I ran into the 2MB upload problem in Drupal 4.6.5 and had a deeper look into the upload dir. And I found a file "cmd2.php" that was strange. I only upload myself, no one else. And I only upload pictures but no code.
Looking into it, it was pretty obvious that I hadn't uploaded that file there, because it says it's a "Defacement Tool". I saw that it can download extensions and will manipulate things. But I thought that it hadn't broken into my system ... false, FALSE!
I just checked my test-upgrades-first system, which isn't online but which is also a backup, and it has that file too. Of course, it's a backup. I can track it back to 19. Oct. 2005, where the trail gets lost because I switched to a new server and disks and dumped old installations.
It came out of the blue that EVERYONE can access that file by simply putting in the URL to /$uploaddir/cmd2.php
I tried it and wow ... it not only tells those attackers system details, but there is a command interpreter too. And a file editor ... overwrite files ...
So check your system for anything that's named cmd2.php or contains "Defacing Tool", as the name of the file doesn't matter as long as it's known.
Hope you miss it!
Ralf
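The check suggested in the post above, written out as an added example that is not part of the original post: it reports files in the upload directory that are named like PHP scripts and files whose content carries the tool's name, so a renamed copy is caught too. The function names, the extension list and the sample files are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Scans an upload directory that
# should hold only pictures. Marker strings are the two spellings quoted in
# the post; the directory layout and sample files are constructed.
MARKERS='Defacing Tool|Defacement Tool'

# scan_uploads DIR: print "REASON<TAB>PATH" for every suspicious file.
scan_uploads() {
    {
        # Files named like PHP scripts, whatever the letter case.
        find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.phar' \) -print |
            awk '{ print "script-name\t" $0 }'
        # Files whose content carries a marker, so a renamed copy
        # (for example under a .jpg name) is still reported.
        grep -rlEi -e "$MARKERS" "$1" 2>/dev/null |
            awk '{ print "marker\t" $0 }'
    } | sort -u
}

# make_sample DIR: build a constructed upload tree to try the scan on.
make_sample() {
    mkdir -p "$1/pictures"
    printf 'GIF89a constructed picture bytes\n' > "$1/pictures/logo.gif"
    printf '<?php /* Defacing Tool (harmless stand-in) */ ?>\n' > "$1/cmd2.php"
    cp "$1/cmd2.php" "$1/pictures/holiday.jpg"
    printf '<?php /* constructed */ ?>\n' > "$1/pictures/thumb.PHP"
}

# Usage: sh scan_uploads.sh /path/to/upload/dir
if [ -n "${1:-}" ]; then
    scan_uploads "$1"
fi
```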
Comments
It sounds as if your old server was hacked a while ago. This is not part of the Drupal download. Also, if your upload dir is 'public', then people can access the files if they know the URL. This is normal.
-sp
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain
-Steven Peck
I believe..
This is related to the xmlrpc exploits that have already been patched on Drupal. Should be no need for anyone who finds this to worry as long as they are up-to-date on their installs.