Drupal Sites Getting Hacked?!?!?

Posted by CoreyTravel

TC Drupal People,

I've had two Drupal sites running 7.43 and all modules that needed security updates have been updated. No red warning for updates. All FTP & user logins have very strong passwords that change a lot.

However, these sites still got hacked!

My question: Is there something I'm missing or suggestions on must update or better way to protect my Drupal sites?

I do have them monitored and cleaned for Malware, plus multiple back ups to restore from.

Please chime in if you have any feedback or advice for me (from a Drupal viewpoint or not).

Thank you,
Corey

Comments

Hacked

Posted by Chris McGrath

Have you put any security modules in place on points of entry? Captcha, Mollom, Honeypot?

Also the quality of the host's security is a factor in my experience. These measures usually help keep things secure.

not had any problems

Posted by maryannking

I host with AdvantageLabs, a drupal-managed host, and have not had any problems with any hacks, including Drupalgeddon. I rely on them for this protection and I keep track of the other items.

So -- what do you mean by hacked?

Posted by Steve Hanson

That could mean a lot of different things. Your main problem here is figuring out first what got hacked and what that means, and then to try to tunnel down and figure out how it happened.

I don't think anyone can help much without a lot more detail about your particular issue, what your hosting environment looks like, etc.

Steve Hanson
Cruiskeen Consulting LLC - http://www.cruiskeenconsulting.com

They're (or bots) hacking

Posted by CoreyTravel

They're (or bots) hacking into my Includes folder and affecting or modifying the bootstrap.inc file and install.inc. From there it adds a bunch of links and files.

Not sure if it's in the database or files? I dumped the whole site and all the files. Reinstalled latest Drupal core and used a "sites" folder from weeks before the hack. I only have one Drupal user set up with a changed very strong password. Also, updated the one FTP access point with a very strong password. However, the site keeps getting hacked.

I did read about setting file Permissions, but that's a little beyond my scope of abilities.

This person had a very similar issue:
http://drupal.stackexchange.com/questions/155467/annoying-drupal-hack-ke...

The sites are on shared hosting, so maybe it's a shared-host hack?

My other option is to set up a firewall for the domain and server.

Any more thoughts on this?

A couple ideas

Posted by davidneedham

Shared hosting is a serious possibility. Which host do you use? It couldn't hurt to contact them and ask them to help debug the source.

Pay close attention to the sorts of html (or PHP!) that you're allowing anonymous users to enter into the various forms on your site. PHP is a big no-no, and many html tags should also be filtered out.

The permissions that you mention can be a problem. It's definitely something you should check.

I would also install the security_review module (https://www.drupal.org/project/security_review). It helps you identify areas of your site that could have holes in them (including my last two points).

Another module that is a little more difficult to use is site_audit (https://www.drupal.org/project/site_audit). It generates a page that has a list of suggestions, including a list of suspicious or obvious security issues.

And unfortunately, if you've ever been hacked, it's possible that there's something, somewhere, that you haven't fixed. The first thing many hackers do when they gain access is give themselves a back door or unlock additional access.

Do you have git in your hosting? It can be a huge help in finding what changed in your file structure and when. Plus, when you need to roll back to before the hack, it's much easier.

Good luck!

--
David Needham
Team Lead of Training at Datadog

So many unknowns

Posted by BryanSD

Could you name the shared hosting company? Is it a reputable company or perhaps an individual/small company? That would give an idea as to the scale/experience level of the security measures put in place. Overall, without knowing how your site is being hosted (Linux stack, Windows stack, Apache, IIS, or NGINX, PHP version/configuration) it's difficult to know what's going on.

The majority of sites I've seen hacked start with sites that allow users to upload files to the server. I've seen cases where a file that at first glance looks like a gif, jpg, png, etc. is actually a perl, php, or html page. Especially look for hidden files/directories that you, Drupal, or your hosting provider didn't put there.

When you say:

I dumped the whole site and all the files. Reinstalled latest Drupal core and used a "sites" folder from weeks before the hack.

Did you restore your site under the same shared hosting account and server? Personally, I'd try another hosting provider and see if you have the same issue or at the very least have your hosting provider provide you a different host server. More than likely your vulnerability is the hosting environment/configuration or something contained in your "sites" folder.

Good luck. This is never a fun time, but it's also a good learning opportunity.

Bryan Ruby
socPub
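The advice above about tracking what changed (git) and hunting for files that nobody put there can be done without git on a shared host. This is an added example, not code from any poster: a POSIX shell baseline/verify script that records SHA-256 hashes of a Drupal docroot after a clean install and later reports changed core files (such as includes/bootstrap.inc) and new files. It assumes GNU coreutils (find, sort, sha256sum, comm, cut) and that the manifest path is absolute and stored outside the docroot.

```shell
#!/bin/sh
# Added example (not from the thread): file-integrity baseline for a Drupal docroot.
# Assumes GNU coreutils. Keep MANIFEST outside the docroot, e.g. in your home
# directory, so a web-writable compromise cannot silently rewrite it.

# List every file under the docroot, skipping the user-upload directory,
# in a stable (C-locale) order so later comparisons line up.
list_files() {
  ( cd "$1" && find . -type f ! -path './sites/default/files/*' | LC_ALL=C sort )
}

# Record "<sha256>  <path>" for every file; run this right after a clean
# install of core and modules, before the site goes back online.
make_baseline() {
  docroot="$1"; manifest="$2"
  ( cd "$docroot" && list_files . | while IFS= read -r f; do sha256sum "$f"; done ) > "$manifest"
}

# Compare the docroot with the manifest. Prints one line per finding:
#   CHANGED <path>   content differs from baseline, or file is missing
#   NEW     <path>   file did not exist when the baseline was taken
# Returns 0 when clean, 1 when anything was reported.
check_baseline() {
  docroot="$1"; manifest="$2"
  rc=0
  # sha256sum -c --quiet prints only mismatches as "<path>: FAILED..."
  changed=$( cd "$docroot" && sha256sum -c --quiet "$manifest" 2>/dev/null \
             | sed -n 's/: FAILED.*$//p' )
  if [ -n "$changed" ]; then
    printf '%s\n' "$changed" | sed 's/^/CHANGED /'
    rc=1
  fi
  # Files on disk that the manifest never saw; dropped PHP files and hidden
  # directories show up here. cut -c67- skips the 64-char hash and two spaces.
  known=$(mktemp)
  cut -c67- "$manifest" | LC_ALL=C sort > "$known"
  new=$( list_files "$docroot" | LC_ALL=C comm -13 "$known" - )
  rm -f "$known"
  if [ -n "$new" ]; then
    printf '%s\n' "$new" | sed 's/^/NEW /'
    rc=1
  fi
  return $rc
}
```

Run make_baseline once on a known-clean tree and check_baseline from cron; a CHANGED line on includes/bootstrap.inc or a NEW line under a directory you never created is the signal the thread was looking for.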

Thank you!

Posted by CoreyTravel

Thank you for all the feedback, you have given me new avenues to pursue and/or think about.

The hosting company is HostGator. Both the sites that got hacked are small non-profit companies, so they picked the cheapest possible hosting for their site.

Best,
Corey

HostGator

Posted by howdydo

I am managing a Drupal site for a nonprofit, as well, and our site was hacked in January of this year (2016), not long after I had updated the Drupal Core software. HostGator contacted my client to tell them about it - they keep a ".security" file in every root directory of a shared account that keeps periodic scans all of your files. "SiteLock" offers expensive Hacker protection and if the site has already been hacked, it's even more expensive. I refused to pay them, and after searching through all of the access logs to determine whether I could identify the problem (I did not), I finally decided to erase and update all files (core & modules) with brand new downloads. It was a royal pain in the you-know-what. Now, less than a week after I updated the core files, again, we get hacked again. Call me paranoid, but wondering if there is a pattern here - does HostGator benefit when their sites get hacked and someone purchases SiteLock?? Just sayin'

Cheap shared hosting

Posted by davidneedham

It is entirely possible that even if you deleted the site and started over, if there was ever a security hole that allowed them to write to the server, they could still have a back door via ssh, sftp, or something else and re-hack your brand new website. Without knowing what to look for, you almost have to create a new account with the shared host and start over that way. Even then, shared hosting will never be as secure as other hosting solutions.

--
David Needham
Team Lead of Training at Datadog

Drupalgeddon

Posted by wylbur

Take a look at the solutions to the Drupalgeddon exploit. One aspect of that exploit is that user accounts get installed that allow the attacker to continue to access your website even after you have closed the exploit. These accounts could have been created much earlier, and now they are using them to access your site.

There is a tool to scan your website database to find suspicious accounts and files. Use it!