Hi all,

As someone kindly pointed out to me, my Drupal sites are infected with "Exploit Blackhat SEO (type 1703)".
Closer examination shows that ALL Drupal 6/7 sites I am running on the same shared server are affected. Note that I am not using a multi-site Drupal installation; EVERY Drupal installation on my server uses its own folder and source code.
This includes Drupal sites that are not indexed by search engines and are used for development/testing purposes only.

I have tried to search for this issue on Google and Drupal.org but I am unable to find someone who encountered something similar to what I had. I do see plenty of posts about such infections on WordPress.
Hence, I am sharing my experience here and hope this will eventually help others too.

I have contacted my web host and they have confirmed that this is an account-specific issue, i.e. the server is not affected/hacked but only my account.

My web host identified, using antivirus, that this file is malicious:
/public_html/drcnf.php

You can download this file at this link
https://dl.dropboxusercontent.com/u/63859984/infected/drcnf.zip

I hope whitehat developers can examine this file and use it to protect the Drupal community against hacks.

On my main site, I have also manually identified this folder, which contains many folders/files which I did not upload and which are not included in the Drupal installation:
/public_html/scripts

You can download this folder at this link
https://dl.dropboxusercontent.com/u/63859984/infected/scripts.zip

From cpanel traffic stats, I also see a large amount of traffic accessing this php file in this folder:
/public_html/scripts/sysdatas2e04.php 24,564
(This stat is only for one month!!)

cpanel stats also show a high amount of traffic coming from these countries while my web server is infected.
As the info below shows, I believe this infection/attack originates from Russia as many of the hidden links contain Russian characters or dot ru domain names.

Country                Pages   Hits    Bandwidth
ru Russian Federation  25,453  25,871  431.44 MB
us United States        6,757  11,324  436.85 MB
ua Ukraine              6,224   6,289  380.69 MB
cn China                3,292   7,362    4.64 GB
(this stat is for August 2014)

If I look at the Drupal site's html source page, I see these hidden links.
Note: I have replaced my site's domain name with www.mysite.com

  <div id="store-footer">Supported by Ubercart, an <a href="http://www.ubercart.org/">open source e-commerce suite</a>.</div>  </body>
</html>







<script type="text/javascript">
document.write('<' + 'di' + 'v sty' + 'le="position: absolute; l' + 'eft: -1940px; t' + 'op' + ': -2865px;">');
</script>
	
	<a href="http://www.mysite.com/scripts/index.html">рак лев гороскоп на сегодня</a>
	<a href="http://www.kpispu.info/scripts/index.html">телефонная база новосибирска по мобильным телефонам</a>
	<a href="http://naturaljob.com/config/index.html">ссылка</a>
	<a href="http://www.chaosandcolor.org/includes/index.html">здесь</a>
	<a href="http://source-all.com/profiles/index.html">база</a>
	<a href="http://elhamdsteel.com/awstats/index.html">как найти адрес нижегородской области по номеру телефона</a>
	<a href="http://cs.demo.dot.com.jo/modules/index.html">справочник городских телефонов по г москве</a>
	<a href="http://freedomflight.info/mysqldumper/index.html">найти адрес по телефону и фио</a>
	<a href="http://www.clinicasanjudastadeo.com.pe/paginas/index.html">узнать адрес по домашнему телефону в челябинске</a>
	<a href="http://ecureports.demo.dot.com.jo/modules/index.html">справочник телефонов</a>
	<a href="http://preownedwatchessingapore.com/sell/index.html">программа определить местонахождение абонента</a>
	<a href="http://www.boosterkar.net/editor/index.html">норильск справочник телефонов</a>
	<a href="http://bc2000plumbing.com/Moncler_g9/index.html">найти адрес</a>
	<a href="http://0x4b.com/wp-includes/index.html">телефонная</a>
	<a href="http://wzornictwo.asp.waw.pl/images/index.html">как найти электронный адрес человека по фамилии</a>
	<a href="http://www.focusgolfproducts.com/images/index.html">справочник домашних номеров телефонов оренбурга</a>
	<a href="http://arkalika.ru/wp-content/index.html">поиск адреса по номеру городского телефона</a>
	<a href="http://admin.vanguard.verasoftlabs.com/js/index.html">смс перехватчик отзывы</a>
	<a href="http://kamagrablog.ru">Блог о препарате Камагра</a>
	<a href="http://borisgamer.ru/">Все</a>
	<a href="http://womanviagrablog.ru">здесь</a>
	
	<a href="http://www.mysite.com/scripts/sitemap.xml">sitemap</a>
<script type="text/javascript">document.write('</d' + 'iv>');</script>

Further examination of all my site's files and traffic stats shows that my other Drupal sites have a similar infection to the scripts folder above. The only difference is that the files/folders are injected/uploaded into Drupal's modules folder rather than the scripts folder.

The sysdatas2e04.php file says...

/*
Plugin Name: Akismet
Plugin URI: http://akismet.com/
Description: Akismet checks your comments against the Akismet web service to see if they look like spam or not. You need a <a href="http://wordpress.com/api-keys/">WordPress.com API key</a> to use it. You can review the spam it catches under "Comments." To show off your Akismet stats just put &amp;lt;?php akismet_counter(); ?&amp;gt;  in your template. See also: <a href="http://wordpress.org/extend/plugins/stats/">WP Stats plugin</a>.
Version: 2.2.6
Author: Matt Mullenweg
Author URI: http://ma.tt/
*/

If I go to http://akismet.com/ this looks like a legitimate service, but somehow my antivirus says this sysdatas2e04.php file contains a virus. I don't understand why.

In my infected Drupal sites, this php file can be found in the modules folder under different file names, such as xml7xaz8.php, xmltun.php, etc.
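Added example (my own, not code from the original post or from Drupal): a small Python checker for the injection pattern quoted above. It undoes the `'di' + 'v'` string-splitting inside `document.write`, flags an absolutely positioned block pushed far off-screen, collects the anchors between the opening and closing writes, and notes Cyrillic anchor text and placement after `</html>`. The template inside it is constructed to mirror the quoted block with placeholder hosts, and the 500px offset threshold is an assumption.

```python
import re

# Constructed sample modeled on the injected block shown in the post above; the anchor
# text and the foreign host are placeholders, not the real spam links.
SAMPLE_TEMPLATE = r"""
  <div id="store-footer">Supported by Ubercart, an <a href="http://www.ubercart.org/">open source e-commerce suite</a>.</div>  </body>
</html>

<script type="text/javascript">
document.write('<' + 'di' + 'v sty' + 'le="position: absolute; l' + 'eft: -1940px; t' + 'op' + ': -2865px;">');
</script>
    <a href="http://www.mysite.com/scripts/index.html">placeholder anchor text</a>
    <a href="http://spam-host.invalid/wp-includes/index.html">ссылка</a>
    <a href="http://www.mysite.com/scripts/sitemap.xml">sitemap</a>
<script type="text/javascript">document.write('</d' + 'iv>');</script>
"""

CLEAN_TEMPLATE = "<html><body><p>hello</p></body></html>\n"

DOCWRITE_RE = re.compile(r"document\.write\((.*?)\);", re.S)
STR_PIECE_RE = re.compile(r"'((?:[^'\\]|\\.)*)'")
ABSOLUTE_RE = re.compile(r"position\s*:\s*absolute", re.I)
OFFSET_RE = re.compile(r"\b(left|top)\s*:\s*(-\d+)px", re.I)
ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.S | re.I)
CYRILLIC_RE = re.compile(r"[\u0400-\u04FF]")


def deobfuscate_document_write(source):
    """Yield (match, html) for each document.write(...) call, with the
    'a' + 'b' + 'c' string pieces joined back into the HTML they emit."""
    for m in DOCWRITE_RE.finditer(source):
        yield m, "".join(STR_PIECE_RE.findall(m.group(1)))


def find_hidden_div_injection(source, min_offset=500):
    """Return a dict describing an off-screen <div> link block, or None if none is found.

    Signals: a document.write that assembles position:absolute with a large negative
    left/top offset, the anchors that follow it up to the write that closes the div,
    Cyrillic anchor text, and placement after </html> where no template content belongs.
    """
    html_end = source.find("</html>")
    writes = list(deobfuscate_document_write(source))
    for idx, (m, html) in enumerate(writes):
        offsets = [int(v) for _, v in OFFSET_RE.findall(html)]
        if not (ABSOLUTE_RE.search(html) and offsets and min(offsets) <= -min_offset):
            continue
        # The links live between this write and the next write that emits </div> (or EOF).
        end = len(source)
        for later_m, later_html in writes[idx + 1:]:
            if "</div>" in later_html.lower():
                end = later_m.start()
                break
        links = ANCHOR_RE.findall(source[m.end():end])
        return {
            "offsets": offsets,
            "links": [(href, text.strip()) for href, text in links],
            "cyrillic_links": sum(1 for _, text in links if CYRILLIC_RE.search(text)),
            "after_html_close": html_end != -1 and m.start() > html_end,
        }
    return None


if __name__ == "__main__":
    report = find_hidden_div_injection(SAMPLE_TEMPLATE)
    print("clean" if report is None else report)
```

Run it over every page.tpl.php, html.tpl.php and maintenance-page.tpl.php in the docroot; a clean template returns None, the constructed sample returns the two offsets and three links. The check deliberately works on the de-obfuscated string, since a plain grep for `position: absolute` misses the split-string form used here.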

Comments

ericwongcm:

I believe I have identified and removed all traces of the infection and closed all security holes I had on my server which possibly led to the infection/hack.

I see some of my sites have this warning and I think this is possibly one of the routes the hackers used.
This is in addition to the outdated Drupal 6/7 installation and some outdated contributed modules on the server.

Files directory Not fully protected
See http://drupal.org/SA-CORE-2013-003 for information about the recommended .htaccess file which should be added to the files directory to help protect against arbitrary code execution.

I have tested and can confirm this infection is not in the Drupal database because clearing the database does not fix the infection.

I can see the infection is somewhere in Drupal core, as overwriting Drupal core removes the infection, i.e. those hidden links.
However, it is important to note that I actually updated some of my infected Drupal sites only a few weeks ago. Obviously, Drupal core got infected shortly after the update as the malicious php file was not removed.

In one of my sites, I am using a custom theme, and replacing Drupal core did not remove those hidden links. In the custom theme I was using, the hidden links are found in /themes/page.tpl.php

If you experienced a similar hack/infection on your Drupal site, make sure you remove all malicious php files or else the hidden links will surely come back.

This is a good learning experience for me and it shows the importance of updating your Drupal core and contributed modules.
My experience shows that ignoring the red warning messages and leaving unmaintained Drupal sites on your public server is not a good idea at all.

If you have any comments on this topic, I would be interested to hear from you. Please comment on this thread.

Chun Ming (Eric) Wong
Managing Director
Drupal/Ubercart based Live parcel tracking system by Portable Electronics Ltd

ericwongcm:

Sigh... the infection came back somehow.

Further investigation shows this file, page.tpl.php, from all themes folders is infected with the link.
And all the page.tpl.php files are set to 755 permissions instead of 644.
This means replacing infected files is not sufficient; the file permissions for the replaced files must also be re-configured.

Update: looks like I missed one malicious php file...

Chun Ming (Eric) Wong
Managing Director
Drupal/Ubercart based Live parcel tracking system by Portable Electronics Ltd

ghoglund:

Remove the injected files.
cd /var/www/html/includes
find . -mtime tid -type f -print           # review the list first; -mtime takes a whole number of days, not a calendar date
find . -mtime tid -type f -exec rm {} \;
Where tid is the date you were infected

Manually remove the directories

Delete the inserted text links in:
/var/www/html/themes/anytheme/maintenance-page.tpl.php
/var/www/html/themes/anytheme/page.tpl.php
/var/www/html/themes/anytheme/template.php
/var/www/html/themes/anytheme/templates/maintenance-page.tpl.php
/var/www/html/themes/anytheme/templates/page.tpl.php

/var/www/html/sites/all/themes/anytheme/page.tpl.php
/var/www/html/sites/all/themes/anytheme/html.tpl.php
/var/www/html/sites/all/themes/anytheme/templates/maintenance-page.tpl.php
/var/www/html/sites/all/themes/anytheme/templates/page.tpl.php
/var/www/html/sites/all/themes/anytheme/templates/html.tpl.php

and so forth.

BUT the files are injected and the question is how, just as you said yourself?
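Added example, not from either poster: a Python triage script covering the points raised in the comments above (templates left at 755 instead of 644, files modified around the infection date as in the `find -mtime` step, stray `.php` files in core directories, and files absent from a pristine Drupal tree). It only reports and deletes nothing, because the thread shows that removing symptoms while a dropper survives leads to reinfection. The directory list, the 644 expectation and the constructed sample tree are assumptions made for the example, not Drupal rules.

```python
import os
import stat
import tempfile

# Assumptions for this example (not a Drupal rule): in a stock Drupal 6/7 tree these
# top-level directories hold .inc/.module/.tpl.php files, so a plain *.php dropped
# there is unusual; theme templates are normally mode 644.
SUSPECT_DIRS = {"includes", "modules", "scripts", "misc"}
EXPECTED_FILE_MODE = 0o644


def audit_tree(root, infected_after, known_good=None):
    """Walk a Drupal docroot and return {relative_path: [reasons]} for files worth triage.

    infected_after: epoch seconds; anything modified at or after it is listed.
    known_good: optional set of relative paths from a pristine Drupal tarball; files
    outside it are listed. Nothing is deleted here.
    """
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            top = rel.split("/")[0]
            st = os.stat(path)
            mode = stat.S_IMODE(st.st_mode)
            reasons = []
            if name.endswith(".php") and mode != EXPECTED_FILE_MODE:
                reasons.append("mode %o instead of %o" % (mode, EXPECTED_FILE_MODE))
            if st.st_mtime >= infected_after:
                reasons.append("modified at or after infection date")
            if top in SUSPECT_DIRS and name.endswith(".php") and not name.endswith(".tpl.php"):
                reasons.append("plain .php under %s/" % top)
            if known_good is not None and rel not in known_good:
                reasons.append("not in pristine Drupal tree")
            if reasons:
                findings[rel] = reasons
    return findings


def build_sample_tree(base):
    """Create a constructed docroot mimicking the thread: a clean core file, an infected
    template left at 755, and a dropped PHP file in scripts/. Returns the 'pristine' set."""
    old, new = 1_400_000_000, 1_409_000_000   # constructed epoch times: before/after infection
    layout = {
        "includes/bootstrap.inc": (0o644, old),
        "modules/system/page.tpl.php": (0o755, new),
        "scripts/constructed-dropper.php": (0o644, new),
        "scripts/run-tests.sh": (0o644, old),
    }
    for rel, (mode, mtime) in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.chmod(path, mode)
        os.utime(path, (mtime, mtime))
    return {"includes/bootstrap.inc", "modules/system/page.tpl.php", "scripts/run-tests.sh"}


def run_demo():
    """Build the constructed tree in a temporary directory and audit it."""
    base = tempfile.mkdtemp()
    pristine = build_sample_tree(base)
    return audit_tree(base, infected_after=1_408_000_000, known_good=pristine)


if __name__ == "__main__":
    for rel, why in sorted(run_demo().items()):
        print(rel, "->", "; ".join(why))
```

On a real docroot, build `known_good` from a freshly unpacked tarball of the same Drupal version (`os.walk` over it, relative paths), and take `infected_after` from the first suspicious access-log entry rather than guessing. Files that pass every check still get reviewed if they are templates, since the thread shows the hidden links were re-injected into files that looked legitimate.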

ghoglund:

Numerous entries like those at the infection time:

5.45.64.205 - - [29/Aug/2014:13:41:02 +0200] "GET /includes/cfgdatald7pgc4.php HTTP/1.1" 200 40844 "-" "Mozilla/6.0 (Macintosh; Intel Mac OS X 10.6; rv:16.0) Gecko/201001010111 Firefox/16.0"

5.45.64.205 - - [29/Aug/2014:13:41:04 +0200] "POST /includes/cfgdatald7pgc4.php HTTP/1.1" 200 41477 "-" "Mozilla/6.0 (Macintosh; Intel Mac OS X 10.6; rv:16.0) Gecko/201001010111 Firefox/16.0"
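Added example, not part of ghoglund's post: a Python parser for Apache combined-format lines like the two above. It groups direct requests to `.php` files under core directories by client IP, notes POSTs (a POST to a file that should never be requested directly is the strongest signal in this thread) and the odd `Mozilla/6.0` token. The first two sample lines mirror the quoted ones; the rest are constructed normal traffic on documentation IP ranges, and the directory list is an assumption.

```python
import re
from collections import defaultdict

# Constructed log sample: the first two lines mirror the entries quoted above, the rest
# are made-up ordinary traffic (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
5.45.64.205 - - [29/Aug/2014:13:41:02 +0200] "GET /includes/cfgdatald7pgc4.php HTTP/1.1" 200 40844 "-" "Mozilla/6.0 (Macintosh; Intel Mac OS X 10.6; rv:16.0) Gecko/201001010111 Firefox/16.0"
5.45.64.205 - - [29/Aug/2014:13:41:04 +0200] "POST /includes/cfgdatald7pgc4.php HTTP/1.1" 200 41477 "-" "Mozilla/6.0 (Macintosh; Intel Mac OS X 10.6; rv:16.0) Gecko/201001010111 Firefox/16.0"
203.0.113.7 - - [29/Aug/2014:13:42:10 +0200] "GET /node/12 HTTP/1.1" 200 12345 "-" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/31.0"
203.0.113.7 - - [29/Aug/2014:13:42:11 +0200] "GET /misc/drupal.js HTTP/1.1" 200 5120 "http://www.mysite.com/node/12" "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/31.0"
198.51.100.9 - - [29/Aug/2014:13:50:00 +0200] "GET /scripts/sysdatas2e04.php?q=1 HTTP/1.1" 200 3000 "-" "Mozilla/5.0 (compatible; bingbot/2.0)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumption for this example: in a Drupal 6/7 docroot a browser has no reason to request
# a .php file directly under these directories (the legitimate entry point is /index.php).
NO_DIRECT_PHP = ("/includes/", "/modules/", "/scripts/", "/sites/", "/themes/", "/misc/")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(rec):
    """Return the list of reasons a parsed request deserves attention (empty if none)."""
    reasons = []
    path = rec["target"].split("?", 1)[0]
    if path.endswith(".php") and path.startswith(NO_DIRECT_PHP):
        reasons.append("direct PHP request under %s" % path.split("/")[1])
        if rec["method"] == "POST":
            reasons.append("POST to directly requested PHP file")
        if rec["status"] == "200":
            reasons.append("server answered 200, so the file exists and runs")
    # Heuristic: mainstream browsers send Mozilla/5.0; a 6.0 token is a hand-written UA.
    if rec["ua"].startswith("Mozilla/6.0"):
        reasons.append("implausible User-Agent token Mozilla/6.0")
    return reasons


def summarize(log_text):
    """Group suspicious requests by client IP: hit and POST counts, paths and reasons."""
    per_ip = defaultdict(lambda: {"hits": 0, "posts": 0, "paths": set(), "reasons": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        reasons = is_suspicious(rec)
        if not reasons:
            continue
        entry = per_ip[rec["ip"]]
        entry["hits"] += 1
        entry["posts"] += rec["method"] == "POST"
        entry["paths"].add(rec["target"].split("?", 1)[0])
        entry["reasons"].update(reasons)
    return {
        ip: {"hits": e["hits"], "posts": e["posts"],
             "paths": sorted(e["paths"]), "reasons": sorted(e["reasons"])}
        for ip, e in per_ip.items()
    }


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

Feed it the whole access log (`summarize(open(path).read())`); the earliest timestamp among the flagged requests is a good value for the infection date used when reviewing file modification times, and the flagged paths are the files to pull for analysis before anything is deleted.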