I'm hosting a few Drupal 5 & 6 installs on Rackspace Cloud Servers; so far, no problems, but I'll definitely be on alert now.
Also FTR, I've seen a similar (but not quite identical) sort of attack on an xcart installation on another host.

Thanks,
Matt

On Wed, Jan 27, 2010 at 8:56 AM, Steve Power <[email protected]> wrote:
> http://la-samhna.de/samhain/ if you have the resources to run it (it's
> complex)
>
> Or, an afternoon's work should have something nice going on if you use
> tripwire http://sourceforge.net/projects/tripwire/
>
> Not sure how to do this on a shared host tho.
>
> On Wed, Jan 27, 2010 at 4:41 PM, Steven Jones
> <[email protected]> wrote:
>>
>> > Is it a good security tip to monitor the integrity of Drupal sources by
>> > using MD5 hashes on the files ?
>> > Is there a known/efficient way to achieve this ?
>>
>> http://drupal.org/project/md5check
>>
>> But this is a drupal module, and thus pretty useless, because it is
>> part of the system that you're looking to stop being modified. Better
>> to just hash some files on cron or something if you care to leave your
>> drupal installation writeable by the web server.
>>
>> Regards
>> Steven Jones
>> ComputerMinds ltd - Perfect Drupal Websites
>>
>> Phone : 024 7666 7277
>> Mobile : 07702 131 576
>> Twitter : darthsteven
>> http://www.computerminds.co.uk
>>
>> 2010/1/27 Nicolas Tostin <[email protected]>:
>> > Is it a good security tip to monitor the integrity of Drupal sources by
>> > using MD5 hashes on the files ?
>> > Is there a known/efficient way to achieve this ?
>> >
>> > ----- Original Message -----
>> > From: "Laura" <[email protected]>
>> > To: <[email protected]>
>> > Sent: Wednesday, January 27, 2010 9:53 AM
>> > Subject: Re: [development] Fully patched site hacked and cloaked
>> >
>> > On Jan 27, 2010, at Wed 1/27/10 4:45am, Gerhard Killesreiter wrote:
>> >
>> >> Were you able to determine the attack vector that was used to be able
>> >> to modify bootstrap.inc?
>> >
>> > I just saw this performed on a D5 site. Bootstrap.inc was indeed
>> > altered, an additional system.php file was inserted in the modules
>> > folder, and the pernicious (drug) website files were inserted into
>> > the cgi folder *above* the webroot. The code was sniffing passwords.
>> > Several files contained nothing but hashes.
>> >
>> > I mention this because if we see a pattern across many sites, this
>> > entire conversation should move to security reports offline.
>> >
>> > Laura
>
> --
> Steve Power
> Principal Consultant
> Mobile: +44 (0) 7747 027 243
> Skype: steev_initsix
> www.initsix.co.uk :: Initsix Heavy Engineering Limited
> --
