Hello everyone,

I just wanted to post something I came upon today. It's in regards to a user that carries out the following:

Well, as the title states, this person carries out website defacement. So why am I posting it here? It seems that many of the sites targeted are Drupal sites.

You can see here all the sites that have been targeted: http://zone-h.org/archive/notifier=w4l3XzY3?zh=1
Facebook page: https://www.facebook.com/pages/W4l3XzY3/291609454215219
Twitter: https://twitter.com/w4l3xzy3

The modus operandi is to mark the website after hacking it. The mark is a text file with "w.txt", in your httpdocs directory.

It seems the hack is not only that, but the user gains admin access, probably carries out spamming of email through your site's email server, etc. If your site has that "w.txt" file, remove any file that is not supposed to be in httpdocs, and check for any .php files in /sites or any public directory. Please check using ssh or ftp; don't be a brute and try to check if the files exist through your browser, or you will cause their execution and who knows what that will do.

Hope this helps anyone.
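The check described in the post above, as an added example that is not part of the original post: a read-only shell function to run over SSH that lists the "w.txt" marker and PHP files that deserve a look, without ever requesting them through the web server. The Drupal 7 core file list, the `sites/*/files` upload path, the tag names and the 30-day default window are assumptions of this example.

```shell
#!/bin/sh
# Added example: read-only triage of a Drupal 7 docroot, run over SSH.
# Files are only listed by find, never requested over HTTP, so nothing executes.

# Assumption: the PHP entry points Drupal 7 core ships in the docroot.
CORE_ROOT_PHP="authorize.php cron.php index.php install.php update.php xmlrpc.php"

# scan_docroot DIR [DAYS]
# Prints "TAG path" per finding. Returns 0 if clean, 1 on findings, 2 if DIR is bad.
scan_docroot() {
    root=${1%/}
    days=${2:-30}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    findings=$(
        # 1. The marker file named in the post.
        find "$root" -maxdepth 1 -type f -name 'w.txt' | sed 's/^/MARKER /'

        # 2. PHP in the docroot that is not a core entry point.
        find "$root" -maxdepth 1 -type f -iname '*.php' | while IFS= read -r f; do
            case " $CORE_ROOT_PHP " in
                *" ${f##*/} "*) ;;
                *) echo "ROOT_PHP $f" ;;
            esac
        done

        if [ -d "$root/sites" ]; then
            # 3. PHP inside upload directories (sites/*/files), where Drupal 7 expects none.
            find "$root/sites" -type f -path '*/files/*' \
                \( -iname '*.php*' -o -iname '*.phtml' \) | sed 's/^/UPLOAD_PHP /'

            # 4. PHP elsewhere under sites/ changed in the last $days days (review by hand).
            find "$root/sites" -type f -iname '*.php' ! -path '*/files/*' \
                -mtime "-$days" | sed 's/^/RECENT_PHP /'
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: . ./scan.sh && scan_docroot /path/to/httpdocs 14
```

A RECENT_PHP line is only a prompt to compare the file against a clean copy of the module or theme; modification times can be reset, so an empty result does not prove the site is clean.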

Comments

VM’s picture

Please edit the post and move it to the 'post installation' forum.

Also of note, stating the version of Drupal in use would aid. If it's pre 7.32 then the issue is already widely discussed.

Anonymous’s picture

Oh I know it's been widely talked about, but I still thought anyone who hasn't patched or who thinks they are safe could at least check out if their site has the "w.txt" graffiti.