I get message from my server host owner that my site is hacked and they had to close it. Now I should find the suspicious file with ftp but I don't find any. I have checked theme- and modules-files and no one is created or modified in last 3 month.

Can there be hidden files? Or how I can find where is the problem?

I have to tell that one reason that it was possible to hacked my site was I haven't updated my drupal for a while :/ Version is 7.21.

Problem is also that I haven't done my site. Theme is custom. I can't contact to developers and ask originall files. And of course I don't have good back ups..

Comments

nevets’s picture

Did they say why/how they think you were hacked?

wpk’s picture

No. Only message was that I should repair my corrupt php-files and remove all wrong files. So I don't have any idea which files I should check and remove.

wpk’s picture

Now I got message hacked file is includes/bootstrap.inc

Is it possible only replace core folder/files?

VM’s picture

yes. Though if any existing backdoors aren't taken care of the site will be hacked again regardless of updating the site to 7.41 and forward.

VM’s picture

A site running a version of Drupal below 7.32 beyond October 2014 was left open to the most significant security issue ever found in Drupal core. https://www.drupal.org/drupalsa05FAQ

I suggest a rebuild of the site. Replacing files won't be good enough as there are likely backdoors in your database. however, if you want to try and correct the issues manually there are many threads to read through and advice within them to react to.