Lately we have been getting .php.tmp files in our Drupal tmp directory (C:\Windows\Temp), and our anti-virus catches them as trojans/viruses.

The date stamps on the files correspond to log entries where foreign IP addresses are trying to access /wordpress/ paths in our Drupal directory (which do not exist, so they get 404 errors).

I suspect the malware files are first uploaded, then are supposed to be moved/renamed and then run by the attacker by visiting the paths that are generating 404 errors. However, the files never get run because they never get copied out of the tmp folder, hence the 404 errors they get.

What confuses me is that I do not see any POST-related entries in the logs that would indicate how/where they are uploading these files to our site.

Has anyone else encountered this? I found one other forum post about it, however it did not seem to articulate HOW the files get uploaded or any resolution to stopping it. I understand there was a rotator that had security issues, but I do not think we are using that.

Our Drupal installation is running the latest updates, there is no FTP enabled, public registrations are not allowed...

Thanks in advance for any hints on how they are getting tmp files up there...

Comments

taslett’s picture

It certainly sounds like the site is hacked.
What version of Drupal are you running?
Is everything fine in /admin/reports/status, especially anything to do with files?
Is it possible the site was slow to upgrade last October 2014 for Drupalgeddon? https://www.drupal.org/project/drupalgeddon

kt2ssh’s picture

Actually, most Drupal pages accept POST requests with files (even the Drupal 404 page), so it would be easy to upload a file to tmp by just sending a POST request with a file to a Drupal page.

Maybe the hacker sends a POST request with malware (abc.php) to the user/login page first; the tmp file gets deleted by malware protection but Drupal still returns 200. Then the hacker wants to see if the file was uploaded, visits abc.php and gets a 404 error.
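One way to check kt2ssh's theory from the defender's side is to correlate the modification times of suspicious files in the temp directory with the web server access log, so that the POST that dropped each file shows up next to the 404 probe that followed it. The script below is an added example and is not part of the thread or of Drupal; it assumes Apache/NCSA combined log format, a 30-second correlation window, and the `.php.tmp` naming the original poster describes. The log lines, IP addresses (documentation ranges) and temp file names are constructed for the example.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Constructed sample access-log lines in combined format (not from the thread).
# A POST to the login page followed seconds later by a probe of a path that 404s.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2015:10:14:02 +0000] "POST /user/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2015:10:14:05 +0000] "GET /wordpress/abc.php HTTP/1.1" 404 1200 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2015:10:20:30 +0000] "GET /node/1 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Constructed listing of the temp directory as (file name, modification time in UTC).
SAMPLE_TMP = [
    ("php3A1F.php.tmp", datetime(2015, 3, 12, 10, 14, 2)),  # constructed suspicious upload
    ("normal.tmp", datetime(2015, 3, 12, 10, 20, 0)),       # constructed benign temp file
]

# Files whose name carries an executable extension before ".tmp" are worth a look.
SUSPICIOUS_NAME = re.compile(r"\.(php|phtml|php[3-7])\.tmp$", re.IGNORECASE)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Parse combined-format lines into dicts with a naive UTC timestamp."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        ts = ts.astimezone(timezone.utc).replace(tzinfo=None)
        entries.append({
            "ip": m.group("ip"),
            "ts": ts,
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status")),
        })
    return entries


def scan_tmp_dir(path):
    """Real-world counterpart of SAMPLE_TMP: list (name, mtime UTC) for a directory."""
    out = []
    with os.scandir(path) as it:
        for entry in it:
            if entry.is_file():
                mtime = datetime.fromtimestamp(entry.stat().st_mtime, tz=timezone.utc)
                out.append((entry.name, mtime.replace(tzinfo=None)))
    return out


def correlate(tmp_files, entries, window_seconds=30):
    """Map each suspicious temp file to the log entries within the time window."""
    window = timedelta(seconds=window_seconds)
    result = {}
    for name, mtime in tmp_files:
        if not SUSPICIOUS_NAME.search(name):
            continue
        nearby = [e for e in entries if abs(e["ts"] - mtime) <= window]
        if nearby:
            result[name] = nearby
    return result


def suspect_ips(correlated):
    """IPs that issued a POST near the creation of a suspicious temp file."""
    return {e["ip"] for hits in correlated.values() for e in hits if e["method"] == "POST"}


if __name__ == "__main__":
    hits = correlate(SAMPLE_TMP, parse_log(SAMPLE_LOG))
    for name, entries in hits.items():
        print(name)
        for e in entries:
            print(f"  {e['ts']} {e['ip']} {e['method']} {e['path']} {e['status']}")
    print("suspect IPs:", suspect_ips(hits))
```

Running it on real data means replacing `SAMPLE_TMP` with `scan_tmp_dir(r"C:\Windows\Temp")` and `SAMPLE_LOG` with the contents of the access log; the log timestamps must be in the same time zone as the file system times, which the conversion to UTC handles for logs that carry an offset. The POST requests the original poster could not find would appear in the output as the entries immediately preceding each 404 probe from the same IP.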