; //this will change your directories permissions
find . -type f -exec chmod ug+r-wx,o-rwx {} \; //this will change your files permissions
Hope it will help you.
PS: I think that Drupal's installation readme could come with that instruction telling what is the minimum filesystem permission need to run it in the sake of security.
Leandro Scott
Just checked and the write
Just checked and the write permission is on so that is one thing I can definitely do. Thanks.
Noli illegitimi carborundum
Did you discovered what happened?
Did you discover how the hacker got in your server?
Not yet I am still looking
Not yet I am still looking into the logs and getting in touch with my provider for more details. My current suspicion is that a bot combined with write access privileges on the file is the problem. Exactly how access was gained is the info I need but I am on a shared server so I need the provider to look into it aswell.
It appears that nothing was done other than adding the links to the index.php file which is why I suspect a bot of some kind. I have noticed curl and libwww in my browser list and was wondering if they could have been used.
Noli illegitimi carborundum
It is starting to look as
It is starting to look as though ftp access was gained to the server (shared). Not clear yet if my account was used or a general one. Provider is looking into it.
Noli illegitimi carborundum
Did you discover how they
Did you discover how they got in this time?
Thanks for all the replies.
Thanks for all the replies. I am currently investigating what happened and will report back when I find out.
Noli illegitimi carborundum
I've already upgraded to 6.14
I've already upgraded to 6.14 and just got hacked.
=-=
shared hosting?
what contrib modules?
are you sure drupal was the entry?
I suggest you read Secure
I suggest you read
--
Morris Animal Foundation
Subscribing....
Subscribing....