It looks like someone uploaded an exploit script to my website using the attachment module. The lack of renaming .php to .txt files then let them upload a bunch of spam sites to suck up Google juice. At least they didn't delete everything.
I've disabled both filemanager and attachment from my sites.
Comments
Comment #1
ccourtne commented
Hmm... the attachment module does have code to rename php files automatically to txt. Were you running an old version? I'm not sure when this got added; I'll double check.
Comment #2
drewish commented
It might have been older. I was doing the whole update the site and modules to CVS. I noticed that my theme had been changed to add a bunch of links to files in the working directory. Then I came across the PHP shell that they'd used to upload/edit my site.
Comment #3
ccourtne commented
Code that renames *.php to *.php.txt has been in place since the 4.6 release. Current head allows you to configure the extensions as well. I just verified locally that the current version of head out of the box will rename *.php to *.php.txt. If I get time tonight I'll try a stock 4.6 and see if the newest version of the 4.6 module has a bug.
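
A filename check of the kind discussed in comment #3, as an added example that is not part of the thread and not the attachment module's code. It goes beyond the plain *.php to *.php.txt rename by also handling mixed case, trailing dots, path components and inner extensions such as `shell.php.jpg`; the function name and the extension list are assumptions.

```php
<?php
// Added example; hypothetical helper, not the attachment module's code.
// Assumed list of extensions the web server might execute; adjust per site.
const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar', 'pl', 'py', 'cgi'];

function neutralize_upload_name(string $name, array $blocked = BLOCKED_EXTENSIONS): string
{
    // Drop control bytes (incl. NUL), then keep only the final path component.
    $name = preg_replace('/[\x00-\x1f\x7f]/', '', $name);
    $name = basename(str_replace('\\', '/', $name));
    // Some filesystems ignore trailing dots and spaces, so "x.php." would land as "x.php".
    $name = rtrim($name, '. ');
    // Leading dots would create dotfiles such as ".htaccess".
    $name = ltrim($name, '.');
    if ($name === '') {
        return 'upload.txt';
    }

    $parts = explode('.', $name);
    $last = count($parts) - 1;
    $finalBlocked = false;
    for ($i = 1; $i <= $last; $i++) {
        if (in_array(strtolower($parts[$i]), $blocked, true)) {
            // Apache mod_mime can pick a handler from any dot-separated
            // extension, so the segment itself is altered, not just the suffix.
            $parts[$i] .= '_';
            $finalBlocked = $finalBlocked || ($i === $last);
        }
    }
    $name = implode('.', $parts);
    // A blocked final extension also gets ".txt", as in the rename discussed above.
    return $finalBlocked ? $name . '.txt' : $name;
}

// Constructed sample names, not taken from the incident.
$samples = ['photo.jpg', 'shell.php', 'Shell.PHP', 'shell.php.jpg',
            'shell.php.', '../../x.phtml', '.htaccess'];
foreach ($samples as $sample) {
    printf("%-16s -> %s\n", $sample, neutralize_upload_name($sample));
}
```

Renaming only limits what the server will execute from the upload directory; the check belongs on the server side at the point where the file is written to disk.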
Comment #4
drewish commented