How to locate Drupal security expert?

robertwb

So, I am guessing that there might be a better forum than this, but I am kind of in a crucial situation. If I should be in another group with this post, please let me know - nothing appeared to me to be better in my search.

Anyhow, I think that I have a compromised install, a recent Drupal 7 site, with Ubercart. I was testing the ecommerce stuff, making small CC transactions, and this morning, I get a fraudulent charge on my card that I've been testing with. Nothing big, $15, and I caught it while it was still pending and cancelled the card. My situation/questions are as follows:

Situation:
- ubercart-7.x-3.x-dev.tar.gz
- Drupal 7.7 (have not moved to 7.8 yet as there were no security fixes)
- my install appears clean, no traces of file replacement
- I DID do one transaction earlier in the week that went over HTTP instead of HTTPS - made from my home network with 128-bit encryption on the wireless. (I know, dumb, dumb, dumb, in my naivete, I assumed that my home network was the only possibility for interception)
- all of the security settings are standard, and all modules are up to date

Questions:
- What is the chance that this was due to the HTTP transaction that I made?
- If there is some sort of compromise on my install, do you know of folks who do Drupal security for a living?

Regards,
Robert

Comments

A couple questions: Did you

greggles

A couple questions:

  • Did you use the credit card anywhere else?
  • Do you have a local virus scanner on your computer?
  • Is the machine where you are hosting the site shared with any other sites or ssh users?

I'd guess it's a pretty low likelihood that it was from the 1 transaction you made.

I don't know of any specific lists of companies that are security focused. There are several service providers listed on http://drupalsecurityreport.org/sponsors who have expertise in that area.

thanks for answering

robertwb

In answer to your questions:
"use a credit card elsewhere" - yes, this is my regular debit card that I use for buying gas and the like
"virus scanner" - the computer I access from is an Ubuntu Linux install, and yes, it does have a virus scanner (Clam AV) - I have fully scanned and it all appears clean
"shared hosting?" - I am hosting via hostgator - I log in via a jailbreak shell. I assume that it is quasi-shared, but to be honest my knowledge is not that broad.

And thanks a ton for the link and the questions,
r.b.

Hosting

rjbrown99

It's difficult to determine the integrity of your site based on the information provided here. Generally if you are compromised it's initially going to happen via web (misconfiguration, unpatched Drupal or module, etc), or at the OS layer via SSH or some other management service. Hostgator has all sorts of add-ons like cPanel which allow additional ways to access the system.

You may want to start by contacting Hostgator and inquiring if they have connection logs. Have a look at any connections to management ports, from 22/ssh to whatever port they place cPanel on. In my limited experience with Hostgator, they did not implement IP-based access control to the management ports which can present a bit of risk. Their logs are also going to be superior to any local logs on the host. Assuming it was compromised, you can also assume that log messages have been wiped.

Perhaps you could just have Hostgator wipe your account (including fresh SSH keys, if applicable) and start over with a fresh machine/install? If the most that happened was a $15 CC charge, it's likely not worth your while to hire someone at a high hourly rate to investigate a breach of a test site.
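As an added example (not part of this thread or of anything Hostgator provides), this is the kind of triage you would run over the SSH connection logs the comment above suggests requesting: it parses OpenSSH syslog-style "Accepted"/"Failed" lines, lists successful logins from sources outside an allowlist of your own management IPs, and flags a source that failed repeatedly before succeeding. The log lines, usernames and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in OpenSSH's syslog format (not real log data).
# 203.0.113.x are the administrator's own addresses; 198.51.100.77 is not.
SAMPLE_AUTH_LOG = """\
Sep 12 08:01:13 web1 sshd[2231]: Accepted publickey for deploy from 203.0.113.10 port 50122 ssh2
Sep 12 08:15:44 web1 sshd[2290]: Failed password for root from 198.51.100.77 port 40100 ssh2
Sep 12 08:15:47 web1 sshd[2290]: Failed password for root from 198.51.100.77 port 40100 ssh2
Sep 12 08:15:52 web1 sshd[2290]: Accepted password for deploy from 198.51.100.77 port 40101 ssh2
Sep 12 09:02:05 web1 sshd[2410]: Accepted publickey for deploy from 203.0.113.11 port 50130 ssh2
"""

# Matches both "for user" and "for invalid user <name>" forms emitted by sshd.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Return one dict per sshd authentication event found in the log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def triage(events, trusted_ips):
    """Summarise logins relative to an allowlist of known management IPs.

    unexpected: accepted sessions from sources not on the allowlist
    failures:   count of failed attempts per source IP
    suspicious: unexpected sessions whose source also had prior failures
    """
    trusted = set(trusted_ips)
    unexpected = [e for e in events if e["result"] == "Accepted" and e["ip"] not in trusted]
    failures = Counter(e["ip"] for e in events if e["result"] == "Failed")
    suspicious = [e for e in unexpected if failures[e["ip"]] > 0]
    return {"unexpected": unexpected, "failures": dict(failures), "suspicious": suspicious}


if __name__ == "__main__":
    report = triage(parse_auth_log(SAMPLE_AUTH_LOG), ["203.0.113.10", "203.0.113.11"])
    for e in report["suspicious"]:
        print(f"review: {e['user']} logged in via {e['method']} from {e['ip']} after failures")
```

A local log that shows no events at all for a period when you know you were logged in is itself a finding, which is why the provider-side logs mentioned above are the better source.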

Those are definitely likely,

greggles

Those are definitely likely, but...

yes, this is my regular debit card that I use for buying gas and the like

To me that's the most likely vector that led to the inappropriate charge: it got copied in your typical use of it in some other place.

I doubt the Drupal site is the way it got attacked.

Note that if you are running an e-commerce site you will need to address the PCI-DSS compliance which will require some more advanced hosting and security audits of the site.