Insights into a hacked site


Hi everyone,
I manage a couple of non-profit sites: http://www.peninsulaartinstitute.org/ and http://peninsulamuseum.org/ which are hacked... well, Google tells me that they are OK and several site checkers also tell me the site is clean, but when I search for Peninsula Art Institute I get something like this:

Exhibits
cheapest levitra prices doxycycline without gelatin buy viagra ...

I checked the sites - they are implemented as a multi-site - following this list: https://www.ostraining.com/blog/drupal/check-drupal-site-security/ and I found several PHP files in core module folders, with names like 1d3ff9.php, fl.php, ofkk.php, etc. I compared the folder content with clean ones and they definitely do not belong there.

I checked the database for these file names but came up empty.

So I removed all these files, but the question remains: what else do I have to do? Does anybody have insights to share?

Comments

Extra content and text formats


Here are the additional steps you can take:
1) If you have git, check its commits and make sure that there is no commit made by someone other than the developers.
2) Do "git diff" after removing the extra files. This will show whether any of the core/contrib files have been tampered with.
3) Go through all nodes and taxonomy terms and make sure that there are no unwanted ones.
4) Check that no extra roles have been created.
5) Check that existing roles have the correct permissions.
6) Check that higher-level roles (manager, administrator, etc.) are assigned to the correct users only.
7) Create a list of all text fields. Query the DB tables "field_data_*" and "field_revision_*". Find out which content has its format set to anything other than Plain Text. Go to those content pieces and make sure that the text area or field doesn't have any JS/PHP code that you don't recognize.
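
The file-level checks in steps 1 and 2 assume the site is under git. For a site that is not, the same answer (which files were dropped in, which shipped files were altered) comes from comparing the live docroot against a pristine extract of the same Drupal release. The script below is an added example, not code from this thread or from the Drupal project. It assumes POSIX sh with find, cksum, sort, join and awk, and that paths contain no spaces or newlines (true of Drupal core and contrib trees). The demonstration trees it builds under mktemp are constructed for the example and are not real Drupal files.

```shell
#!/bin/sh
# Added example: compare a live Drupal docroot against a pristine copy of the
# same release extracted next to it. Prints one line per finding:
#   EXTRA <path>      file exists only in the live tree (dropped files such as
#                     1d3ff9.php inside a core module folder)
#   MODIFIED <path>   file exists in both trees but the content differs
#                     (tampered core/contrib code)
# Assumes POSIX sh, find, cksum, sort, join, awk; paths without spaces/newlines.
set -eu

# One line per file, "<path> <crc>", sorted by path relative to the tree root.
# cksum prints "<crc> <size> <path>"; awk reorders so the path is the join key.
list_tree() {
  ( cd "$1" && find . -type f -exec cksum {} + \
      | awk '{ print $3 " " $1 }' \
      | LC_ALL=C sort -k1,1 )
}

# compare_trees CLEAN_DIR LIVE_DIR
compare_trees() {
  clean_list=$(mktemp); live_list=$(mktemp)
  list_tree "$1" > "$clean_list"
  list_tree "$2" > "$live_list"
  # Unpaired lines from the live list: files the clean release does not ship.
  LC_ALL=C join -v 2 "$clean_list" "$live_list" | awk '{ print "EXTRA " $1 }'
  # Paired lines come out as "<path> <clean_crc> <live_crc>"; keep mismatches.
  LC_ALL=C join "$clean_list" "$live_list" | awk '$2 != $3 { print "MODIFIED " $1 }'
  rm -f "$clean_list" "$live_list"
}

# Constructed demonstration (not real Drupal files): a two-file "release" and a
# "live" copy with one injected line in bootstrap.inc and one dropped PHP file.
demo() {
  root=$(mktemp -d)
  for t in clean live; do
    mkdir -p "$root/$t/includes" "$root/$t/modules/system"
    printf '<?php // pristine bootstrap\n'     > "$root/$t/includes/bootstrap.inc"
    printf '<?php // pristine system module\n' > "$root/$t/modules/system/system.module"
  done
  printf '// injected line\n'               >> "$root/live/includes/bootstrap.inc"
  printf '<?php // not shipped by Drupal\n'  > "$root/live/modules/system/1d3ff9.php"
  compare_trees "$root/clean" "$root/live"
  rm -rf "$root"
}

demo
```

On a real site, call compare_trees with a fresh extract of the same core version (and the same contrib releases under sites/all/modules) as the clean side; site-specific paths such as sites/*/settings.php and sites/*/files will be listed as EXTRA and need a manual look, and any .php under files/ is exactly what you want to surface. For step 7, assuming the Drupal 7 field naming the post refers to, a query of the form SELECT entity_type, entity_id, body_format FROM field_data_body WHERE body_format <> 'plain_text' (via drush sql-query or the mysql client) lists the body rows to inspect; repeat it for each text field's field_data_* and field_revision_* table.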

neeravbm has good


neeravbm has good suggestions. In particular, it's important to review the users and roles carefully for any new/changed ones that are suspicious or have inappropriate permissions.

This module will generate a report telling you if any code files have been modified from the official versions downloaded from drupal.org:
https://www.drupal.org/project/hacked

These modules also run some useful checks:
https://www.drupal.org/project/security_review
https://www.drupal.org/project/site_audit

To be safe, you should probably change the passwords for all of the Drupal user accounts, as well as the database password.

It goes without saying, but once you've cleaned up the sites, you should make sure all the latest security updates are applied to Drupal core and contrib modules.

If you have a recent backup of your site (code, database, and user files) that you are very confident is unhacked, another approach is to roll the site back to the known good state by restoring your backup. You would still need to apply all the security updates and change all the passwords after doing so.

Good luck!

Watch this video from Drupalcon LA


This probably describes the hack on your site, in detail:
https://events.drupal.org/losangeles2015/sessions/i-survived-drupalgeddo...
