Fixing Hacked Drupal Website & Malware Removal Guide.

Drupal is one of the oldest & most secure CMS among the popular ones used today. It is built on PHP and powered by the open-source community. With its 2,500+ themes and 39,000+ modules, Drupal caters to over a million websites. However, multiple vulnerabilities were uncovered in Drupal this year, among them a series of RCE vulnerabilities dubbed Drupalgeddon. This has resulted in multiple hacked installations of Drupal within a few months, most of which were used to mine cryptocurrency. However, Drupal’s security team was quick to release the necessary patch updates. According to the book Cracking Drupal: A Drop in the Bucket:

Sadly, the reality is that you cannot simply rely on other Drupal users to keep the code safe. A surprising number of websites are configured insecurely. A similarly surprising number of contributed or custom modules and themes contain logical or programmatic vulnerabilities. You must pay attention if you are going to keep your site safe.

Drupal Hacked: Possible Outcomes of Drupal Hack

  • Phishing pages designed to steal sensitive info appear on the website.
  • Customers complain about malicious redirects.
  • Sensitive info like login and banking details is put up for sale on the darknet.
  • Gibberish content appears on the site due to the Japanese Keyword Hack, Pharma Hack, etc.
  • A ‘Your account has been suspended!’ message appears while logging in.
  • The Drupal site gets blacklisted by search engines.
  • The Drupal website becomes very slow & shows error messages.
  • Multiple malicious ads & Pop-ups appear on the site.
  • Users refrain from visiting the site due to a lack of trust.
  • A decline in user traffic and revenue.
  • New, rogue admins appear in the login database.

Drupal Hacked: Examples of Drupal Hack

When Drupal sites are hacked, affected users often turn to the community forums for help. One such example of a hacked Drupal site is given in the image below.

[Image: Drupal hacked example]


Drupal Hacked: Possible Causes of Drupal Hack

Drupal Hacked: Drupal SQL Injection

Drupal SQLi vulnerabilities can often be found within poorly coded modules. However, an SQLi within the core is pretty rare and dangerous. Such a flaw was once found within the Drupal core and was termed ‘Drupalgeddon’, even though Drupal used PDO (PHP Data Objects) to separate the static SQL request from the dynamic values.

// Static SQL with named placeholders; the values are bound separately.
$query = $db->prepare("SELECT * FROM users WHERE user = :user AND password = :password");
$query->execute(array(':user' => $_POST['user'], ':password' => $_POST['password']));
$account = $query->fetch();

Everything seems fine as the input is properly sanitized before reaching the database. However, the bone of contention lay within Drupal’s placeholder arrays. These were intended to give flexibility to module developers, as they allowed the structure of database queries to be altered dynamically.

db_query("SELECT * FROM {node} WHERE nid IN (:nids)", array(':nids' => array(13, 42, 144)));

Thereafter, the :nids placeholder would be expanded to match the number of arguments provided, like this:

SELECT * FROM {node} WHERE nid IN (:nids_0, :nids_1, :nids_2)

This feature, combined with the way PHP turns request parameters (GET, POST and cookies) into indexed arrays, could be abused. Drupal’s placeholder arrays would by default assume the $_POST['user'] parameter to be an array. Thereafter, the raw array string indexes would be used to generate the new placeholder names. As a result, the attacker can supply malicious values like Parameter: user[0 #], Value: foo. The resulting query would be:

SELECT * FROM {users} WHERE user = :user_0 #

The attacker thereby bypasses login authentication. Moreover, the attacker can even create new users by editing the parameter as user[0; INSERT INTO users VALUES 'MalUser', 'Passw0rd!', 'Administrators'; #]. It was a highly critical flaw as it affected Drupal’s core. What is more alarming is that a Metasploit module was also released to exploit this!
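The expansion step described above, as an added example that is not Drupal's code or part of the original article: a simplified model in which array keys end up in placeholder names, next to a version that re-indexes the array first. The function names expand_placeholders() and credentials_are_scalar() are hypothetical, and the input is constructed from the page's own user[0 #] / foo example.

```php
<?php
// Added illustration: a simplified model of array-placeholder expansion.
// It is not Drupal's code; expand_placeholders() is a hypothetical name.

function expand_placeholders(string $sql, array $args, bool $reindex): array {
    foreach ($args as $name => $data) {
        if (!is_array($data)) {
            continue;
        }
        // Hardened path: drop caller-supplied keys so only 0..n-1 remain.
        $items = $reindex ? array_values($data) : $data;
        $expanded = [];
        foreach ($items as $key => $value) {
            // The key becomes part of the placeholder name, i.e. of the SQL text.
            $expanded[$name . '_' . $key] = $value;
        }
        $sql = str_replace($name, implode(', ', array_keys($expanded)), $sql);
        unset($args[$name]);
        $args += $expanded;
    }
    return [$sql, $args];
}

// Second layer for a login form: credentials must be plain strings, never arrays.
function credentials_are_scalar(array $post): bool {
    return is_string($post['user'] ?? null) && is_string($post['password'] ?? null);
}

// Constructed input: the array PHP builds for the page's "user[0 #]" / "foo".
$post = ['user' => ['0 #' => 'foo'], 'password' => 'anything'];
$sql  = 'SELECT * FROM users WHERE user = :user AND password = :password';
$args = [':user' => $post['user'], ':password' => $post['password']];

[$before] = expand_placeholders($sql, $args, false);
[$after, $bound] = expand_placeholders($sql, $args, true);

echo "without re-indexing: $before\n";
echo "with re-indexing:    $after\n";
echo 'bound names:         ' . implode(', ', array_keys($bound)) . "\n";
echo 'login form accepts input: '
    . var_export(credentials_are_scalar($post), true) . "\n";
```

Without re-indexing, the "#" from the array key lands in the SQL text and comments out the password condition; with re-indexing, only integer suffixes can reach the query.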

Drupal Hacked: Drupal Access Bypass

A Drupal access bypass can result in users accessing resources not intended for them. The latest such vulnerability is tracked as SA-CONTRIB-2018-081. The cause is the JSON:API module 8.x-1.x for Drupal 8.x. It is primarily used for:

  • Accessing Drupal content and configuration entities.
  • Manipulating Drupal content and configuration entities.

In this case, the module doesn’t carefully check permissions while responding to certain requests. This can allow malicious actors with insufficient permissions to obtain sensitive info. Only GET requests can be used for this kind of attack.

Drupal Hacked: Drupal Cross-Site Scripting

Vulnerabilities like XSS and SQLi are fairly common in Drupal modules. The latest one in this series is SA-CONTRIB-2018-080. The E-Sign module was found to be vulnerable to XSS. The E-Sign module basically allows integrating Signature Pad into Drupal. At the time of writing this article, around 875 sites were using this module. The vulnerability arose due to a lack of input sanitization when a signature is displayed. Thereby, the attacker can test for XSS using the code <script>alert('XSS Found!')</script>. The vulnerable signature field would then spit out the message “XSS Found!”. This vulnerability can then be used by the attacker to:

  • Steal user cookies.
  • Redirect users.
  • Download malware on the end user’s device while visiting the Drupal site.

Drupal Hacked: Drupal Remote Code Execution

Drupal security has been haunted by a series of Drupalgeddon bugs. Drupalgeddon 3 is the latest one found this year. This allows unauthenticated users to run code on Drupal sites, although Drupalgeddon 2 also allowed RCE. However, to exploit this, the attacker needed the ability to delete a node. The complete request looked something like this:

POST /?q=node/99/delete&destination=node?q[%2523][]=passthru%26q[%2523type]=markup%26q[%2523markup]=whoami HTTP/1.1 […] form_id=node_delete_confirm&_triggering_element_name=form_id&form_token=[CSRF-TOKEN]

Here, on the pretext of deleting a node, the attacker injected the whoami command. The second line of code is for the CSRF token check. A CSRF token basically checks if the request has been generated on the same server. Thereafter, the attacker retrieves the form_build_id from the response, as seen in the code below:

POST /drupal/?q=file/ajax/actions/cancel/%23options/path/[FORM_BUILD_ID] HTTP/1.1 […] form_build_id=[FORM_BUILD_ID]

This finally triggers the exploit and the output of the whoami command is displayed. Therefore, the attacker can execute all kinds of commands to manipulate the server. What makes this RCE bug more severe is that an exploit for it has already been released!


Cleaning Hacked Drupal Website

Drupal Security: Block out Attackers

First, ensure that no login credentials are default or hard-coded. If any are, change them to secure random passwords. Thereafter, begin by securing the database of the site. Look out for rogue users in the admin table. Moreover, update the user passwords to lock out all the attackers. This can be done using the command:

update users set pass = concat('ZZZ', sha(concat(pass, md5(rand()))));

The menu_router table of Drupal is a ripe target for attackers to inject code. Make a copy and then compare it to a known-good version of the menu_router table. In case new rows, missing rows, or rows with gibberish content are detected, proceed to evaluate their contents. Common signatures of an attack such as “file_put_contents” or “assert” can be found within the access callback.
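One way to automate the comparison described above, as an added example that is not from the original article: it diffs a known-good copy of menu_router against the current table and flags the two callback signatures the page names. audit_menu_router() is a hypothetical helper and the rows are constructed sample data.

```php
<?php
// Added illustration; audit_menu_router() is a hypothetical helper and the
// rows below are constructed sample data, not taken from a real site.

// Function names the page lists as attack signatures in callbacks.
const SUSPICIOUS_CALLBACKS = ['file_put_contents', 'assert'];

// $baseline and $current map path => row; each row holds the menu_router
// columns access_callback and page_callback.
function audit_menu_router(array $baseline, array $current): array {
    $findings = [];
    foreach ($current as $path => $row) {
        if (!array_key_exists($path, $baseline)) {
            $findings[] = "new row: $path";
        } elseif ($row != $baseline[$path]) {
            $findings[] = "changed row: $path";
        }
        foreach (['access_callback', 'page_callback'] as $column) {
            $callback = strtolower(trim((string) ($row[$column] ?? '')));
            if (in_array($callback, SUSPICIOUS_CALLBACKS, true)) {
                $findings[] = "suspicious $column '$callback' on: $path";
            }
        }
    }
    foreach (array_keys(array_diff_key($baseline, $current)) as $path) {
        $findings[] = "missing row: $path";
    }
    return $findings;
}

// Constructed sample: a known-good copy and the table as found after an incident.
$baseline = [
    'node'       => ['access_callback' => 'user_access', 'page_callback' => 'node_page_default'],
    'user/login' => ['access_callback' => 'user_is_anonymous', 'page_callback' => 'drupal_get_form'],
];
$current = [
    'node'      => ['access_callback' => 'assert', 'page_callback' => 'node_page_default'],
    'tmp/x7f3q' => ['access_callback' => 'file_put_contents', 'page_callback' => ''],
];

foreach (audit_menu_router($baseline, $current) as $finding) {
    echo $finding, "\n";
}
```

On a real site the two arrays would be filled from the saved copy and the live table, keyed by the path column.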

Next, block access to sensitive folders. This can be done by creating a .htaccess file inside them. Within that file insert the following code:

Order Deny,Allow
Deny from all
Allow from

This snippet denies visitors access to those particular folders. The last line specifies which IPs to allow. Also look inside any .htaccess files that have been modified. In case any such file is found, make it a priority to clean it first.

Drupal Security: Find Infected Files

Now start looking for files on the hacked Drupal site that are infected with malware. Some common ones include:

  • index.php
  • .htaccess
  • web.config
  • Themes Folder
  • Modules Folder

Most of the time, attackers obfuscate the code in a format unreadable to humans. The base64 format is very popular among attackers. To check for base64 code, run the command:

find . -name "*.php" -exec grep "base64" '{}' \; -print &> hiddencode.txt

This command scans the PHP files for base64-encoded code and saves the matching lines and file names in hiddencode.txt. These can then be decoded using online tools for further analysis. Moreover, in the case of spam attacks, when gibberish is injected into every page of the hacked Drupal site, tools like phpMyAdmin can come in handy. They can be used to search for malicious code within multiple pages in one go.

[Image: searching for malicious code within pages using phpMyAdmin]
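As a follow-up to the base64 search above, an added example that is not from the original article: it finds long base64 string literals in PHP files and decodes them locally for review, without ever executing the decoded text. find_base64_blobs() and scan_tree() are hypothetical names, and the sample input is constructed and harmless.

```php
<?php
// Added illustration; find_base64_blobs() and scan_tree() are hypothetical names.

// Return decoded previews of long base64 string literals found in PHP source.
// The decoded text is only inspected as data, never executed.
function find_base64_blobs(string $source, int $minLength = 40): array {
    $hits = [];
    $pattern = '#[\'"]([A-Za-z0-9+/]{' . $minLength . ',}={0,2})[\'"]#';
    preg_match_all($pattern, $source, $matches);
    foreach ($matches[1] as $blob) {
        $decoded = base64_decode($blob, true);
        if ($decoded === false) {
            continue; // not valid base64 after all
        }
        $hits[] = [
            'encoded_length' => strlen($blob),
            // Replace non-printable bytes so the preview is safe to display.
            'preview' => substr(preg_replace('/[^\x20-\x7E]/', '.', $decoded), 0, 80),
            // Another decoding layer inside the decoded text raises priority.
            'nested' => (bool) preg_match('/base64_decode|eval\s*\(|gzinflate/i', $decoded),
        ];
    }
    return $hits;
}

// Walk a directory tree and report every .php file that contains such literals.
function scan_tree(string $root): array {
    $report = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->isFile() && strtolower($file->getExtension()) === 'php') {
            $hits = find_base64_blobs((string) file_get_contents($file->getPathname()));
            if ($hits) {
                $report[$file->getPathname()] = $hits;
            }
        }
    }
    return $report;
}

// Constructed sample: a harmless string encoded the way injected code often is.
$encoded = base64_encode('echo "constructed sample, nothing malicious";');
$sample  = '<?php eval(base64_decode("' . $encoded . '"));';
print_r(find_base64_blobs($sample));
```

Calling scan_tree() on the site root gives a per-file report; legitimate modules also embed base64 data, so each hit still needs review.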

Drupal Security: Restoring Files

After the malicious code is detected, remove it from the hacked Drupal pages. If you are unsure about any code, comment it out and contact the experts. Restore the pages from a backup. If a backup is unavailable, use a fresh copy. After the files are cleaned, clear your cache using the following command: drush cache-rebuild (Drupal 8) or drush cache-clear all (Drupal 7).

Drupal Hacked Mitigation

Update and Backup

Ensure that you are using the latest version of Drupal. The Drupal security team fixes critical flaws with each new update. This can be verified using the changelog. Moreover, avoid using disreputable plugins as they are likely to contain buggy code. Make sure to create a copy of the site. This could come in handy to restore the site after an attack. Updates and backups are the cheapest and most effective methods of securing a Drupal site.

Security Audit

A security audit can reveal critical loopholes within the Drupal site. Not all web admins can be experts in security. Therefore, services like Astra can take care of security for the web admins. Astra security audit and pen-testing can responsibly disclose severe threats on the site. This can allow web admins to take precautionary measures to prevent hacked Drupal sites. The Astra security audit simulates real-time attacks within a secure environment so that no harm is done to the site and, at the same time, critical vulnerabilities can be found. Security audits like Astra’s can find common vulnerabilities like the OWASP Top 10 within the Drupal site.

Drupal Malware Scanner and Firewall

New vulnerabilities are uncovered in Drupal each month. However, this doesn’t imply that Drupal sites will remain insecure. A firewall can prevent attackers from exploiting these flaws even if the Drupal site is vulnerable. However, it is important to choose the right firewall out of the multiple available ones on the market. Astra firewall is the one that stands out on all the parameters. It is highly robust and scalable. This means, be it small blogs or large e-commerce sites, Astra can secure them all. Moreover, Astra can honeypot the attackers and block common attacks.

Cleaning and fixing Drupal hacked sites is a laborious task. However, automation can come to the rescue. The Astra Drupal malware scanner can detect and remove malware from hacked sites within minutes. Moreover, it can patch the files automatically for the user.

About The Author

A computer nerd. Loves working with Sqlmap and BeEF (the software) ;) Has experience in wireless pen tests. Owns a chatbot on Pandorabots named Mark1. In free time he can be found saving some goals.
