I have been asked to support an old version of Drupal (4.7.4) which has been infected with JS:Redirector-G.
I have downloaded the site and run TextCrawler, which identified 17 infected files.
I’ve removed the code and write protected the files in case it was a SQL injection attack. If it is an FTP based attack that won’t prevent it happening again but at least I can identify the files and rectify it quickly now. Once this has been fixed I'll upgrade but I need to find the problem first.
The problem is that the code is still showing up in the browser right after the tag, and I need to find where this is in the code or database.
These are some of the corrected files; I have checked that they are still uninfected:
\misc\autocomplete.js
\misc\collapse.js
\misc\drupal.js
\misc\progress.js
\misc\textarea.js
\misc\update.js
\misc\upload.js
\modules\epublish\epublish.js
\modules\event\event.js
\modules\img_assist\img_assist.js
\modules\img_assist\img_assist_textarea.js
\modules\img_assist\img_assist_tinymce.js
\files\videos\edit_dates\flashobject.js
\modules\img_assist\drupalimage\editor_plugin.js
\modules\img_assist\drupalimage\editor_plugin_src.js
Index.php
\Sites\default\settings.php
Can anyone tell me how the page is generated and where this could be coming from? It has been inserted between the end of the and the start of the tags.
Thanks
M
Comments
Urgent
This is happening with a new installation of the latest 5x Drupal as well as other pages/scripts.
For some pages/scripts, cleaning the index files (index.php, index.html, etc.) corrects the thing, but in Drupal it apparently still persists even after cleaning the index files or freshly uploading the JS files.
This issue is reported in the avast forums also (do a Google search on JS:Redirector-G).
The hosts say they have no other CGI, files etc. that can cause this, and apparently checking the web directory gives no suspicious file.
How can an internal search be made on the Drupal files? Downloading and searching by Windows search do not show the malicious code.
What are the possible files that can give rise to the code when the page is generated?
Someone please help, as this is causing the AV of many legit users a problem in visiting the sites.
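
The re-check described in the original post (confirming that cleaned files are still uninfected) and the comment's question about searching without knowing the injected string can both be done by comparing file hashes against a known-good copy. This is an added example, not part of the thread; the function names, the watched-extension list and the use of a cleaned copy or an unmodified release of the same Drupal version as the baseline are assumptions.

```python
# Added example (not from the thread): compare a downloaded site copy against
# a known-good tree. Covers files only; content stored in the database is not
# examined.
import hashlib
import os

# Extensions worth tracking on a PHP site; an assumption, extend as needed.
WATCHED = (".js", ".php", ".html", ".htm", ".inc", ".module", ".htaccess")


def build_manifest(root):
    """Map each watched file's path (relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WATCHED):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def compare(baseline, current):
    """Return files changed, added or removed relative to the baseline."""
    changed = sorted(p for p in baseline
                     if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"changed": changed, "added": added, "removed": removed}


if __name__ == "__main__":
    import sys
    # Usage: python sitecheck.py <known-good-dir> <current-download-dir>
    report = compare(build_manifest(sys.argv[1]), build_manifest(sys.argv[2]))
    for kind, paths in report.items():
        for path in paths:
            print(f"{kind}\t{path}")
```

Files reported as changed or added are the ones to open and inspect by hand; re-running the comparison after each fresh download shows whether a cleaned file has been modified again.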