By gr33nman on

Shared hosting on dreamhost.
Drush status:
Site URI : http://default
Database driver : mysqli
Database hostname :
Database username :
Database name :
Database : Connected
Drupal bootstrap : Successful
Drupal user : Anonymous
Default theme : zen-based theme
Administration theme : garland
PHP configuration : /etc/php5/cgi/php.ini
Drush version : 5.4
Drush configuration :
Drupal root : /home//mysite.com
Site path : sites/default
File directory path : files (symbollically linked from web root to /sites/default/files)
temp : /home//drupal/tmp

My home computer is protected by Norton, and it recognizes the c99 file and eradicates it if I try to download it on my own computer, so it's not getting in through me. I have no other users for this site. All passwords are changed.

I'm at a loss for how it's happening. I update all the modules. I've changed all the passwords. It doesn't seem to matter. Someone keeps getting in with an old (2005) c99.php hack. They don't mess with the look of the site. They just cause all search engines to think I'm a cyber-squatting canadian pharmacy site, while real people see the real site. That's not working for me.

The captain crunch site editor always gets stuck in the includes folder with a different random name each time. No other files are changed or manipulated as far as I can tell. The logs show lots of attempts at sql injection. (?map_page=7, ?map_page=68, ?map_page=40, etc.)

This hack hasn't been changed since 2005, but someone is using it to get into a fairly standard drupal 6 site using fairly standard sql injection and installing malware on my site. Below are all the modules I have enabled. I could use some suggestions as to how to get rid of the hacker. On the bright side, at least I'm learning about drupal security.

Enabled modules:
admin_menu
adminrole
adsense
adsense_click
adsense_cse
adsense_managed
advanced_help
antispam
autocomplete_widgets
autoload
backup_migrate
better_formats
block
blockanonymouslinks
blocks404
bulk_export
calendar
calendar_ical
captcha
checkbox_validate
cmf
color
comment
comment_notify
computed_field
conditional_fields
contact
content
content_copy
content_permissions
ctools
ctools_access_ruleset
ctools_custom_content
ctools_plugin_example
date
date_api
date_locale
date_popup
date_repeat
date_timezone
date_tools
dblog
dhtml_menu
draggableviews
draggableviews_cck
draggableviews_taxonomy
email
embed_gmap
emfield
eminline
emvideo
extlink
feeds
fieldgroup
filefield
filefield_sources
filter
fivestar
front_page
goaway
google_cse
googleanalytics
help
htmlmail
image
image_captcha
image_caption
image_gallery
image_im_advanced
image_import
imageapi
imageapi_gd
imageapi_imagemagick
imagecache
imagecache_profiles
imagecache_ui
imagefield
imce
imce_crop
imce_mkdir
imce_wysiwyg
img_assist
input_format_permissions
jcalendar
job_scheduler
jquery_ui
jstools
libraries
lightbox2
link
links
links_admin
links_related
links_weblink
locale
mailsystem
markdown
media_youtube
menu
menu_breadcrumb
mimemail
mimemail_compress
mobile_tools
mollom
myaccount_alter
node
nodequeue
nodereference
nodereference_url
nodewords
nodewords_basic
nodewords_extra
number
options_element
optionwidgets
page_manager
paging
panels
panels_ipe
panels_mini
path
pathauto
phone
print
print_pdf
recaptcha
rfireport
rules
rules_admin
search
seochecklist
simpleviews
site_map
site_verify
stringoverrides
stylizer
system
tabs
tac_fields
tac_lite
taxonomy
taxonomy_access
taxonomy_breadcrumb
teaserbytype
text
tinyids
token
token_actions
tokenSTARTER
tvi
unique_field
unlimited_css
update
user
userreference
vertical_tabs
views
views_accordion
views_attach
views_bulk_operations
views_content
views_export
views_fluid_grid
views_ui
votingapi
webform
webform_report
workflow
wysiwyg
xmlsitemap
xmlsitemap_custom
xmlsitemap_engines
xmlsitemap_menu
xmlsitemap_modal
xmlsitemap_node
xmlsitemap_taxonomy
zipcode

Categories: Drupal 6.x

Comments

dnewkerk’s picture

dnewkerk commented

You may have done this already, however here's what I would do (for this you'll need to run a local development environment like WAMP or MAMP):

  1. Export a copy of your database and download it to your local computer. I'd recommend first emptying out the sessions table, and all tables prefixed with the word "cache". Also download a copy of your files directory and download your active theme, however keep these separate for now. This is ALL you should download... core and all modules, added themes, etc should be left behind. Leave the .htaccess files, settings files, etc behind.
  2. If the database isn't prohibitively huge, open the .sql file in a text editor (not sure your platform, but if you use a Mac, TextWrangler is a free editor that tends to handle large files well) and do some searching for anything related to the hack that you know of, and search for "php" to see if that occurs anywhere in the database, and why. If the file is huge, then at least try searching its contents without opening the file using you OS's search tools, or a third party tool. Once you've searched thoroughly, import into a new empty database.
  3. Re-download Drupal core and all your modules directly from drupal.org. Since you appear to use Drush, that shouldn't be too hard (drush dl module1 module2 module3). While you're at it, if there are any modules you don't actually need, note those and plan on uninstalling them once the site is up and running.
  4. Your theme is a bit more tricky. First though, make sure you have the latest copy of the Zen parent theme. Themes can have PHP of course so you'll need to carefully audit every file from your theme that you choose to keep. Even images can secretly hold PHP code inside. If you're very paranoid (as I would be in this case) I wouldn't trust a single thing... I'd copy and paste the text from each file into new fresh files that I recreated. You can maybe be slightly lax on assessing every single line of CSS, but you "should" assess every single line of any template file that's capable of running PHP. I would open every single image in Photoshop and see if anything odd happens. I might even re-export the image assets from the original PSD files, or at least "save as" each image and create new files.
  5. Next your files directory... immediately toss all automatically generated files (CSS, JS, images from ImageCache, XMLSitemap, whatever). They can all be regenerated just fine, so rule out anything hiding in there. I'd recommend you throughly audit every file remaining if you can. At the very least, mass open bunches of images files at once and see if any have odd behavior.
  6. Configure your new settings.php file to point to your new database, then visit the site. Hopefully everything comes up. Now's the time to begin uninstalling any of those modules you don't actually need. Once uninstalled, delete the module's folder.
  7. Double check that a new .htaccess file has been generated for you inside your files directory.
  8. If you're using the PHP input filter anywhere on your site for any reason, stop. Get rid of that thing.
  9. Backup your live site one last time, then delete it completely. Every single file gone. Database completely deleted and recreated from scratch, using a different name and different password. Upload your new site and import your database. I don't know if Dreamhost support SFTP, but if at all possible do NOT use regular FTP (password and data are sent through the internet unencrypted for all to see).
  10. Follow the advice on this page to get file permissions/ownership set correctly. If your host supports it, set your temp directory to /tmp, which they hopefully have set up correctly to avoid any files being executable in. If you have to use your own temp directory, make absolutely sure that the permissions are as limited as possible, and absolutely no executing permissions (both for the directory and anything in it).

When it comes down to it, this is a shared host though, so it's always possible for a misconfiguration or oversight on the host's part to allow a different customer's insecure site being hacked to compromise the whole server and all other customers, no matter how secure your own site is.

Hope this helps, and good luck!

gr33nman’s picture

gr33nman commented

David,

Thank you very kindly.
I'm working through your directions now.
I'm also taking the extra precaution of creating a new shell user and new database to further isolate the clean reinstall.
Please stand by.

Chris

gr33nman’s picture

gr33nman commented

As I look through the various files that drupal can't account for via diff, I decided to use diff to watch the site as the hacker intrudes. First, he puts the c99 file someplace like includes/ or themes/engines or somewhere else in core. Diff clearly shows where the new file is, so I just delete it. When successful, he points an include to the file from bootstrap.php.

I've turned off comments and search. I've not been using php input filter. It's still a bit of a puzzle what the weak link is. I still think it's something in core. Meanwhile, at least I can watch and try to fend off his continued attempts on the hacked site while I prepare the clean install elsewhere. It all seems very polite, almost like a cat trying to nose its way onto your dinner plate. The method is purely meant to feed off the site in the background with the hopes I won't notice.

Still working on the clean install...

jmwhitco’s picture

jmwhitco commented

Can you have dreamhost block his IP address? They should be able to see in the logs what IP is doing the edit. Block the IP, and he'll have to work harder to keep coming back.

gr33nman’s picture

gr33nman commented

jmwhitco, thanks for your reply.

For script kiddies, /project/goaway is probably enough. These guys are a little better than script kiddies. Unfortunately, most professional hackers are using torpark or some other anonymizing, ip-rotating browser that disguises a visitor's IP with each visit. The first time it looks like someone from Switzerland. Next time it's the same guy, but from somewhere in the Federated Russian States, etc.

Fortunately, I alerted Dreamhost to the matter. They scanned each ssh and ftp user on the account in question and gave me the skinny on which sites were likely compromised. Two I was aware of. One I was not. Most sites and users were unaffected. Thank goodness.

Following Keyz suggestions and going through the list of compromises found by Dreamhost, I was able to get rid of the infectious software. Now, I've got a sort of system using diff to audit website integrity. It's certainly not perfect. Right now, I'm checking on a daily basis for the sites that were infected. I'm thinking about using rsync to do something automated from a protected server at home because I think it might be quicker and more secure.

I'm breathing a bit easier! Again - thanks for your reply.