Early Bird Registration for DrupalCon Portland 2024 is open! Register by 23:59 PST on 31 March 2024, to get $100 off your ticket.
By gutarim on
Hello all!
I have a suspicious javascript before closing html tag:
<script type="text/javascript">/* <![CDATA[ */(function(d,s,a,i,j,r,l,m,t){try{l=d.getElementsByTagName('a');t=d.createElement('textarea');for(i=0;l.length-i;i++){try{a=l[i].href;s=a.indexOf('/cdn-cgi/l/email-protection');m=a.length;if(a&&s>-1&&m>28){j=28+s;s='';if(j<m){r='0x'+a.substr(j,2)|0;for(j+=2;j<m&&a.charAt(j)!='X';j+=2)s+='%'+('0'+('0x'+a.substr(j,2)^r).toString(16)).slice(-2);j++;s=decodeURIComponent(s)+a.substr(j,m-j)}t.innerHTML=s.replace(/</g,'<').replace(/>/g,'>');l[i].href='mailto:'+t.value}}catch(e){}}}catch(e){}})(document);/* ]]> */</script>
I guess, I am hacked. What should I do now? I am using Drupal 7.43
Thanks
Comments
If you have a recent enough
If you have a recent enough backup of both your files and database (that is also from before the site was compromised), then it is easy. Test your backup, delete everything, install the backup.
If you can't use the backup, use as much as you can, e.g. a current database backup with the files directory of an older backup, then get current versions of Drupal and the modules.
If you don't have a usable backup at all, you can attempt to remove all malicious code after closing all holes. Since malicious code can be anywhere and everywhere (in files and database), this is not a preferred approach. But if you want to so it, there are modules that compare all files in the codebase with what can be downloaded from drupal.org. Hacked! is one of these modules.
Thank you for answer!
Thank you for answer!
It is Cloudflare hiding mailto links.
This code is present only on pages containing text with mailto links.
Spent hours on figuring this out by restoring all backups and checking all files.
I hope it saves you time if you find this code on your pages.