Re: [development] Fully patched site hacked and cloaked

[Nilesh Govindarajan]

On 01/27/2010 08:09 PM, David Shaver wrote:

Sounds to me like Gumblar Virus see this link
http://blog.scansafe.com/journal/2009/11/18/where-to-look-for-gumblar-backdoors.html

David A. Shaver
D. A. Shaver Web Design
Web Page Design for Small Business
www.dashaver.com <http://www.dashaver.com>
PO Box 594 Galesburg,IL 61402-0594
309.343.0027



On Wed, Jan 27, 2010 at 8:22 AM, Ken Rickard <agentrick...@gmail.com
<mailto:agentrick...@gmail.com>> wrote:

    I had something similar happen on WordPress. It was a simple FTP
    (non-secure) password sniffer watching network traffic to the host.
    My site would get hacked within twenty minutes of making a change via
    FTP.

    I finally forced the hosting provider to support SFTP for my account.

    On Wed, Jan 27, 2010 at 7:14 AM, Adam Gregory <arcanea...@gmail.com
    <mailto:arcanea...@gmail.com>> wrote:
     > This is more a server security issue rather than a Drupal one.
    I've seen
     > this happen with Drupal, Joomla, Wordpress and custom PHP code.
    It really
     > most likely means that access to the server/host was compromised
    at some
     > point.
     >
     > There are lost of things that can be done to prevent this like
    chmod/own-ing
     > your file system correctly(As Gerhard touched on). This is also a
    good
     > reason to use SFTP rather then FTP as passwords in SFTP are sent
    encrypted
     > and FTP are not leaving them open to a man-in-the-middle attack.
     >
     > Ultimately though it's a good example of how Drupal can only go
    so far in
     > keeping itself secure but there are still plenty of other ways
    out side
     > Drupals area of responsibility that your site can be compromised.
     > -----
     > Adam A. Gregory
     > Drupal Developer & Consultant
     > Web: AdamAGregory.com
     > Twitter: twitter.com/adamgregory <http://twitter.com/adamgregory>
     > Phone: 910.808.1717
     > Cell: 706.761.7375
     >
     >
     > On Wed, Jan 27, 2010 at 6:53 AM, Fred Jones
    <fredthejones...@gmail.com <mailto:fredthejones...@gmail.com>>
     > wrote:
     >>
     >> > I also wonder whether Drupal could be adjusted so as to
    automatically
     >> > set
     >> > file bootstrap.inc, and perhaps other critical ones, as
    read-only. So
     >> > far it
     >> > is done only with settings.php file.
     >>
     >> Well if they did it via FTP, that wouldn't help...
     >>
     >> F
     >
     >



    --
    Ken Rickard
    agentrick...@gmail.com <mailto:agentrick...@gmail.com>
    http://ken.therickards.com

No Flame Wars, but using Linux prevents viruses ;)

--
Nilesh Govindarajan
Site & Server Adminstrator
www.itech7.com