Basics

Attacks can happen in a variety of ways. Even if the only web application running on your server is Drupal, it's possible that the attacker used a different method of gaining access to your server to deface your site.

Rule out other attack vectors

  • May not be Drupal at all, but FTP, ssh, or other attack vectors.
  • Check if you weren't defaced directly using your FTP account. Many attacks are now coming from virus affected computers, specifically if you are using Total Commander with saved passwords. Symptoms for this type of attack: Your site now prints a "PHP Parse error: parse error" message in index.php and you find a strange <iframe> or <script> in index.php with a link to some .cn domain. Disconnect your computer from the Internet in that case, install antivirus software, perform a scan, delete all passwords from Total Commander and change all your passwords, including FTP and system accounts.
  • Check Apache's logs for suspicious activity. This might indicate a vulnerability in a web application and possibly Drupal.
  • Other applications on the server
  • Other accounts on a shared server
  • Make sure you are not running an out-of-date Drupal version
  • Check the recent security announcements for Drupal core and contributed modules. Would any of them enable the kind of attack that happened to your server?

Template of what to report to the Drupal security team

You may report the problem to the security team. However, unless you have specific information about Drupal code that is involved in the site being hacked, this report will only be used to look for common patterns that might indicate a widespread vulnerability. The Drupal Security Team is not able to provide individual support, and can not help you to recover your site.

  • Drupal version
  • List of contributed modules and their versions
  • Apache/PHP versions
  • Do you maintain your site via FTP? If not, is your site accessible using FTP?
  • Name of your hosting company
  • Permissions on the files in your Drupal directory (e.g. from ls -l in the Drupal installation directory)

Please visit http://drupal.org/support to see what your support options are if you need more assistance.