This is my first post. My drupal site has been hacked and i have a index.php in the drupal folder coming out with the following content

BY iSKORPiTX
(TURKISH HACKER)
ALEMiN KRALI
best regards to all world

Now all other folders seem intact. I have lost cpanel at the moment and using ftp to check folders and modified files. is there a way to restore the original index.php. if not whats the best way to retrieve the site as it is?

Cheers,
pracas

Comments

yelvington’s picture

First, you should work with your hosting company to secure the server.

All of your content is stored in the database, so there's no reason you can't replace the Drupal files with a fresh copy. But get your server secured first. That's the source of your problem.

RonB’s picture

I was also hacked yesterday. Uploading a fresh copy of the index.php file from the version you're running (6.19 in my case) seems to fix everything again. My CPanel didn't seem to want to replace the file, but it let me delete it before uploading a fresh copy. While the prank seems childish, it points out the need for caution and tighter security.

pracasrv’s picture

ok... Now my hosting provider has been attacked on the whole and their support pages throw up the same hacked message as well however they seem to be restoring. So replacing the index.php is all that is required? I've been having this site for a year and half now and have modified and installed many plugins. And how does one find the exact version of drupal without cpanel? - i know this is silly but i can't remember which one it is excepting that it is drupal6 and i dont have any copied on my local machine as i had used fantastico. errr... i hate the hackers... and there was nothing even remotely challenging about hacking my site!

ryivhnn’s picture

View changelog.txt, the top entry will tell you what version of Drupal it is. If you still can't get your cpanel use ftp, seeig as that's not relying on pages and scripts to be working (just the server to recognise your username and password and let you look at and transfer files) you should be able to connect that way.

works at bekandloz | plays at technonaturalist

ryivhnn’s picture

Ahh the pathetic luser didn't just run his lame scripts on two (of my more than two) Drupal sites. How unfortunate. Use ftp rather than cpanel to reupload the index.php (or the entire Drupal core and replace your /sites folder with a backup if you're feeling particularly paranoid), that should connect if cpanel isn't.

I'm rather pissed off at the prat actually, kept me up half an hour later than I wanted to be as I was working on one of the sites and had to wait before finding out there was a problem, applying the two second fix and then only getting part of what I wanted to do done as I was tired and wanted to go to bed.

works at bekandloz | plays at technonaturalist

pracasrv’s picture

Ok. I've now managed to replace the index.php file and got the site back up. If i update drupal now, will it fix any missing files / links / other things that were broken while keeping the contents intact?

Codeblind’s picture

What you're probably experiencing is a server-wide privilege escalation leveraged attack. The gist of that is when someone gets a script to run as root or some other highly privileged user and uses it to overwrite or alter files with something it likes better. Typically they go after all index files on all the accounts on the server, so fixing your index file is often enough to undo the damage. But it can't hurt to reinstall and/or update core and all your modules if you're concerned about it. You might want to look for scripts hiding out here and there. I think Drupal creates htacces files that disable script execution in your files directory, but if they can overwrite your index file, they can overwrite your htaccess file.

And, of course, if your host hasn't fixed whatever hole the attackers used, they may run the attack again and you'll have to start all over.

Anonymous’s picture

I had a client recently whose host was compromised in this manner. In fact, it was the same exact text.

What the script basically did was add various "home" files to each user's web root.

Just to be safe, I reinstalled core and all of their modules. I also checked the database to make sure it wasn't compromised in some way and changed the DB password just in case it was read from settings.php.

Their host admitted shortly after it was brought to their attention that the compromise was on their end.