Hello all!
I have a suspicious JavaScript before the closing html tag:

<script type="text/javascript">/* <![CDATA[ */(function(d,s,a,i,j,r,l,m,t){try{l=d.getElementsByTagName('a');t=d.createElement('textarea');for(i=0;l.length-i;i++){try{a=l[i].href;s=a.indexOf('/cdn-cgi/l/email-protection');m=a.length;if(a&&s>-1&&m>28){j=28+s;s='';if(j<m){r='0x'+a.substr(j,2)|0;for(j+=2;j<m&&a.charAt(j)!='X';j+=2)s+='%'+('0'+('0x'+a.substr(j,2)^r).toString(16)).slice(-2);j++;s=decodeURIComponent(s)+a.substr(j,m-j)}t.innerHTML=s.replace(/</g,'&lt;').replace(/>/g,'&gt;');l[i].href='mailto:'+t.value}}catch(e){}}}catch(e){}})(document);/* ]]> */</script>

I guess I am hacked. What should I do now? I am using Drupal 7.43.
Thanks

Comments

steeph’s picture

If you have a recent enough backup of both your files and database (that is also from before the site was compromised), then it is easy. Test your backup, delete everything, install the backup.

If you can't use the backup, use as much as you can, e.g. a current database backup with the files directory of an older backup, then get current versions of Drupal and the modules.

If you don't have a usable backup at all, you can attempt to remove all malicious code after closing all holes. Since malicious code can be anywhere and everywhere (in files and database), this is not a preferred approach. But if you want to do it, there are modules that compare all files in the codebase with what can be downloaded from drupal.org. Hacked! is one of these modules.

gutarim’s picture

Thank you for the answer!

It is Cloudflare hiding mailto links.
This code is present only on pages containing text with mailto links.
Spent hours figuring this out by restoring all backups and checking all files.
I hope it saves you time if you find this code on your pages.
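
The conclusion above can be checked offline. This added example (not part of the original thread and not Cloudflare's own code) re-implements the decoding steps of the posted script in readable form, so an href containing `/cdn-cgi/l/email-protection` can be confirmed to resolve to an ordinary e-mail address. The function names and sample addresses are constructed for illustration.

```javascript
// Path the posted script searches for in every <a href>.
const MARKER = '/cdn-cgi/l/email-protection';

// Mirror of the posted script's logic: after the marker and one separator
// character (28 characters in total), the first hex byte is an XOR key and
// each following hex byte is one key-XORed byte of the address. An 'X' ends
// the encoded part; anything after it is appended unchanged.
// Returns the decoded address, or null if the href is not such a link.
function decodeEmailProtectionHref(href) {
  const start = href.indexOf(MARKER);
  if (start === -1) return null;
  let j = start + MARKER.length + 1;
  if (j >= href.length) return null;
  const key = parseInt(href.substr(j, 2), 16);
  if (Number.isNaN(key)) return null;
  let percentEncoded = '';
  for (j += 2; j < href.length && href.charAt(j) !== 'X'; j += 2) {
    const byte = (parseInt(href.substr(j, 2), 16) ^ key) & 0xff;
    percentEncoded += '%' + ('0' + byte.toString(16)).slice(-2);
  }
  try {
    // Percent-decoding restores multi-byte UTF-8 characters correctly.
    return decodeURIComponent(percentEncoded) + href.substr(j + 1);
  } catch (e) {
    return null; // malformed byte sequence: not a valid encoded address
  }
}

// Inverse operation, used only to build constructed sample links.
function encodeEmailProtectionHref(address, key) {
  let hex = ('0' + key.toString(16)).slice(-2);
  for (const b of new TextEncoder().encode(address)) {
    hex += ('0' + (b ^ key).toString(16)).slice(-2);
  }
  return MARKER + '#' + hex;
}

// Constructed sample: an encoded link as it would appear in the page source.
const sampleHref = 'https://example.org' +
  encodeEmailProtectionHref('webmaster@example.org', 0x5a);
console.log(sampleHref, '->', decodeEmailProtectionHref(sampleHref));
```

If every such link on a page decodes to an address that the site's own content contains, the script is doing only what the last post describes.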