Today I discovered a file on my host which I couldn't recognise, and contacted my host, who said they didn't know what this file was for: sites/all/themes/contrib/xmlwriter_end_document.php. It shows a box where a password should be pasted and a button with >>. Does someone know what this could be, please?
They looked at many of my other old test sites, both Drupal 6 and Drupal 7, and found these mysterious files:
But how can I be sure they are from a hacker and should be deleted, or that they are OK?
sites/all/modules/contrib/views/theme/end.php
sites/all/modules/contrib/views/modules/printf.php
sites/all/modules/contrib/kml/xmlwriter_write_element_ns.php
sites/all/modules/contrib/ctools/page_manager/js/session_register.php
sites/all/modules/contrib/ctools/images/array_walk_recursive.php
sites/all/modules/contrib/ctools/ctools_ajax_sample/strchr.php
sites/all/modules/contrib/advanced_help/ltrim.php
sites/all/modules/contrib/location/plugins/relationships/ob_get_length.php
sites/all/modules/contrib/date/theme/xmlwriter_end_dtd.php
sites/all/modules/contrib/devel/FirePHPCore/lib/is_resource.php
sites/all/modules/contrib/gmap/markers/iconv_mime_decode.php
sites/all/modules/contrib/gmap/markers/zend_logo_guid.php
sites/all/themes/contrib/tao/drupal/opendir.php
modules/statistics/get_class_methods.php
modules/syslog/quotemeta.php
modules/php/stream_get_transports.php
misc/constant.php
NOT Drupal
div/xmlwriter_write_pi.php
div/import_request_variables.php
div/bcpow.php
div/fprintf.php
div/s2g9b8.php
div/com_load_typelib.php
div/setlocale.php
div/xml_parser_free.php
div/json_decode.php
div/register_shutdown_function.php
div/xml_parser_create_ns.php
div/key.php
div/is_object.php
div/dj73eb.php
div/getservbyport.php
div/register_tick_function.php
div/tan.php
div/simplexml_import_dom.php
div/abs.php
div/rename.php
NEW_storelocator_v3_tutorial/strpos.php
NEW_storelocator_v3_tutorial/chr.php
NEW_storelocator_v3_tutorial/array_udiff_uassoc.php
NEW_storelocator_v3_tutorial/g0vpnug.php
NEW_storelocator_v3_tutorial/xmlwriter_end_attribute.php
NEW_storelocator_v3_tutorial/get_class.php
NEW_storelocator_v3_tutorial/hash_algos.php
NEW_storelocator_v3_tutorial/stream_wrapper_register.php
NEW_storelocator_v3_tutorial/cc5ul.php
NEW_storelocator_v3_tutorial/decoct.php
storelocator_v3_tutorial/in_array.php
storelocator_v3_tutorial/rawurlencode.php
storelocator_v3_tutorial/odbc_data_source.php
storelocator_v3_tutorial/str_shuffle.php
storelocator_v3_tutorial/fileinode.php
storelocator_v3_tutorial/stream_set_write_buffer.php
storelocator_v3_tutorial/gzencode.php
storelocator_v3_tutorial/token_get_all.php
storelocator_v3_tutorial/number_format.php
profiles/u9krgfm.php
profiles/xmlwriter_open_memory.php
sites/all/modules/views/css/iconv_strpos.php
sites/all/modules/views/css/ftruncate.php
sites/all/modules/cck/modules/optionwidgets/rsort.php
sites/all/modules/cck/translations/help/de/gzclose.php
sites/all/modules/location/handlers/basename.php
sites/all/modules/admin_menu/deg2rad.php
sites/all/modules/admin_menu/tests/getmyuid.php
sites/all/modules/admin_menu/date_modify.php
sites/all/modules/gmap/markers/small/fclose.php
sites/all/modules/gmap/markers/small/atan.php
sites/all/modules/gmap/tests/array_udiff.php
sites/all/modules/custom_links/ftp_delete.php
modules/statistics/chgrp.php
modules/search/pathinfo.php
themes/chameleon/chmod.php
misc/farbtastic/strtoupper.php
scripts/r9595p.php
profiles/dea5xlo.php
sites/all/modules/cck/modules/nodereference/translations/stream_set_timeout.php
sites/all/modules/cck/modules/content_copy/translations/session_module_name.php
sites/all/modules/cck/modules/content_permissions/filter_input_array.php
sites/all/modules/rules/getmyinode.php
sites/all/modules/node_import/supported/filefield/fseek.php
sites/all/modules/services/auth/is_double.php
sites/all/modules/services/services/user_service/debug_zval_dump.php
sites/all/modules/advanced_help/translations/array_uintersect_uassoc.php
sites/all/modules/devel/ini_get.php
sites/all/modules/user_force_term/basename.php
sites/all/modules/conditional_styles/translations/usort.php
modules/upload/readdir.php
modules/aggregator/array_diff.php
modules/views_bonus/paged_feed/ereg_replace.php
modules/php/readgzfile.php
themes/garland/assert_options.php
themes/chameleon/marvin/odbc_tableprivileges.php
scripts/yyj9e7.php
And a lot of other sites and files which I will not show now.
Best regards,
Tine
Comments
=-=
Most, if not all, of them aren't Drupal files. You can verify by downloading new copies of the modules and themes and comparing the contents.
That said, if files are being generated on your server account you need to find out how that is occurring and close that security hole. Else, when you delete the files they will likely be back again shortly after deletion. The Apache logs should be helpful in determining when those files were placed there. The files' dates and times should be helpful in filtering the logs.
Thanks a lot for trying to help.
I have found out that all these strange files, both online and offline, include "$default_action = 'FilesMan';", and my virus software rings if I try to send one of these files as an attachment to my shared host. I'm not sure what the hacker gets out of using these files, anyone?
But how do I get ALL this solved so I can be sure all infected files are deleted? My host says that these logs don't tell anything about how to stop these hackers, but what does the Drupal community do when these things happen to their users? Is there a step-by-step tutorial to get ALL this solved so I can do it myself and know and learn what to do the next time, please?
=-=
All files can be deleted and your Drupal files replaced with new downloads. You still have to figure out how your server was hacked, else it is likely you will be hacked again. If your host is saying that the logs won't help, you need to switch hosts. Logs can aid in better understanding how and when your server account was accessed. The time stamps on the current files should aid them in narrowing down where to look in the logs.
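The two checks suggested above (compare the install against a freshly downloaded copy, and record each odd file's timestamp so the access logs can be narrowed down), plus the "$default_action = 'FilesMan';" marker quoted later in the thread, as an added example script that is not part of this thread or of Drupal; the directory layout and planted file names in `demo()` are a constructed fixture:

```python
import hashlib, os, re, tempfile
from datetime import datetime, timezone
from pathlib import Path

# Marker quoted in the thread: the FilesMan web shell family sets this variable.
SHELL_MARKER = b"$default_action = 'FilesMan';"
# Short random-looking basenames such as s2g9b8.php (must contain a digit).
RANDOM_NAME = re.compile(r"^(?=.*\d)[a-z0-9]{5,7}\.php$")

def hash_tree(root):
    """Map relative path -> sha256 of content for every file under root."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            with open(full, "rb") as f:
                out[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return out

def find_suspect_files(site_root, pristine_root):
    """Return {relpath: {"reasons": [...], "mtime": iso8601}} for files needing review.
    pristine_root is a freshly downloaded copy of the same Drupal/module tree."""
    site, pristine = hash_tree(site_root), hash_tree(pristine_root)
    findings = {}
    for rel, digest in sorted(site.items()):
        full, name, reasons = os.path.join(site_root, rel), os.path.basename(rel), []
        if rel not in pristine:
            reasons.append("not in pristine copy")
        elif pristine[rel] != digest:
            reasons.append("differs from pristine copy")
        if RANDOM_NAME.match(name):
            reasons.append("random-looking name")
        with open(full, "rb") as f:
            if SHELL_MARKER in f.read():
                reasons.append("contains FilesMan marker")
        if reasons:  # keep the mtime: it is the key for narrowing the access-log search
            ts = datetime.fromtimestamp(os.path.getmtime(full), timezone.utc)
            findings[rel] = {"reasons": reasons, "mtime": ts.isoformat()}
    return findings

def demo():
    # Constructed fixture: a pristine module tree and a site copy with two planted files.
    base = Path(tempfile.mkdtemp())
    for root in ("pristine", "site"):
        (base / root / "modules" / "views").mkdir(parents=True)
        (base / root / "modules" / "views" / "views.module").write_text("<?php // genuine module code\n")
    (base / "site" / "modules" / "views" / "ltrim.php").write_text("<?php $default_action = 'FilesMan';\n")
    (base / "site" / "s2g9b8.php").write_text("<?php // constructed: random-looking name\n")
    return find_suspect_files(base / "site", base / "pristine")
```

Run it against the real site root and a fresh download of the same Drupal core and module versions; every reported path comes with the mtime to search the logs around.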
I have looked in many of the access logs from my host and used AVAST and FlashFXP to look in these sites, and they all include "$default_action = 'FilesMan';" and a lot of strange code, and they all come from one particular IP address.
One other file which I think he maybe uses is in sites/all/modules/contrib/ctools/ctools_plugin_example/plugins/hebrev.php and looks like this:
Could this be the hacker that made this?
Happy Christmas. :-)
=-=
If the file isn't included in the module in question, I would consider the file unsafe. To verify the files included in modules, you can download a new copy of the module.
It should NOT be there.
What do these hackers gain by placing all these PHP files on people's domains?
This includes http://www.unphp.net/decode/a2777f8adfdd2d44d738f6baf24c525a/, the same as some of my hacker's files, and until now they all come from this hacker: http://www.abuseipdb.com/report-history/95.211.22.216. I asked my shared host to search for this idiot and IP but am still waiting for an answer. People are enjoying Christmas, I think, but not me; I can't relax before all this is solved. :-(
=-=
Depends on what the files do when run.
Yes, but I don't think I can ever figure this out, but I keep on struggling to find a solution to all this.
I have read tons of threads on Google about Drupal sites being hacked and have found this great module: https://drupal.org/project/security_review. After running this on my sites I found "some files and directories in your install are writeable by the server"
Edited 5.1.2013, 14:02: I see that IGNOREME.txt does NOT have a timestamp so maybe all is OK then?
and a LOT of files are shown. The .htaccess file is 644. Contacted my host and they said I didn't need to change anything here, but I don't know?
"Unsafe file extensions are allowed in uploads". Looks like the hacker has given access to PHP files, which may be the reason he could upload all these PHP files, but I don't know. I have of course changed this now.
And a couple of more warnings which I still have to study.
=-=
I received your email (please don't contact me for personal support). I'm not sure what else I can help with here.
OK, sorry.
1. Edited 5.1.2013, 14:02: I see that IGNOREME.txt does NOT have a timestamp so maybe all is OK then?
2. and a LOT of files are shown. The .htaccess file is 644. Contacted my host and they said I didn't need to change anything here, but I don't know?
3. Does Drupal have something like a wiki page where they tell about all the things people should do to clean up their sites after a hacker, and about what these hackers gain out of doing this, and what the different kinds of attacks are called and what they do to your sites?
=-=
1. I can't answer. I've never used the security review module.
2. To better understand file permissions in Octal modes see: http://en.wikipedia.org/wiki/Chmod
3. No. A comprehensive wiki would be difficult to maintain, and most aren't Drupal-specific. At this point, no one can be sure what happened to your site is Drupal-specific either, as there isn't enough information about how the site/server was accessed. What hackers can gain can be researched on the interwebs, as well as what different types of attacks there are.
New login/password, database, FTP - how to remember best?
How do people remember ALL this info, and where do they keep this info so hackers do not get it? If you don't want to post it here, please send me a direct mail, thanks.
=-=
Good old-fashioned pencil and paper. However, a password is only as strong as the user makes it. Avoid dictionary words, numeric strings like birthdays and so on.
Also note that you should use SFTP (FTP over SSH) if possible, rather than FTP, as FTP itself is an insecure protocol.
Logfiles after hacker visit
I have now spent days cleaning up 2 log files from 2 different days from one of the hacked sites and from the hacker's IP address, and it looks like this:
http://tinemuller.dk/div/drupal6_hacked_30.10_2013_site_1.html
http://tinemuller.dk/div/drupal6_hacked_31.10_2013_site_1.html
Does this tell you anything, please?
=-=
Tells you that someone or something is trying to access the files from 95.211.22.216.
You should consider blocking the IP trying to access.
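The log review the thread ends on, as an added example that is not part of the thread: take a suspect file's modification time, pull the Apache combined-log entries from a window around it, and summarise which client IPs requested which paths in that window. The log lines, the window sizes and the address 203.0.113.5 (a documentation-range address, not the one named in the thread) are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" log format; the timestamp is %d/%b/%Y:%H:%M:%S %z.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def requests_around(lines, mtime, before=timedelta(minutes=30), after=timedelta(minutes=5)):
    """Entries whose timestamp lies in [mtime - before, mtime + after], i.e. around the
    moment a suspect file was written on disk. Returned sorted by time."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and mtime - before <= rec["ts"] <= mtime + after:
            hits.append(rec)
    return sorted(hits, key=lambda r: r["ts"])

def by_client(records):
    """Count requests per source IP and collect the distinct paths each one touched."""
    summary = {}
    for r in records:
        s = summary.setdefault(r["ip"], {"count": 0, "paths": set()})
        s["count"] += 1
        s["paths"].add(r["path"])
    return summary

# Constructed sample lines; the planted file path is one quoted in the thread.
SAMPLE_LOG = """\
198.51.100.7 - - [30/Oct/2013:10:02:11 +0100] "GET /node/12 HTTP/1.1" 200 5120
198.51.100.7 - - [30/Oct/2013:10:20:00 +0100] "GET /user/login HTTP/1.1" 200 2210
203.0.113.5 - - [30/Oct/2013:10:41:35 +0100] "GET /sites/all/modules/contrib/advanced_help/ltrim.php HTTP/1.1" 200 8451
203.0.113.5 - - [30/Oct/2013:10:42:10 +0100] "POST /sites/all/modules/contrib/advanced_help/ltrim.php HTTP/1.1" 200 8451
198.51.100.7 - - [30/Oct/2013:12:30:00 +0100] "GET /rss.xml HTTP/1.1" 200 9902
garbage line that does not parse
"""

def demo():
    # Assume the planted ltrim.php has mtime 10:41:32 (+0100) on 30 Oct 2013.
    mtime = datetime(2013, 10, 30, 10, 41, 32, tzinfo=timezone(timedelta(hours=1)))
    return by_client(requests_around(SAMPLE_LOG.splitlines(), mtime))
```

On a real log, feed the file's mtime from `stat` and read the lines from the rotated log that covers that day; the summary is what to hand the host when asking them to block an address.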