Hack attack

  • I think the VUXXX user is the problem since, when listing the modified documents, the user who made the changes was the VUXXX user. Somehow they used it; if I ran Drupal without i-MSCP they couldn't use the VUXXX user, so somehow it must be related.
    By disabling I mean, you can disable a user with Ubuntu:


    sudo passwd -l [user_name]


    I don't know the type of the attack, and I also don't know how I should provide logs.
    All that happened is, they were able to add files (a new index.html / jpeg, adminer.php) to the root, and remove the old index.php. All actions were done by the VUXXX user.



    You're thinking wrong ;) As far as I can see, you make some assumptions without understanding how the whole thing is working. The vuxxx user is a Unix user without shell access ;) Thus, disabling that user by running the sudo passwd -l [user_name] command will not have any effect... It is normal that any change made inside your document root (htdocs) is done by the vuxxx user because the Drupal PHP scripts are run under that user. Again, you must check your Drupal application for any security hole, malware and so on.


    TO SUM UP: The problem here is not the vuxxx user nor i-MSCP. The problem is your Drupal application ;)


  • That's the way it's supposed to be, please check my other message


    I found the auth.log file, and it's scary, thousands of these attempts have been happening for a long time:


    I can't find the FTP log though, isn't it in var/log?

  • @ssibal


    https://www.ostraining.com/blo…eck-drupal-site-security/


    BTW: Scared about what exactly? All those SSH connection attempts? The PAM library does its job ;) You could change the SSH port and install fail2ban to protect your server. Almost every server is the victim of dictionary attacks on the default SSH port ;) The problem here is that you're a beginner ;)

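The kind of check fail2ban automates for the auth.log situation above, as an added example that is not part of the forum thread: count failed SSH logins per source IP and report the ones over a threshold. The log lines are constructed samples in the usual sshd format; the function name and the threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): tally failed SSH logins per source IP
# in auth.log, the same signal fail2ban's sshd jail keys on.

# Constructed sample of sshd lines as they appear in /var/log/auth.log.
SAMPLE_AUTH_LOG='Jan 10 03:14:01 srv sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 10 03:14:03 srv sshd[2233]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Jan 10 03:14:05 srv sshd[2235]: Failed password for root from 203.0.113.7 port 51251 ssh2
Jan 10 03:14:09 srv sshd[2237]: Failed password for invalid user test from 203.0.113.7 port 51260 ssh2
Jan 10 03:15:00 srv sshd[2240]: Failed password for root from 198.51.100.42 port 40112 ssh2
Jan 10 03:16:22 srv sshd[2244]: Accepted publickey for deploy from 192.0.2.10 port 55000 ssh2
Jan 10 03:17:02 srv sshd[2248]: Invalid user postgres from 198.51.100.42'

# Read auth.log lines from stdin and print "count ip" for every source IP
# with at least $1 failures, highest count first. Both "Failed password ...
# from IP" and "Invalid user ... from IP" lines count as a failure; the
# successful "Accepted" line is ignored.
ssh_bruteforce_sources() {
    threshold="$1"
    awk -v min="$threshold" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { hits[$(i+1)]++; break }
        }
        END { for (ip in hits) if (hits[ip] >= min) printf "%d %s\n", hits[ip], ip }
    ' | sort -rn
}

# With the real file: ssh_bruteforce_sources 3 < /var/log/auth.log
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_bruteforce_sources 3
```

With a threshold of 3 only 203.0.113.7 is reported; lowering it to 2 also surfaces 198.51.100.42, whose two lines are one password failure and one invalid-user probe.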

  • @Nuxwin


    Thank you for making it clear to me! I really appreciate the thoughts you shared!
    Of course it's off topic now, but can you give me some hints on how to find security issues within the Drupal application in general?

  • @ssibal


    Read my previous answer ;) I've given you a link which could help you check your Drupal site ;)


  • @Nuxwin


    Yes, yes, thank you very much! I am diving into the topic deeply! And you are right, I am a beginner, I will need to expand my knowledge in this topic! (going to read books, forums, and so on!)

  • @ssibal


    You're welcome. We have all started one day ;) You should take more time to learn and think before crying about something that you don't really understand ;)


  • The current production Drupal version is 7.34.
    The version you use is certainly quite old, and as far as I can imagine your modules are too.
    Updates of Drupal and Drupal modules are not just for bug fixes, but often also for security reasons.


    What you have to do:
    1. download your Drupal personal files (sites/default/settings.php, sites/all/themes, sites/default/files, etc.)
    2. write down the list of modules in sites/all/modules
    3. put your current site into maintenance mode
    4. delete all your files in your htdocs directory
    5. download drupal 7.2 and upload it to your webserver (from the Drupal website)
    6. download all your modules and upload them to your modules directory (from the Drupal website)
    7. upload your personal files
    8. run cron on your site
    9. download the latest Drupal version and upload it to your site
    10. upgrade your site (http://www.xxxyyyzz.com/update.php)
    11. upgrade all your modules to the latest version (using the available updates checker in Drupal and following the procedure)
    12. test your site and take it out of maintenance mode


    At the end you'll be sure to have a clean install of Drupal without viruses or hacked files, and you'll also have the latest versions installed.
    Before beginning this procedure, BACK UP YOUR SITE AND DB!!!

  • @kess
    Even easier is to


    1. Back up your files and databases (check if you have any hacked core files/themes that you need to save)
    2. Install Drush (apt-get install drush / pear channel-discover pear.drush.org - pear remote-list -c drush - pear install drush/drush)
    3. Go to your root directory (where your main index.php is)
    4. Type drush up
    5. Read carefully what updates are available