Hey there,
I set up a Drupal site for a friend a while ago. This past weekend the site went down and the reason is that the entire database was completely deleted. I've had very little to do with the site since setting it up, but now I'm trying to figure out what happened.
The hosting company has pretty pitiful logs, but I've found a couple of suspicious entries. The most suspicious is that right before the site was first reported down, someone accessed /includes/database.mysql.inc. There's no referrer for this request. The same IP also accessed the /webform URL many times the previous day, and also either tried to or did edit a couple of nodes.
I can't for the life of me figure out any reason or way that one of the legit users of the site would access /includes/database.mysql.inc. Is that the source of any known vulnerability? There were very few registered Drupal users for the site, but it saw decent public traffic. The legit registered users knew how to add and edit nodes, but not really a whole lot more than that.
The reason that this is so important is that it was a campaign website and this happened a few days before the election. If we really were hacked then we'll probably need to get some authorities involved somehow, but I need to figure out what really happened first. Could it have been an accident by an authorized user? Is the webform module susceptible to SQL injection attacks?
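Added example, not part of the original post: a sketch of the log triage described above, assuming the host's access log is in Apache combined format. It reports the full activity of any IP that fetched a file under /includes/ with no referrer, and the status codes show whether each node edit request was refused or served; the sample lines, IPs and timestamps are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in Apache combined log format (the format is an assumption;
# IPs, timestamps and sizes are made up for illustration).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Nov/2010:14:02:11 +0000] "GET /webform HTTP/1.1" 200 5120 "http://example.org/" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2010:14:02:40 +0000] "POST /webform HTTP/1.1" 200 5300 "http://example.org/webform" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2010:14:09:03 +0000] "GET /node/12/edit HTTP/1.1" 403 812 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Nov/2010:09:15:00 +0000] "GET /node/3 HTTP/1.1" 200 9000 "http://example.org/" "Mozilla/5.0"
203.0.113.7 - - [02/Nov/2010:10:31:55 +0000] "GET /includes/database.mysql.inc HTTP/1.1" 200 14000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)"')
INC_RE = re.compile(r"^/includes/[^?]*\.inc$")   # include file requested by URL
EDIT_RE = re.compile(r"^/node/\d+/edit$")        # Drupal node edit form

def parse(log_text):
    """Yield one dict per parseable log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
            rec["status"] = int(rec["status"])
            yield rec

def triage(log_text):
    """Return activity for every IP that fetched an include file with no referrer."""
    by_ip = defaultdict(list)
    for rec in parse(log_text):
        by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        direct = [r for r in recs if INC_RE.match(r["path"]) and r["ref"] in ("", "-")]
        if not direct:
            continue
        report[ip] = {
            "direct_inc": direct,
            "webform_hits": sum(r["path"].startswith("/webform") for r in recs),
            "node_edits": [(r["path"], r["status"]) for r in recs if EDIT_RE.match(r["path"])],
            "timeline": [(r["ts"], r["method"], r["path"], r["status"]) for r in recs],
        }
    return report

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, "webform hits:", info["webform_hits"], "node edits:", info["node_edits"])
        for entry in info["timeline"]:
            print("  ", *entry)
```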