Opened 5 months ago

Closed 4 months ago

#13678 closed Task/To do item (fixed)

culturesofresistancefilms.com - apparent hack

Reported by: https://id.mayfirst.org/corinaction Owned by: https://id.mayfirst.org/jaimev
Priority: Urgent Component: Tech
Keywords: Cc: rogermanningnyc@…, https://id.mayfirst.org/jamie
Sensitive: no

Description

hi MF,

culturesofresistancefilms.com Drupal 7 site seems to have some hacking activity. We removed some bogus code from the settings.php file (last modified 12-12-2017), removed a bogus Drupal user (joined '1948) and changed all user passwords.

It seems to be the same issue covered here: https://www.drupal.org/forum/support/installing-drupal/2015-10-01/do-i-have-a-virus-or-am-i-under-attack

Could you please help out with a bit of site scanning etc?

thanks, rm (new admin)

Change History (6)

comment:1 Changed 5 months ago by https://id.mayfirst.org/jaimev

  • Cc https://id.mayfirst.org/jamie added
  • Owner set to https://id.mayfirst.org/jaimev
  • Status changed from new to assigned

Hi, yes I think this is likely related to https://www.drupal.org/psa-2018-002. Rooting out all of the possible compromises on a Drupal site can be difficult. I'm copying jamie here for more ideas.

One thing you may want to do for future cases is move to using our centralized Drupal7 install. We normally apply security upgrades there the moment they are released. Drupal is manually installed for culturesofresistancefilms.com. We went ahead and intervened to apply all security upgrades for you on Mar 25th when we saw the site hadn't received the previous security upgrade. This may have been too late though.

Last edited 5 months ago by https://id.mayfirst.org/jaimev

comment:2 Changed 5 months ago by https://id.mayfirst.org/jamie

I just finished removing dozens of compromised files in your installation by comparing your web directory with a clean install (in /usr/local/share/drupal-7).

Let us know if we can convert you to our central install - that will help a lot.

I also notice that git is installed. If you can keep your files committed to git that's another useful way to detect and rollback compromises.
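The comparison described in comment:2 (site web root versus a clean Drupal 7 tree such as /usr/local/share/drupal-7), written out as an added example; this is not code from the ticket or from May First, and the two directory trees it compares are constructed in a temp dir so it runs offline. It reports core files whose content differs from the reference and files that exist only in the site tree.

```shell
#!/bin/sh
# Added example (not from the ticket): compare a Drupal web root against a clean
# reference install and report files that differ or are not in the reference.
# Assumes a clean tree such as /usr/local/share/drupal-7 as the reference.

# compare_trees REFERENCE SITE
# Prints "MODIFIED <path>" for files whose content differs from the reference
# copy and "EXTRA <path>" for files present only in the site tree. Paths are
# printed relative to the site root.
compare_trees() {
    ref="$1"
    site="$2"
    (cd "$site" && find . -type f) | sort | while IFS= read -r f; do
        if [ ! -f "$ref/$f" ]; then
            printf 'EXTRA %s\n' "${f#./}"
        elif ! cmp -s "$ref/$f" "$site/$f"; then
            printf 'MODIFIED %s\n' "${f#./}"
        fi
    done
}

# demo_compare: builds a constructed reference tree and a constructed site tree
# (one untouched core file, one altered core file, one upload that the clean
# install cannot know about) and runs the comparison on them.
demo_compare() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/ref/includes" "$tmp/site/includes" "$tmp/site/sites/default/files"
    printf '<?php\n// constructed: clean bootstrap\n' > "$tmp/ref/includes/bootstrap.inc"
    printf '<?php\n// constructed: clean bootstrap\n' > "$tmp/site/includes/bootstrap.inc"
    printf '<?php\n// constructed: clean front controller\n' > "$tmp/ref/index.php"
    printf '<?php\n// constructed: altered front controller\n' > "$tmp/site/index.php"
    printf 'not php\n' > "$tmp/site/sites/default/files/photo.jpg"
    compare_trees "$tmp/ref" "$tmp/site"
    rm -rf "$tmp"
}

demo_compare
```

Everything under sites/ (settings.php, contrib modules, uploads) shows up as EXTRA because a clean core tree has none of it; those paths need the separate checks a later comment describes (fresh contrib copies, an audit of the files directory) rather than a core diff.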

comment:3 Changed 5 months ago by https://id.mayfirst.org/corinaction

Good to know that MF ran those updates on this install. I was just recently called in to help with maintenance for the culturesofresistance sites and suspected a manual install for culturesofresistancefilms.com when told there was a core security update pending. I was a bit confused on logging in and finding it updated.

Yes, please convert culturesofresistancefilms.com to a shared Drupal 7 install. Are there any infection concerns regarding the database?

Meanwhile, culturesofresistance.org is on a shared Drupal 7 install and seems fine?

thanks, rm

Last edited 5 months ago by https://id.mayfirst.org/corinaction

comment:4 Changed 4 months ago by https://id.mayfirst.org/jamie

Unfortunately, the site appears to have been re-compromised :(. I just converted your site to use the central drupal install (which should help some with re-infection since your user doesn't have permission to write to core directories).

But... it does mean there is still a backdoor somewhere.

I would start with downloading a fresh copy of each third party module. I'm pretty sure that's where the still existing compromised code lives.

Then, reset all passwords.

If you still get re-infected, then your question about the database comes into play - we can try to examine the tables to see if someone has inserted backdoor code into the database itself.

jamie

p.s. and yes, culturesofresistance.org is using the central drupal install and appears ok.

comment:5 Changed 4 months ago by https://id.mayfirst.org/corinaction

Thanks for converting the site to the central drupal install.

All the contrib module files have been replaced with fresh copies and the 3 custom modules checked. There was one infected custom module file which has been cleaned (modules/custom/moviecarousel/moviecarousel.tpl.php). Same process for the libraries and the custom theme.

Found infected "index.php" files in many of the "files" directory sub-directories and they have been removed. Checked other non-image files in that area and they seem ok. (Used: find "files" -type f -exec grep -Iq . {} \; -and -print)

Passwords for users, SFTP, and database have been updated.

Let us know if we're good.

Thanks again, rm
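The files-directory audit from comment:5 (stray index.php files under the "files" sub-directories, plus a check of the other non-image files there), as an added example that is not the ticket's own command; the sample tree it scans is constructed in a temp dir. It flags files with script extensions, files that start with a PHP open tag whatever their extension, and a missing .htaccess, since the Drupal 7 public files directory should hold only uploads and ships a .htaccess that disables script execution there.

```shell
#!/bin/sh
# Added example (not from the ticket): audit a Drupal "files" upload directory.
# The directory should contain no PHP at all, and Drupal 7 writes a .htaccess
# into it that turns script execution off.

# scan_uploads DIR
# Prints "MISSING .htaccess" if the protective file is absent,
# "SCRIPT-EXT <path>" for files with a script extension, and
# "PHP-TAG <path>" for files of any other extension that begin with <?php.
scan_uploads() {
    dir="$1"
    [ -f "$dir/.htaccess" ] || printf 'MISSING .htaccess\n'
    find "$dir" -type f | sort | while IFS= read -r f; do
        rel="${f#"$dir"/}"
        case "$f" in
            *.php|*.phtml|*.php[0-9]|*.phar)
                printf 'SCRIPT-EXT %s\n' "$rel"
                continue ;;
        esac
        # Only the first 512 bytes are inspected; a PHP open tag that far in
        # is the common case for a script hidden behind an image extension.
        if head -c 512 "$f" | grep -q '<?php'; then
            printf 'PHP-TAG %s\n' "$rel"
        fi
    done
}

# demo_scan: constructs an upload tree with one genuine image, one PHP file
# dropped into an image-style sub-directory, one script behind a .jpg name,
# and no .htaccess, then scans it.
demo_scan() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/files/styles/thumb" "$tmp/files/pictures"
    printf '<?php\n// constructed: script dropped into an upload directory\n' > "$tmp/files/styles/thumb/index.php"
    printf '\211PNG\r\n' > "$tmp/files/pictures/photo.png"
    printf '<?php\n// constructed: script behind an image extension\n' > "$tmp/files/pictures/avatar.jpg"
    scan_uploads "$tmp/files"
    rm -rf "$tmp"
}

demo_scan
```

Run it as `scan_uploads sites/default/files` from the web root; anything it reports is worth reading before deletion, and the ticket's own `grep -Iq .` pass over the same tree remains a good second sweep for non-PHP text files that do not belong there.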

comment:6 Changed 4 months ago by https://id.mayfirst.org/jamie

  • Resolution set to fixed
  • Status changed from assigned to closed

Excellent - thanks! Let's hope this does the trick. We'll re-open if we notice a re-infection.
