Opened 7 months ago

Closed 7 months ago

#13678 closed Task/To do item (fixed) - apparent hack

Reported by: Owned by:
Priority: Urgent Component: Tech
Keywords: Cc: rogermanningnyc@…,
Sensitive: no


hi MF, Drupal 7 site seems to have some hacking activity. We removed some bogus code from the settings.php file (last modified 12-12-2017), removed a bogus Drupal user (joined '1948) and changed all user passwords.

It seems to be the same issue covered here:

Could you please help out with a bit of site scanning etc?

thanks, rm (new admin)

Change History (6)

comment:1 Changed 7 months ago by

  • Cc added
  • Owner set to
  • Status changed from new to assigned

Hi, yes I think this is likely related to Rooting out all of the possible compromises on a Drupal site can be difficult. I'm copying jamie here for more ideas.

One thing you may want to do for future cases is move to using our centralized Drupal7 install. We normally apply security upgrades there the moment they are released. Drupal is manually installed for We went ahead and intervened to apply all security upgrades for you on Mar 25th when we saw the site hadn't received the previous security upgrade. This may have been too late though.


comment:2 Changed 7 months ago by

I just finished removing dozens of compromised files in your installation by comparing your web directory with a clean install (in /usr/local/share/drupal-7).

Let us know if we can convert you to our central install - that will help a lot.

I also notice that git is installed. If you can keep your files committed to git that's another useful way to detect and rollback compromises.
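The "compare the web directory with a clean install" step from the comment above, written out as an added example (not code from the ticket or from the hosting provider). It assumes the clean core tree lives at the path named in the comment, /usr/local/share/drupal-7, but the trees it actually runs against are constructed in a temp directory so it works offline. Files under sites/ (settings.php, contrib modules, uploads) are skipped because they legitimately differ from core and need their own review.

```shell
#!/bin/sh
# Added example: report core files that differ from, or do not exist in, a
# clean Drupal 7 tree. Not the ticket's own tooling.

# compare_trees CLEAN WEBROOT
# Prints one line per finding:
#   MODIFIED <relpath>   present in both trees but the contents differ
#   EXTRA    <relpath>   present only in the web root (dropped file)
# Everything under sites/ is skipped here; it is expected to differ from core.
compare_trees() {
    clean=$1
    webroot=$2
    ( cd "$webroot" && find . -type f ! -path './sites/*' ) | sed 's|^\./||' | sort |
    while IFS= read -r rel; do
        if [ ! -f "$clean/$rel" ]; then
            printf 'EXTRA    %s\n' "$rel"
        elif ! cmp -s "$clean/$rel" "$webroot/$rel"; then
            printf 'MODIFIED %s\n' "$rel"
        fi
    done
}

# make_sample: build a constructed pair of trees for the demo. The "web" tree
# has one tampered core file (a line appended to index.php) and one file that
# does not exist in core at all; settings.php sits under sites/ and is ignored.
make_sample() {
    base=$(mktemp -d)
    mkdir -p "$base/clean/includes" "$base/web/includes" "$base/web/sites/default"
    printf '<?php\n// clean bootstrap\n' > "$base/clean/index.php"
    printf '<?php\n// common.inc\n' > "$base/clean/includes/common.inc"
    cp "$base/clean/index.php" "$base/web/index.php"
    cp "$base/clean/includes/common.inc" "$base/web/includes/common.inc"
    printf '// appended line, constructed sample of a tampered core file\n' >> "$base/web/index.php"
    printf '<?php /* constructed sample of a dropped file */\n' > "$base/web/includes/cache.php"
    printf '<?php $databases = array();\n' > "$base/web/sites/default/settings.php"
    echo "$base"
}

# Demo run against the constructed trees. For a real site, replace the two
# arguments with /usr/local/share/drupal-7 and the site's web root.
sample=$(make_sample)
compare_trees "$sample/clean" "$sample/web"
rm -rf "$sample"
```

The comparison is byte-for-byte (cmp), so it also catches a single appended line like the settings.php change mentioned in the ticket; it only works if the clean tree is the same Drupal release as the site, so check the core version first.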

comment:3 Changed 7 months ago by

Good to know that MF ran those updates on this install. I was just recently called in to help with maintenance for the culturesofresistance sites and suspected a manual install for when told there was a core security update pending. I was a bit confused on logging in and finding it updated.

Yes, please convert to a shared Drupal 7 install. Are there any infection concerns regarding the database?

Meanwhile, is on a shared Drupal 7 install and seems fine?

thanks, rm


comment:4 Changed 7 months ago by

Unfortunately, the site appears to have been re-compromised :(. I just converted your site to use the central drupal install (which should help some with re-infection since your user doesn't have permission to write to core directories).

But... it does mean there is still a backdoor somewhere.

I would start with downloading a fresh copy of each third party module. I'm pretty sure that's where the still existing compromised code lives.

Then, reset all passwords.

If you still get re-infected, then your question about the database comes into play - we can try to examine the tables to see if someone has inserted backdoor code into the database itself.


p.s. and yes, is using the central drupal install and appears ok.

comment:5 Changed 7 months ago by

Thanks for converting the site to the central drupal install.

All the contrib module files have been replaced with fresh copies and the 3 custom modules checked. There was one infected custom module file which has been cleaned (modules/custom/moviecarousel/moviecarousel.tpl.php). Same process for the libraries and the custom theme.

Found infected "index.php" files in many of the "files" directory sub-directories and they have been removed. Checked other non-image files in that area and they seem ok. (Used: find "files" -type f -exec grep -Iq . {} \; -and -print)

Passwords for users, SFTP, and database have been updated.

Let us know if we're good.

Thanks again, rm
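The files-directory check from the comment above (the find/grep one-liner that lists non-binary files), extended as an added example that is not the ticket's own command: it runs the same listing and additionally marks any text file that carries a PHP open tag, since nothing under an uploads directory should be PHP. The sample directory it scans is constructed in a temp dir (a PNG header with NUL bytes so grep -I treats it as binary, a harmless .txt, and a dropped index.php in a subdirectory, mirroring what the ticket found).

```shell
#!/bin/sh
# Added example: list text files under a Drupal "files" directory and flag
# the ones containing PHP. Not the ticket's own tooling.

# scan_files_dir DIR
# Prints one line per non-binary file:
#   PHP  <path>   contains "<?php" or "<?=" (should not exist under files/)
#   TEXT <path>   other text file, worth a look but not PHP
# The find/grep -Iq part is the check used in the ticket: grep -I skips
# files it considers binary (images), "." matches any non-empty line.
scan_files_dir() {
    dir=$1
    find "$dir" -type f -exec grep -Iq . {} \; -print | sort |
    while IFS= read -r f; do
        if grep -q -e '<?php' -e '<?=' "$f"; then
            printf 'PHP  %s\n' "$f"
        else
            printf 'TEXT %s\n' "$f"
        fi
    done
}

# make_sample_files: constructed uploads directory for the demo.
make_sample_files() {
    base=$(mktemp -d)
    mkdir -p "$base/files/styles/thumb"
    # PNG signature followed by NUL bytes: grep -I treats this as binary
    printf '\211PNG\r\n\032\n\000\000\000\015IHDR' > "$base/files/styles/thumb/logo.png"
    # ordinary text upload
    printf 'hello\n' > "$base/files/readme.txt"
    # the pattern from the ticket: an index.php dropped into a subdirectory
    printf '<?php /* constructed sample of a dropped file */\n' > "$base/files/styles/index.php"
    echo "$base"
}

# Demo run; on a real site pass sites/default/files (or wherever the public
# files directory is configured) instead.
sample=$(make_sample_files)
scan_files_dir "$sample/files"
rm -rf "$sample"
```

Anything reported as PHP is a candidate for removal; the TEXT lines still deserve a glance, because a file named like an image but containing text is exactly what grep -I will not hide.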

comment:6 Changed 7 months ago by

  • Resolution set to fixed
  • Status changed from assigned to closed

Excellent - thanks! Let's hope this does the trick. We'll re-open if we notice a re-infection.
