Possible security issue?

mallu - October 7, 2009 - 01:00

Hello,

My Drupal site had been running smoothy for about a month now, till it suddenly went offline sometime yesterday night. After a couple of frantic hours, it was found that the index.php files had some code injected into it which was causing the problem.

The following code was added to the beginning of the file

<?php
 @register_shutdown_function("__sfd1254824286__");function __sfd1254824286__() { global $__sdv1254824286__; if (!empty($__sdv1254824286__)) return; $__sdv1254824286__=1; echo <<<DOC__DOC
<!-- [e8cbc1059b242184a7f710b394b28f09 --><!-- 6824284521 --><div style="overflow:auto; visibility:hidden; height: 1px; "><ul><li><a href="http://rtbi30h3h34h34.cc/1">.</a></li></ul></div><!-- e8cbc1059b242184a7f710b394b28f09] -->
DOC__DOC;
} 
?>

and the following code was added to the bottom

<?php
 error_reporting(0); echo "\n"; @__sfd1254824286__(); 
?>

After removing the code, it was working fine again. I'm not a web developer, so can someone please tell what this code does ? and how could it have possibly got there?

My site is nothing fancy. Still on drupal 6.13 with these modules: acl, admin_menu, captcha, content_access, fckeditor, google_analytics, login_destination, nodewords, recaptcha, webform, backup_migrate, cck, lm_paypal, views.

Any help is much appreciated.

Thanks
SM

» Login or register to post comments

Are you by an chance hosted

duckjerk - October 7, 2009 - 01:49

Are you by an chance hosted at inmotionhosting.com? Because I had that exact same problem. I also know of one other website that had it too.

http://expressionengine.com/forums/viewthread/131183/

Yes. I have 2 websites with

mallu - October 7, 2009 - 01:59

Yes. I have 2 websites with inmotion and both had the same problems. Any ideas how this could have happened?

I just talked to

duckjerk - October 7, 2009 - 02:12

I just talked to Inmotionhosting and they asked that I refer you to them so they can help you.

I submitted a ticket to

mallu - October 7, 2009 - 03:27

I submitted a ticket to inmotion and this was their reply

"Thank you for contacting us about this. How did you install Drupal? Was it a manual install or with Fantastico? I have read many complaints on how Fantastico installs Drupal via the Drupal forums and it does not secure Drupal after the install. If you installed it manually this could be caused from not locking it down after the install or modules that might not be secure that are running on it. Just a few ideas on it."

I did install it through Fantastico. Has anyone ever had any security issues like this one?

Thanks

I did not install through

duckjerk - October 7, 2009 - 16:44

I did not install through Fantastico. They told me it was probably this. http://news.cnet.com/8301-1009_3-10244529-83.html