Fixing Compromised Security

While Drupal is one of the most secure and fastest-reacting CMSs, you can still get hacked, or your FTP and/or database passwords can be stolen. Be aware of the following points to help you diagnose the problem:

95% of all security problems arise from your FTP login and password being stolen by a worm contracted from an infected website. In about 70% of cases, you are the security hole. Also be aware that the more popular your site is, the more likely it is that a hacker will actually try to break in; then you would need more than the "Basic Checklist" below.

  1. You neglected your permissions. Are the permissions at /admin/user/permissions set correctly? Check whether any role has been granted a permission it shouldn't have.
  2. Your FTP account could have been compromised by an internet worm. After stealing your FTP data, the hacker could have read your database credentials from settings.php.
  3. You have allowed the Full HTML input format for site visitors entering nodes or comments, and a hacker inserted a worm script into your site. Disable Full HTML for everybody except trusted users, and check your comments and nodes for the presence of scripts.
  4. Ill-written scripts, XSS, or holes in upload modules. How up to date are your core and modules? Do they have the latest updates covering possible script insertion? Do you have custom scripts that may in fact be an open hole? Have you used IE?

The most likely causes:

  1. Your FTP password was stolen.
  2. Your cookies were stolen via cross-site scripting (XSS).

What you should do (in this order):

  1. If you have Windows, reinstall it, formatting the partition first (make sure you have backed up your documents elsewhere). Make sure you have an antivirus, Eset NOD32 (best) or Avast (free but good); both protect your computer and check sites for worms. Worms are the #1 threat that compromises your FTP data. Only after formatting away the previous Windows installation and reinstalling does it make sense to change your passwords on the server.
  2. CHANGE your FTP password(s) ASAP. If you have more than one FTP account, change every one that can write to the server web space.
  3. CHANGE your database password ASAP.
  4. CHANGE your Drupal admin password. If you are using Total Commander, stop using it. If you are using FileZilla, check whether you have a backup of FTP hosts and passwords (FileZilla stores exported passwords unencrypted).
  5. Update Drupal core and modules to the latest releases of the same major branch that carry a security release mark.
  6. DISABLE the Full HTML input format for untrusted users.
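To check nodes and comments for injected scripts (checklist item 3) and to see which roles can currently use Full HTML (step 6), the following MySQL queries can be run against the site database. They are an added example, not part of the original page or of Drupal itself, and assume a Drupal 6 schema (the one whose permissions page lives at /admin/user/permissions) with the default, unprefixed table names node, node_revisions, comments, filter_formats and role.

```sql
-- Added example (not from the original page): MySQL queries for a Drupal 6
-- database, assuming default table names and no table prefix.

-- 1. Current node revisions whose body or teaser carries markup a worm
--    typically injects: script/iframe tags, inline event handlers or
--    javascript: URLs. Review every hit by hand; legitimate Full HTML
--    content written by trusted users can match too.
SELECT n.nid, n.title, n.changed, r.format
FROM node n
JOIN node_revisions r ON r.vid = n.vid
WHERE r.body   REGEXP '<script|<iframe|onload=|onerror=|javascript:'
   OR r.teaser REGEXP '<script|<iframe|onload=|onerror=|javascript:';

-- 2. The same check for comments, including unpublished ones
--    (in Drupal 6, comments.status = 1 means "not published").
SELECT c.cid, c.nid, c.uid, c.hostname, c.status, c.format
FROM comments c
WHERE c.comment REGEXP '<script|<iframe|onload=|onerror=|javascript:';

-- 3. Which roles may use which input format. filter_formats.roles holds a
--    comma-delimited list of role IDs such as ",2,3,"; an empty value
--    means no role has been granted the format. Any untrusted role listed
--    next to "Full HTML" is the one to remove on the input formats page.
SELECT f.format, f.name AS format_name, r.rid, r.name AS role_name
FROM filter_formats f
JOIN role r ON f.roles LIKE CONCAT('%,', r.rid, ',%')
ORDER BY f.format, r.rid;
```

Run the content queries again after cleaning, since a worm that still has FTP or database access will re-insert its script.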