Cron executed from another location

do you have the exact php code?

Fatal error: Class 'Drupal' not found in /srv/www/htdocs/sites/all/modules/custom/...

I am running Drupal 7.39...

if I try the code to get my current cron.key I do get it back.

define('DRUPAL_ROOT', getcwd());

include_once DRUPAL_ROOT . '/includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);

dpm(variable_get('cron_key', 'drupal'));
}

I also (since the issue) updated my key to a different one.

No, I understand that if the site does not run, cron will not run (I mean the drupal cron, as the service on the linux server will). I never run cron using the url unless I am testing something.

Now, What I do not understand is why on that cron run, it was picked up as the location of that other server. This is (I assume) what caused my code inside the hook_cron() to initialize the variable as the site in china ($base_root). This should not happen, even if I run cron using the url. And, even if they have my cron key (which I don't think is what happened), all they could do is run CRON until DOS... But how did they get to run cron as if it run on another server I have no idea...

Not into the logs.

here is some of the code from my hook_cron:

global $base_root;
 $query = new EntityFieldQuery();
  $query
    ->entityCondition('entity_type', 'test', '=')
    ->propertyCondition('status', '0', '=');
  $result = $query->execute();
 if(!isset($result['test'])) return;

 foreach($result['test'] as $record) {
....
 if($ent[$id]->email_notify == 1 ) {
      $user = user_load($ent[$id]->uid);
      custom_mod_dataupload_drupal_mail($from = 'myemail@dd.com',$user->mail , 'Your TEST has finished processing',
      "<html><head></head><body>Hi ".$user->name ."<br/> <p>Your TEST has finished Processing. Visit ".$base_root."/?q=mri/".$id. " to view it </p> <br/>Thanks</body></html>");

     }
}

I have a custom entity which I query, and based on certain conditions I send an email to certain users.
They were able to insert a url at that level. The expected value of $base_root is the url of the server where the code is located. They were able to fake that....

I have checked my site since then, Downloaded the hacked module, ran drush drupalgeddon, checked the database, but could not find anything on my code which will cause that behaviour. I also have this on the logs from about the same time:

I am running drupal 7.39 (not 8) The links you sent seem to apply to Drupal 8. I have no "Trusted host configuration" in default.settings.php. What can I do to protect my drupal 7 installation?

I do believe this is exactly what is happening.

Is this an issue with apache or drupal? or a confuguration problem?

Thanks, I will keep an eye after I make these changes to see if they don't happen again.

Thanks, that was really helpful.