Website hacked via Index2.php exploit

Donovan - December 26, 2005 - 18:07

I was informed by 1and1.com that my site (http://www.eXtremePPC.com) was hacked. As a result, the site was locked preventing me from taking any corrective action for several days. However, I accessed the site after it was unlocked and everything seems to work normally. In fact, there is no obvious sign that the site was hacked. I inquired with 1and1 for an explanation and they mentioned that the site was compromised via the Index2.php file. Upon inspection, the file contents do appear suspicious; however, I don't know enough to tell the nature of the hack or the appropriate steps to prevent it in the future. I tried several times to include the contents with this post, but all attempts were blocked due to the appearance of "suspicious content." Interesting indicators in the file include a link to a Brazilian dating site, a URL that resolves to an EXE file and the following title from the embedded HTML:

<titl e>[ Spammer West Priv8 ] by WestRock</titl e>

Is this a known issue? Is it addressed by the 4.5.7 or 4.6.5 Drupal updates? Thanks,

Donovan.

Just noticed scriptnovo.php file in site root directory

Donovan - December 26, 2005 - 18:42

I just noticed scriptnovo.php file in the site's root directory. Boy, someone is sure having their way with my site. The file contains HTML that resembles the spam we all receive from eBay phishers trolling for eBay account, username and password information. I do hope my site has not been used as a launch pad for this crap. How could this have gotten into my root directory? I am about to upgrade to 4.6.5 so I hope the exploit has been resolved in the upgrade.

There is no index2.php file

sepeck - December 26, 2005 - 19:12

There is no index2.php file in the Drupal download so there are no known security problems related to it from a Drupal perspective.

-sp
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain

Ask them for the relevant

leafish_dylan - December 26, 2005 - 19:29

Ask them for the relevant logs, or check your Drupal access logs. It's unlikely you were targeted deliberately, and they probably got in by probing random IP addresses for vulnerable scripts. Are you running anything else (like phpBB) on the site?

demolicious | leafish

Why phpBB?

markus_petrux - December 26, 2005 - 20:14

Wouldn't it be more accurate to ask for _anything_ installed on the server that is not up to date? ;-)

For instance, there was another nice vuln related to XMLRPC, etc.

I would (prior to making backups of everything) remove all files and then re-install all applications using latest versions. There might be backdoors in unexpected places, so you could be hacked again even you think you're up to date now.

in 4.6.3 the standard

sepeck - December 26, 2005 - 20:27

In 4.6.3 the standard xml-rpc library in use by a variety of projects was removed from Drupal and a different library used.

-sp
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain

I mentioned phpBB as an

leafish_dylan - December 27, 2005 - 00:20

I mentioned phpBB as an example. It's common, and it has security issues. I see hits in our snort logs every day that look like attempts to break into older versions of phpBB, *nuke, and other random scripts.

If the original poster wasn't running the latest version of 4.5, then Drupal itself may have been the point of entry. Without logs or version info on all the public scripts, I doubt we'll ever know what happened here.

Another thing to consider is your host. I assume it's a shared hosting environment? File permissions and ownership could be set "wrong", which can allow other users on the server to read and write files to /home/foo/public_html/

demolicious | leafish

I have an inquiry into 1and1 for logs and other info

Donovan - December 27, 2005 - 06:24

Thanks all. I have an inquiry into 1and1 for logs and other info to shed light on how the site was compromised. At this stage, I'm unsure if the hacker got into my site root via xml-rpc, ftp or other mechanism. I will be installing the latest Drupal version, plus the Bad Behavior module shortly. However, I want to take every recommended precaution. Is there a place where I can find security recommendations? At a minimum, is there a post/page where I can find file permissions for Drupal directories and key files? I checked the Drupal.org/Security page and there is nothing of the sort there. I also tried searching, but again found nothing.
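A defender-side check for the two points raised in this thread (leafish_dylan's note about loose permissions on a shared host, and Donovan's question about unexpected files such as index2.php and scriptnovo.php turning up in the docroot), added here as an example and not code from any poster or from Drupal. The list of expected top-level PHP files and the sample docroot are assumptions constructed for the demo; adjust the list to a clean copy of your own Drupal version.

```shell
#!/bin/sh
# Audit a Drupal docroot for (1) files or directories writable by group
# or other, and (2) top-level .php files that are not part of the
# expected install. Both are read-only checks; they change nothing.

# Assumption: top-level PHP files of a clean install. Verify against a
# fresh download of your version rather than trusting this list.
EXPECTED_PHP="index.php xmlrpc.php cron.php update.php"

# Print paths (relative to the docroot) with group- or other-write bits set.
# On a shared host these are readable/writable by other tenants' processes.
find_loose_perms() {
    docroot="$1"
    ( cd "$docroot" && find . \( -type f -o -type d \) \
        \( -perm -g+w -o -perm -o+w \) -print | sort )
}

# Print top-level .php files whose names are not in EXPECTED_PHP.
find_unexpected_php() {
    docroot="$1"
    for f in "$docroot"/*.php; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        case " $EXPECTED_PHP " in
            *" $name "*) ;;                 # known file, skip
            *) printf '%s\n' "$name" ;;     # not in the clean install
        esac
    done | sort
}

# Constructed sample docroot so the audit can be run offline. The two
# extra file names mirror the ones reported in the thread; they are empty.
make_sample_docroot() {
    d=$(mktemp -d)
    for p in $EXPECTED_PHP; do : > "$d/$p"; done
    : > "$d/index2.php"       # constructed: unexpected file
    : > "$d/scriptnovo.php"   # constructed: unexpected file
    mkdir "$d/files"
    chmod 755 "$d" && chmod 644 "$d"/*.php
    chmod 777 "$d/files"      # constructed: world-writable upload dir
    chmod 666 "$d/index2.php" # constructed: world-writable script
    printf '%s\n' "$d"
}

if [ $# -gt 0 ]; then        # usage: sh audit.sh /path/to/docroot
    echo "== loose permissions =="; find_loose_perms "$1"
    echo "== unexpected top-level php =="; find_unexpected_php "$1"
fi
```

Anything listed under the second heading deserves a look at its contents and modification time against the web server and FTP logs; nothing here proves how a file arrived, only that it does not belong.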
