Hi, I've been the victim of hacker attacks which deleted my tables; I don't know how.
First, on Wednesday 16th August, he dropped my node_revisions table, losing all my content (5 months' work)
for which I had no backup. Drupal 4.7.2.
1and1.com couldn't help in this matter, so yesterday I decided to start again and upgraded to 4.7.3.
Tonight several other tables disappeared, node and cache, and then others.

I can't see in the Apache log how he's doing it and don't have access to the MySQL log.

I can post the list of modules I'm using if anyone is interested in trying to help me, but I don't think I can compete with this hacker, so I'll have to give up. My site is http://www.senserely.com
The only people I can think of would be competitors of my site or a banned member.

Cheers,
James

Comments

Cerel’s picture

Try to contact your host to get access to those logs.
If you know around when the hackings occurred, then looking at the logs will tell you how he did it.
If it was a Drupal hole, then look at the "access" Apache log; that log stores all the URLs accessed by people, so looking around the time of the hack, you may be able to see how he gained access.
If you see no evidence there, maybe he logged directly into your db through phpMyAdmin.

Oh, just in case, did you change your database user/password? If you have a weak user and password, then he could have guessed them.
Try also changing your actual Drupal admin username and password, and why not also change your Drupal database name (if you can).

Finally, make sure all your files have correct permissions. You never know, maybe the hacker was on the same server; then having too permissive permissions could have given him access to your db password.

But I think looking at the Apache logs will give you the most information (you usually see some script kiddies trying URLs at random to see if a hole is open, not only in Drupal, but in other software [like awstats]).

Hope this helps.

PS: Posting the modules you're using is always a good practice, especially if you're using non-core modules.

jeffleeismyhero’s picture

Your problem is most likely with either another script that has access to your database, or it could be an attack directly on MySQL.

If your database is on the same machine as your webserver make sure only localhost can access it. Also, make sure each one of your scripts uses different usernames and passwords for the databases and only allow access to the ones they need. The user should not need to drop the entire database.

You may also want to check any homemade or non-Drupal scripts for the ability to do SQL injections. This is one of the most frequent causes of data loss in databases. The tips Cerel gave apply too.

You should also look into backup. I think this module will help you as well: http://drupal.org/project/backup

alliax’s picture

This is one of the sites where I didn't use anything other than Drupal because I didn't need to; Drupal was more than enough for everything.

The database is managed by the 1and1 hosting company, which allows only one db user with full rights; very bad.

Gary Feldman’s picture

1&1 puts the databases on separate servers, with connections blocked by the firewall, so there shouldn't be any way someone could log into the database directly. If someone had the database password and their own 1&1 account, they could access it that way, or (obviously) if they broke into your account somehow. But most likely it is, as others said, via some hole in a Drupal script.

Most of their plans have multiple databases, so it's not a matter of having multiple users. You create a different database for each purpose, and each one gets its own db user. Also, I don't know why you say you can't change your password; I have change password functions on my 1&1 account for both the database and the control panel.

Gary Feldman

alliax’s picture

"I can't change my user password in hosting company but will request to be done."

This statement is false: I can change both passwords. I wasn't aware; I've just changed the admin panel password.

A hole in a Drupal script which I have been unable to find; looking through the Apache access log for keywords such as delete or drop didn't help me find anything of value.

patil’s picture

How do I change the admin panel password through the database (MySQL)?

daggett’s picture

In case you haven't yet solved the problem, I used the search terms:

password reset mysql

... that is http://drupal.org/search/node/password+reset+mysql and came up with these links:

"Password lost, can't login in my own site" and "How do I reset my login username and password?"

HTH.

James Sinnamon
http://www.candobetter.org/james

alliax’s picture

I have access to the Apache access log but not to MySQL's.
In the Apache logs I can't find a line with the word "delete" or "drop", which should be necessary in the case of a SQL injection.

I can't change my user password in hosting company but will request to be done.

I don't have phpMyAdmin installed on my own; it is only available through the 1and1 admin.

Thank you for trying to help, but if I were the person reading this thread I wouldn't have a clue. Why not, for example, delete all tables instead of just node_revisions in the first place?

Using non-core modules:
buddylist Enable buddy list functionality.
codefilter Provides tags for escaping large pieces of code automatically.
emailpage Provides an "email this page" link to all nodes
front_page Allows you to setup custom front pages for your site. After enabling this module, click on admin/settings/front_page to setup your custom front pages.
gsitemap Creates a Google Sitemap at q=gsitemap
inactive_user Automatic handling of inactive users.
invite Allows users to send GMail style invitations, and automatically escalates new users who use them to a role of your designation
notify Enables notifications by e-mail.
page_title Enhanced control over the page title (in the tag).
pathauto Provides a mechanism for modules to automatically generate aliases for the content they manage.
poormanscron Runs Drupal cron jobs without the cron application.
porterstemmer Implements the Porter-Stemmer algorithm to improve English searching.
print Allows users to create printer-friendly pages for nodes and profile pages.
profile Supports configurable user profiles.
referral Track users referring others to your site
search404 Shows a 404-page with the results of a search for the keywords in the URI.
service_links Add Digg, del.icio.us, reddit, Technorati etc. links to nodes.
shoutbox This module enables you to display a shoutbox.
similar Lists 10 most similar nodes to the current node.
simplenews Send newsletters to subscribed e-mail addresses.
smartypants Translates plain ASCII punctuation characters into “smart” typographic punctuation HTML entities.
tagadelic Tagadelic makes a page with weighted folksonomy. Folksonomys with lots of articles under them get a big font-size, folksonomy without them, get a small size.
tinymce The TinyMCE Javascript HTML WYSIWYG editor.
trackback Allow for sending and receiving TrackBacks, which is a way for sites to notify another that they have commented on a post.
urlfilter Automatically turns web and e-mail addresses into clickable links.
urllist Creates a list of URLs at q=urllist
user_maintenance Deletes users who self-registered but never logged in.
user_readonly Restrict user/profile editing.
user_status Send user account status change notifications by email.
usernodes Allows admin to set a limit, by node type, for how many nodes a user can create of that type.
userpoints Users earn points as they post nodes, comments, and vote on nodes
week Create block containing a list of weekly archives.
workspace

alliax’s picture

Would anyone know what can be the problem if in the tracker view http://www.senserely.com/tracker new nodes are not displayed while in the "latest blogs" block in the top right column, new blog nodes are being counted for?

I'm really about to give up. I've changed my passwords and tried to fix the damage done by the fuck..hacker, but without a MySQL log it's a wild guess by looking at missing tables only!

And here's a recent message from one of my users:
"
Hey by the way... I just refreshed my browser that failed to load your site
hours ago, and I am now logged in - AS YOU! I have access to your
information, editing your settings, your account even your adsense Pub ID (
pub-XXXXXXXXXXXX) !!

You should probably go make sure the pub ID is in fact yours, in case I'm
not the first that has found this hole in security. This is very, very bad.
What software are you using to run the site? If it's commercial, it seems
to be extremely vulnerable and you might want to consider something else as
quickly as possible...
"

But what else to consider? I'd rather close this site and continue my other sites and save me headaches!

syquest’s picture

Double check the input formats for all nodes and make certain that PHP is not an option.

Cerel’s picture

Hmmm, it seems like some sort of "cookie" or sessions problem.
This user was logged in as admin only when he refreshed his browser... Try to edit your settings.php to make sessions have a limited time, and also to limit the time the cookie lasts.

It's really strange.

Oh, by the way, if the hacker used some SQL injection in a form using "POST", then searching the logs won't give you any result.
What you should do is really look at the logs manually around the time the hacker deleted your tables. I know it's a lot of work, but it's necessary if you want to find the hole.

And just in case, even if you haven't installed some software, that doesn't mean the host didn't do it. Sometimes software like awstats is already installed by the host, even if you didn't ask for it.
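Cerel's two suggestions above (narrow the access log to the minutes around the drop, and remember that a POST body never appears in the access log, so keyword searching alone misses form-based injection) can be turned into a small triage script. The following is an added example, not code from the thread or from Drupal; the log lines, the incident time, the 30-minute window and the list of "watch" paths are all constructed assumptions for illustration.

```python
"""Triage an Apache combined-format access log around a known incident time.

Added example (not from the thread). The sample log lines, incident time,
window size and WATCH_PATHS below are constructed assumptions.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Paths worth a second look on a Drupal 4.7 site; this list is an assumption.
WATCH_PATHS = ("cron.php", "update.php", "phpmyadmin", "admin/")

# Constructed sample lines: two clients, one malformed line, one request outside the window.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Aug/2006:22:30:10 +0200] "GET /node/12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Aug/2006:22:41:07 +0200] "POST /node/add/blog HTTP/1.1" 302 0 "http://www.example.org/node/add/blog" "Mozilla/5.0"',
    '198.51.100.77 - - [16/Aug/2006:22:42:30 +0200] "GET /?q=node/3;DROP%20TABLE%20node_revisions HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [16/Aug/2006:22:43:02 +0200] "GET /cron.php HTTP/1.1" 200 0 "-" "curl/7.15"',
    '192.0.2.9 - - [17/Aug/2006:03:15:00 +0200] "GET /cron.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    'garbage line that is not an access log record',
]
# Assumed time at which the table was found missing (server timezone +0200).
INCIDENT_TIME = datetime(2006, 8, 16, 22, 45, tzinfo=timezone(timedelta(hours=2)))


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Apache writes the timestamp as 16/Aug/2006:22:41:07 +0200
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = unquote(rec["path"])  # decode %20 etc. before keyword matching
    rec["status"] = int(rec["status"])
    return rec


def triage(lines, incident_time, window_minutes=30):
    """Keep requests within +/- window of incident_time and flag the ones to read first.

    Returns (hits, by_ip): hits is the list of flagged records, each with a
    'reasons' list; by_ip counts every in-window request per client address.
    """
    lo = incident_time - timedelta(minutes=window_minutes)
    hi = incident_time + timedelta(minutes=window_minutes)
    hits, by_ip = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (lo <= rec["time"] <= hi):
            continue
        by_ip[rec["ip"]] += 1
        reasons = []
        # The POST body is not logged, so every POST in the window deserves a manual look.
        if rec["method"] == "POST":
            reasons.append("POST in window")
        lowered = rec["path"].lower()
        if any(p in lowered for p in WATCH_PATHS):
            reasons.append("sensitive path")
        # SQL keywords in the decoded query string are the GET-side injection smell.
        if re.search(r"\b(drop|delete|union|truncate)\b", lowered):
            reasons.append("sql keyword in url")
        if reasons:
            rec["reasons"] = reasons
            hits.append(rec)
    return hits, by_ip


if __name__ == "__main__":
    hits, by_ip = triage(SAMPLE_LOG, INCIDENT_TIME)
    print("requests per client in window:", dict(by_ip))
    for h in hits:
        print(h["time"].isoformat(), h["ip"], h["method"], h["path"], "->", ", ".join(h["reasons"]))
```

Run it against a real log by replacing SAMPLE_LOG with the file's lines and INCIDENT_TIME with the time the table went missing; the per-IP counter is the quickest way to see which client was busiest in the window, which is the address to hand to the host.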

ymcp’s picture

I don't think you can really blame Drupal for your failure to backup your system.

It wouldn't matter what CMS you were using, if you don't back it up, you're bound to lose everything at some stage.

Sorry if I sound unsympathetic, but this really isn't "Drupal's fault".

Gary Feldman’s picture

Let's not be so harsh. Just because a person isn't wearing both a belt and suspenders doesn't mean the belt maker is blameless when it breaks and the person's pants fall down.

In other words, yes, people should be backing up their sites regularly, but serious losses due to Drupal bugs are severe and must be taken seriously. (And, as far as I can see, Drupal developers do take them seriously.)

In this case, I don't think there's enough information to know whether there's a problem in Drupal that contributed to this, or it's a configuration error, a bug in some module, some change made by the user, a hole in the hosting provider's security, or that most common of causes, password guessing. It may be some combination.

So while I wouldn't say it's Drupal's fault, I also wouldn't say it's not Drupal's fault. We don't know, and in the absence of extensive logs and more complete configuration information, we may never know. But it's not something to ignore, nor should the user be blamed for being a typical user. For that matter, blame and fault are words that should be avoided; they don't solve the problem.

Gary Feldman

sepeck’s picture

I will also note that there was a security advisory out some time ago to update to 4.7.3 due to a possible exploit. Don't forget that there is also the security of Apache, PHP, any other apps on the server......

http://drupal.org/node/76748

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain

alliax’s picture

I'm not blaming Drupal!

I know I should have done backups, which could have saved me 5 months' work plus the work of others, but the fact is that even after starting anew and upgrading Drupal to 4.7.3 the database is still open to table dropping by this particular hacker. Of course not everyone is able to do that, and thank Drupal security for that!

Since my last message, I've deleted the session table and changed the auto_increment value in the node table. At first it didn't work, but then it somehow resolved the tracker issue, and as of now everything is working fine. I suspect the hacker hasn't come back yet.

sepeck’s picture

At this point... full backup. Change your passwords. Change your accounts. Check Apache... ask your host (if shared) to check the server. Check for MySQL accounts on the MySQL server with access/rights to your database... They may be going in through a completely different account on the server... So many avenues.

Most of these are generic 'What to do if you've been attacked/hacked' stuff, not specific to Drupal but to IT support in general. In the past, when I was called to work on a system that had been hacked/exploited, we would just recover data and then wipe the box and rebuild from scratch with the latest patches, etc. Once a given box has been successfully hacked, there is great difficulty in trusting the integrity of the system.

Drupal is only the PHP application scripts part of the ecosystem. The rest of the environment needs to be examined: OS, applications (MySQL, Apache), other services it provides, how protected the box is to begin with (behind a firewall, etc.).

I realize this may not be directly helpful right now. I'm trying to help give you areas you can look at for vectors this person is attacking you from. You can log ip addresses. You can up the http tracking and maybe by looking at the URL requests being logged you can see how this person is getting in and from what IP Addresses to associate with an address.

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain

daggett’s picture

Some time ago, I heard that a contact of an acquaintance had somehow fixed the search capability of my drupal site, without having had access to any accounts other than 'anonymous' nor to Unix shell accounts as far as I can tell.

Whilst the change was helpful, if only momentarily, I feel alarmed that such a change could have been made.

I haven't been able to learn how the change was made, although I am still trying to find out from the person himself, whom I have yet to make direct contact with.

All access for administrative use has been made through an https connection.

My mysql database can only be accessed through localhost.

Could anyone suggest how I go about dealing with this?

What forums discuss security weaknesses in drupal?

Thank you

James Sinnamon

sepeck’s picture

Security team. Now, the best guess about this unknown person is that they ran cron.php on your site and updated the indexes. Unless you change the htaccess file, anyone can run cron.php on your site. Not a big deal.

YOU should also make sure that your site is up to date with the latest point releases. I doubt your site was exploited, unless of course it's not the current released point release.

Click the Support tab. On the left hand side, second group down you will see several options to contact the security team.

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain

daggett’s picture

Thanks Steve.

I will do as you suggest.

I hope you are right about cron.php

I am not now using .htaccess. Instead I work on the apache2 configuration files. Intuitively it seems likely to me that the former would, to a tangible degree, degrade the performance of the site.

Also, I appreciate the message in your signature: "Test site, always start with a test site."

I am attempting to mirror my live site onto a local test machine. Not good practice to be constantly tampering with a live machine as I have been doing.

James Sinnamon