Hello I am getting some php files on my drupal that send email. This is only happening in one of the installations. I delete the files with clamav and new files with viruses come back. I am running Drupal 7 and it is completely up to date. When I look in the logs I see only one entry with the file name that is infected

somehost - - [11/Apr/2015:20:04:22 -0400] "POST /modules/views/help/general71.php HTTP/1.0" 200 96

/home/htdocs/mydrupal/modules/views/help/general71.php: PHP.Trojan.Mailer-1 FOUND

Could this be a folder permission problem? I have a ctools module and a views plugin and I keep getting the virus in those folders. Any suggestions on how to fix this?

Comments

nevets

I would change the server, ftp and Drupal admin passwords to make sure they are not the source of the problem.

Jaypan

https://www.drupal.org/node/643758

You can move the thread by editing the original post and choosing 'Post Installation' as the forum.

Thank you.

donm

We've had the same issue 3 times this past week. I traced the recurrence to 14 (!!!!) infected files inserted into the site back in Oct and Nov 2014, i.e., peak Drupageddon. Which I thought I had fixed back in December.

I fluked into a way to find those 14 missed files: Go to your server and zip the /sites folder. Download to a Windows machine. Don't unzip. Right click on the archive and run your virus checker (for me, it is Avast). For me, it showed the 14 files and their location. Most were placed in various module subfolders, with names such as admin.php. The file date is usually quite different from the module's own files, so delete the misfit.

The real shocker was to find the few lines of malicious code in the node.tpl.php file in my subtheme folder, i.e., a crucial page generation file. It is possible to edit out those lines. Or find a clean copy from the base theme folder and install.

Something I'm still investigating: it looks like when the original hack was done, the subtheme folder got rearranged. It now contains all the template folder files from the base theme folder. Which is possible, for override purposes, but I don't think I did that.

After the cleanup, I again zipped the /sites folder and Avast reported it clean. Probably a good idea to run another virus checker, too, as one may miss things. The Trojan found was PHP Backdoor.
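As an added example (not code from this thread, from Drupal or from ClamAV), a small Python script that turns two observations above into checks: the question's access-log entry is a POST straight to a .php file under modules/, which Drupal 7 normally never serves directly (everything goes through index.php), and donm's note that a dropped file carries a file date unlike the module's own files. The seven-day window, the constructed directory and the sample log lines are assumptions of the example.

```python
"""Locate suspicious PHP files dropped into a Drupal 7 tree.

Both checks are assumptions of this example, not a Drupal or ClamAV feature:
1. flag_access_log(): Drupal 7 serves requests through index.php, so a
   request hitting a .php file directly under modules/, themes/ or sites/
   (like the general71.php POST in the question) bypasses the front controller.
2. find_mtime_outliers(): a dropped file tends to carry a modification time
   far from its neighbours, so flag .php files whose mtime is more than
   `window` seconds from the median mtime of their directory.
"""
import os
import re
import statistics
import tempfile
import time
from pathlib import Path

DIRECT_PHP = re.compile(r'"(?:GET|POST) (/(?:modules|themes|sites)/[^" ]*\.php)[^"]*"')

def flag_access_log(lines):
    """Return paths of .php files requested directly, in log order."""
    return [m.group(1) for m in map(DIRECT_PHP.search, lines) if m]

def find_mtime_outliers(root, window=7 * 24 * 3600):
    """Return .php files whose mtime is > window from their directory's median."""
    outliers = []
    for dirpath, _dirs, files in os.walk(root):
        paths = [Path(dirpath) / f for f in files]
        if len(paths) < 3:  # too few siblings for the median to mean much
            continue
        median = statistics.median(p.stat().st_mtime for p in paths)
        for p in paths:
            if p.suffix == ".php" and abs(p.stat().st_mtime - median) > window:
                outliers.append(str(p.relative_to(root)))
    return sorted(outliers)

def demo():
    """Constructed module dir: three year-old files plus a freshly written admin.php."""
    root = tempfile.mkdtemp()
    mod = Path(root) / "modules" / "views" / "help"
    mod.mkdir(parents=True)
    old = time.time() - 400 * 24 * 3600
    for name in ("views.help.ini", "about.html", "general71.html"):
        (mod / name).write_text("legit")
        os.utime(mod / name, (old, old))
    (mod / "admin.php").write_text("<?php // constructed stand-in, not malware\n")
    log = ['somehost - - [11/Apr/2015:20:04:22 -0400] "POST /modules/views/help/general71.php HTTP/1.0" 200 96',
           'somehost - - [11/Apr/2015:20:04:23 -0400] "GET /index.php?q=node/1 HTTP/1.0" 200 5123']
    return find_mtime_outliers(root), flag_access_log(log)
```

Run `find_mtime_outliers("/home/htdocs/mydrupal")` against a real docroot and feed the web server's access log to `flag_access_log()`; a hit in both lists is a strong candidate for the dropped mailer, and a clean checkout of the module can confirm the file does not belong there.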