I got a phone call from my Mom yesterday saying that when she visits my D5 site http://www.kittycam.net she got the following:
Reported Attack Site!
This web site at www.kittycam.net has been reported as an attack site and has been blocked based on your security preferences.
Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.
Some attack sites intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.
After viewing the source code of my page, I discovered a bunch of hidden viagara type spam being hosted by firstlightmovies.com. It didn't show up on my site, but I had been flagged by Google that my site might hurt your computer.
I investigated and found a sessions.php file in my Drupal includes folder. I pulled it off my server right away and upgraded right away to Drupal 5.12 (I think I was running 5.9 at the time). It appears I can't attach file to forum posts and I'm reluctant to just paste it in here as it's 423 lines long. Please advise if this is worthy of sharing.
However, that still did not fix my site. I scanned for any files with a recently updated date and found nothing. I switched to the Garland theme and the site was fine so I knew it was theme related although all my theme files had old dates from about the time I created the theme.
Then this morning I noticed my page.tpl.php file was over 50kB in size which I knew was wrong. I checked that out and all the spam was in that tile. I uploaded a fresh version of it and the spam went away.
I am using an old version of the Zen them (my theme is a sub-theme) and I realize I should update that. I believe I'm on Zen 5.1.1.
Anyone else hear of this happening?
Comments
Unfortunately i cannot help
Unfortunately i cannot help you but i feel your pain and im sorry that BS has happened.
The exact same thing happened to me on a custom script (non-drupal) with those bastards using divs placed on the page @ off screen positions.
didnt notice it until probably a month after they had added it.
good luck, hopefully someone here can help you plug the hole that opened this up.
Thanks
Thanks for your reply. I think my site is good for now, but I'll have to continue to watch it if it's a target. Good to get this documented and I'll be interested to learn if similar things have happened to others.
I did get a message from Google in my webmaster tools inbox dated yesterday, Friday, April 3. However, as far as I can tell, I can't get those message delivered to an e-mail address. If I'm wrong, I'd like to know.
=-=
If you replaced all core files when you updated then I don't believe the issue to be a core file at this point.
you should change ALL passwords if the settings.php file was exposed during this process then whoever is hacking your site has that information. Manually change your DB user password and then manually change it in your settings.php file.
In your drupal.org profile is a newsletters tab. Subscribe to the security newsletter and update your site once a publicly known exploit has been patched.
These types of things are common when a site isn't upgraded/updated in a timely fashion. Because your core was out of date. I think it will be hard to pinpoint exactly what is going on. If it continues to happen on D 5.12 than you should contact the security team. Posting hacking trouble publicly isn't a good idea.
Thanks again
Passwords changed and much more secure.
=-=
Double checking you should be updated to Drupal 5.16 not Drupal 5.12 , 5.16 is the latest most secure and bug fixed release.
Yes
Thanks for asking, I did check and I'm on version 5.16.
I see excatly the same on my site with D6.10
Very scary.
How the hell do these guys get into our stuff.
I have high security passwords and that hasn't helped much.
I don't know what to do. How do I fix this?
My report from Google's webmaster tools indicate the following:
# Sample pages that may be distributing malware: http://smsk-rc.dk/
# http://www.smsk-rc.dk/
# http://www.smsk-rc.dk/index.php?module=comments&CM_op=replyToComment&CM_...
# http://www.smsk-rc.dk/index.php?module=fatcat&fatcat%5Buser%5D=viewCateg...
Which modules are using these URLs. So I will start getting rid of them.
Anyone - HEEEEEELP
=-=
nvestigate your index.php file for lines that do not belong or compare it with a new download.
Keep in mind that problems of this nature aren't always the falult of the script that are having files altered. The security issue could be on the end of the host somewhere. A full report to the security team in situations like this is far better than posting your issue publicly.
Working on this now - will
Working on this now - will post more as I discover
status: being blocked by Google for a script I can't seem to find yet
Found had been attacked: both starting with a if(!function_exists
settings.php
index.php