Be sure to install mod_security on Apache; it helps a lot.
It is important to know how it got compromised so that you don't move that
to the new system.  Common methods are sql injection and using pages with
poor input validation to run external code.  I don't know how big your
databases are but it's a good idea to dump them to text and skim through
them for unusual text with back ticks ` , @, $, readfile, exec, etc that get
rendered by the front end as code in poorly written pages.  Also look in
your apache logs; you will usually find it there also.

Don't trust any code on your front end; install vanilla versions of them and
re-implement any mods you've made (makes it REALLY obvious how important
adequate documentation is).  It looks like you'll really need to scrutinize
the mason-cm code.
Good luck.

JD
PS: http://mason-cm.itassistance.biz/index


On Tue, Jun 14, 2011 at 22:41, Steve Phariss <sphariss@gmail.com> wrote:

> I may have a job putting a compramised system back into production
> (actually we are moving them from Ubuntu to a RHEL VM...)
>
> I am still lacking some details but they are running apache, Mysql AND
> Postgres, Drupal, and something called  *Mason*-*CM.  I am not sure why
> the two DBs but if there is not a good reason I will move them off of one or
> the other.
>
> Anyone have any good docs on securing Apache, Drupal, the DBs, or Mason-CM?
>
> Thanks
>
> Steve
> *
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>