A friend's Drupal site was hacked. What is strange is that the root directory of the installation at the hosting company (let us call it rootdir) was copied (or renamed) to rootdir_hacked, and the directory rootdir was left with one file, index.html, saying the site is under update.

What I do not understand is how the hacker can create/copy a directory somewhere outside the rootdir. Shouldn't the security settings of the hosting company prevent this without access via FTP?

Bent

1 Answer

The vulnerability allows remote code execution, meaning that you can perform arbitrary actions (like performing file system operations) with the privileges of the web server process on the remote host. You can imagine the attacker actually sitting in front of the compromised computer and typing commands in the console.

Here's how Remote Code Execution is achieved: https://www.sektioneins.de/en/blog/14-11-03-drupal-sql-injection-vulnerability-PoC.html

buherator
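An added example, not part of the original answer: code running with the web server's privileges can rename rootdir whenever that user has write and search permission on rootdir's parent directory, which is the case on hosts that run PHP as the account user. The sketch below checks this from classic mode bits only (ACLs and MAC policy are ignored); `can_rename`, `demo` and the temporary layout are hypothetical names constructed for illustration.

```python
import os
import shutil
import stat
import tempfile


def can_rename(path, uid, gids=()):
    """True if a process with this uid/gids may rename `path` within its parent.

    Classic mode bits only; ACLs, capabilities and MAC policy are ignored.
    """
    path = os.path.abspath(path)
    parent = os.stat(os.path.dirname(path))
    entry = os.lstat(path)
    if uid == 0:
        return True  # root bypasses mode-bit checks
    if uid == parent.st_uid:
        bits = parent.st_mode >> 6
    elif parent.st_gid in gids:
        bits = parent.st_mode >> 3
    else:
        bits = parent.st_mode
    if bits & 0o3 != 0o3:  # rename() needs write + search on the parent
        return False
    # Sticky parent: only the owner of the entry or of the parent may rename.
    if parent.st_mode & stat.S_ISVTX and uid not in (parent.st_uid, entry.st_uid):
        return False
    return True


def demo():
    """Constructed layout: <account>/rootdir, checked under three parent modes."""
    account = tempfile.mkdtemp()
    docroot = os.path.join(account, "rootdir")
    os.mkdir(docroot)
    owner = os.stat(account).st_uid   # account user (owns everything here)
    other = owner + 1                 # hypothetical separate web server uid
    results = {}
    try:
        for mode in (0o755, 0o777, 0o1777):
            os.chmod(account, mode)
            results[mode] = (can_rename(docroot, owner), can_rename(docroot, other))
    finally:
        shutil.rmtree(account)
    return results


if __name__ == "__main__":
    for mode, (as_owner, as_other) in demo().items():
        print(f"parent {mode:o}: owner={as_owner} other={as_other}")
```

A result of `True` for the uid that executes PHP means a code-execution bug in the site is enough to rename or replace the whole document root, with no FTP access involved.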