iSKORPiTX; a Turkish Hacker, has Struck Again

I had a phone call today that a site that I support was not available and their was a very strange home page.

After doing a research, it appears to me that iSKORPiTX; does this sort of thing from time to time, every 3-6 months or so. I found one place where someone said he attacked over 20,000 sites in under 24 hours.

So what does he do? Well, that's the good news, he doesn't appear to do great harm (even though he could.) In this case, I believe he got access to an Admin account at Drupal Value Hosting, then he when to every site on the server farm and replaced the index.php file with his own HTML code that says his name and the Turkish flag.

We had a non-functioning site in a sub-directory, and he replaced the index.php there as well. That tells me he likely did a massive find and replace of all the index.php files he found on the server. Restoring the site was fairly simple-- we just copied the original index.php back to the server. Of course, an event like this is always a good reminder of the importance of backups.

For this particular site, the Drupal Backup and Migrate Module has been implemented to backup the database to a tar file on a nightly basis, and the file system is being FTP'd to another server on a regular basis. In other words, we are pretty safe if it happens again. Drupal Value Hosting has been non-responsive as is typical for them. We are currently looking for another Web Host provider who can support Drupal with CiviCRM (which requires the InnoDB MySQL add-on).