- May 17, 2019
- by Christopher
- Drupal Development, Web Development
Your Drupal site got hacked. Now what?
The worst-case scenario has come to pass: a vulnerability somewhere allowed a malicious individual (or, more likely, a bot) to take over your site. The good news: you have noticed it. The bad news: you have to clean it up.
In this post I will walk you through the steps needed to clean a hacked Drupal site, and the measures that keep it from happening again.
How to know if your site has been hacked
- Host suspended your site for malicious activity
- File modifications or Drupal core integrity issues
- Unknown files under sites/default/files
- Unexpected, slow, or abnormal site behavior
- Malicious new users in the Drupal dashboard
- New nodes from an unauthorized user
- Spam keywords in nodes and search engine content
STEP 1: IDENTIFY THE HACK
1.1 – SCAN YOUR WEBSITE
The first thing to do is to scan your site to see which files or data have been corrupted by the hack. Several online scanners, as well as Drupal modules, can help you look for indicators of compromise, malicious payloads, and other security issues. Tools that check for security misconfigurations in Drupal can also help you identify possible attack vectors.
- Visit an online site scanner (e.g. https://webscan.foregenix.com/)
- Enter your website URL and click “SCAN NOW”
- If the site is infected, review the warning message.
- Note any vulnerabilities, blacklists, and SSL certificate warnings
If you are hosting multiple sites on your server, I recommend scanning them all. Cross-site contamination is one of the leading causes of reinfections. See the Drupal Multisite Docs for more info.
1.2 – CHECK MODIFIED FILES
New or recently modified Drupal files may be part of a hack. Your core, contributed, and custom modules should also be checked against known good copies to identify malware injections.
The quickest way to confirm the integrity of your Drupal files is to use git status (or another version control system) to see what has changed, commit the changed state to a separate branch for later analysis, and then roll back to the last known good set of code. You can also use the Hacked! module for Drupal to get a report of any integrity issues with your core files and modules.
1.3 – AUDIT USER LOGS
Verify and remove any unknown Drupal user accounts, especially administrators.
How to check for malicious users in Drupal:
- Log into your Drupal admin interface (yoursite.com/user/login)
- Click People on the menu.
- Review the list, especially accounts created recently (see the Member for column).
- Remove any unfamiliar users that were created by hackers.
- Check the Last Access Time of legitimate users (may indicate compromised account).
- Confirm any users that logged in at suspicious times.
1.4 – CHECK DIAGNOSTIC PAGES
If your Drupal site has been blacklisted by Google or other website security authorities, you can use their diagnostic tools to check the security status of your Drupal website. You can visit Safe Browsing Site Status to check your site transparency report.
If you have added your site to any free webmaster tools, you can check their security ratings and reports for your website.
STEP 2: REMOVE THE HACK
The best way to identify hacked files is by comparing the current state of the site with an old and clean backup. If a backup is available, you can use that to compare the two versions and identify what has been modified.
2.1 – CLEAN HACKED WEBSITE FILES
If any scans or diagnostic pages revealed malicious domains or payloads, you can start by looking for those files on your Drupal web server. If you use a version control system like git, you can roll back to a known good copy, delete new suspicious files, and check out a clean revision to revert any maliciously modified files.
By comparing infected files with known good files (from official sources or reliably clean backups) you can identify and remove malicious changes.
How to manually remove a malware infection from your Drupal files:
- Log into your server via SFTP or SSH.
- Create a backup of the site files before making changes.
- Search your files for references to the malicious domains or payloads you noted.
- Identify recently changed files and confirm whether they are legitimate.
- Review files flagged during the core file integrity check.
- Restore or compare suspicious files with clean backups or official sources.
- Remove any suspicious or unfamiliar code from your custom files.
- Test to verify the site is still operational after changes.
2.2 – CLEAN HACKED DATABASE TABLES
To remove a malware infection from your Drupal database, open a database admin panel such as phpMyAdmin. Adminer is another option.
How to manually remove a malware infection from Drupal database tables:
- Log into your database admin panel.
- Make a backup of the database before making changes.
- Search for suspicious content (e.g., spam keywords, links).
- Open the table that contains suspicious content.
- Manually remove any suspicious content.
- Test to verify the site is still operational after changes.
- Remove any database access tools you may have uploaded.
You can manually search your Drupal database for common malicious PHP functions, such as eval, base64_decode, gzinflate, preg_replace, str_replace, etc. Note that these functions are also used by Drupal extensions for legitimate reasons, so be sure you test changes or get help so you do not accidentally break your site.
2.3 – REMOVE HIDDEN BACKDOORS
Hackers always leave a way to get back into your site. More often than not, we find multiple backdoors of various types in hacked Drupal sites.
Backdoors are usually embedded in files that are named just like legitimate files within the official Drupal framework but located in the wrong directories. Attackers can also inject backdoors into files like index.php and directories like /modules, /themes, /sites/all/modules, and /sites/all/themes.
Backdoors commonly use the following PHP functions and constructs: base64 functions (base64_decode in particular), stripslashes, eval, exec, location.href, file_get_contents, gzuncompress, move_uploaded_file, stream wrappers, etc.
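The file-side searches from sections 2.1 to 2.3 (suspicious function calls, code hiding under the uploads directory, recently changed files), scripted as an added example that is not from the original post. It assumes a Drupal docroot path as its argument, and the function list is the post's minus the calls (str_replace, preg_replace, file_get_contents) that appear throughout clean Drupal code:

```shell
#!/bin/sh
# Added example, not code from the original post: three quick checks from the
# post (search for backdoor-style functions, find PHP under the uploads
# directory, list recently changed files), run against a Drupal docroot.
# Everything reported still needs human review: legitimate modules use some
# of these functions too, so a hit is a lead, not proof of compromise.

# Functions the post names as common in backdoors, minus the ones (str_replace,
# preg_replace, file_get_contents) that appear all over clean Drupal code.
# shell_exec/system/passthru are added as the usual command-execution sinks.
SUSPECT_RE='(^|[^[:alnum:]_])(eval|base64_decode|gzinflate|gzuncompress|exec|shell_exec|system|passthru|move_uploaded_file)[[:space:]]*\('

# Print "path:line:text" for each suspect call in PHP-type files under $1.
scan_suspect_calls() {
    find "$1" -type f \( -name '*.php' -o -name '*.module' -o -name '*.inc' \
        -o -name '*.install' -o -name '*.theme' \) \
        -exec grep -nHE "$SUSPECT_RE" {} + 2>/dev/null || true
}

# Drupal never stores code under sites/*/files; any PHP found there is a
# strong indicator of an uploaded web shell and should be quarantined.
find_php_in_uploads() {
    find "$1" -path '*/sites/*/files/*' -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null || true
}

# Files modified in the last $2 days (default 7), ignoring user uploads.
# Compare each against git or a clean copy, as section 2.1 recommends.
recently_modified() {
    find "$1" -type f -mtime "-${2:-7}" ! -path '*/sites/*/files/*' 2>/dev/null || true
}

# Usage: sh drupal-scan.sh /var/www/drupal   (path is an assumed example)
if [ -n "${1:-}" ]; then
    echo "== suspect function calls";        scan_suspect_calls "$1"
    echo "== PHP under sites/*/files";       find_php_in_uploads "$1"
    echo "== files changed in last 7 days";  recently_modified "$1"
fi
```

Run it from a shell on the server; pipe the output to a file so you can diff it against a later run once the cleanup is done.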
2.4 – FIX MALWARE WARNINGS
If you were blacklisted by Google, McAfee, Yandex (or any other web spam authorities), you can request a review after the hack has been fixed. Google is now limiting known repeat offenders to one review request every 30 days. Be sure your site is clean before requesting a review!
How to remove malware warnings from your site:
- Contact your hosting company and ask them to remove the suspension.
- You may need to provide details about how you removed the malware.
- Fill in a review request form for each blacklisting authority.
- e.g. Google Search Console, McAfee SiteAdvisor, Yandex Webmaster.
The review process can take several days.
STEP 3: POST HACK
In this step you will learn how to keep your site from getting hacked in the first place (as the saying goes, prevention is better than cure), along with the essential steps to securing your Drupal site.
3.1 – UPDATE AND RESET
Outdated software is one of the leading causes of infection, and it is important to remove any known vulnerable extensions. Though Drupal uses a secure hashing algorithm to protect stored passwords, it is always a good idea to reset passwords so you are not reinfected if the hackers obtained your credentials.
1. Clear active sessions: To log every user out, clear the sessions table as follows:
- Log into your database admin panel.
- Open the sessions table.
- Select Empty to remove all rows from the table.
- All users should now be logged out.
2. Reset your API keys: Your API keys in Drupal should be reset to ensure they have not been compromised by the attackers. Additionally, if your website connects to external services (such as marketing services, payment gateways, and shipping providers), generate new API keys for those services.
3. Update Drupal core and extensions: Update all Drupal software, including core files, themes, and modules. To update Drupal software, I recommend using Drush.
Drupal 8.7.0 is the latest Drupal version (as of the date this blog was written). Drupal 7 continues to receive updates for some known vulnerabilities. We recommend keeping an eye on the Drupal Security page for security alerts. Users on the 6.x branch or lower are no longer receiving security patches and are strongly encouraged to upgrade to 8.7.0 ASAP.
How to manually update your site Drupal core files:
- Make sure you have a recent backup of your site.
- Click Configuration on the menu, then under Development select Maintenance mode and enable it.
- Delete everything except for the sites folder and custom files.
- Upload the new Drupal files, taking care not to overwrite custom files.
- Run the update.php file in your browser.
- Switch the site out of Maintenance mode and test.
4. Clear Cache: Once you are sure everything has been cleaned and updated, as with any update to your site, you should clear the Drupal cache so the latest version of your site is visible to everyone. I strongly recommend using Drush commands drush cache-rebuild (Drupal 8) or drush cache-clear all (Drupal 7).
How to manually clear the Drupal cache:
- Log into your Drupal website.
- Click Configuration on the menu.
- Under Development click Performance.
- Click the Clear all caches button.
5. Reset user credentials: You should reset all user passwords with unique, strong passwords to avoid reinfection.
How to reset passwords for Drupal user accounts:
- Log into your Drupal administrator area.
- Click People on the menu.
- Click the Edit button under the Operations column for each user.
- Change the user’s password.
3.2 – SET AND DOWNLOAD BACKUPS
Backups function as a safety net. Now that your Drupal site is clean and you have taken some important post-hack steps, make a backup, download it, and keep it somewhere safe. Never store backups (or old versions) on your server; they can be hacked and used to compromise your real site.
3.3 – SCAN YOUR COMPUTER
Scan your operating system with a reputable anti-virus (Avast, Avira, Microsoft Security Essentials).
Drupal can be compromised if a user with an infected computer has access to the dashboard. Some infections are designed to jump from a computer into text editors or FTP clients.
3.4 – PROTECT YOUR SITE
You can harden your Drupal site by restricting file permissions and implementing custom .htaccess or nginx.conf rules. We recommend reviewing the Drupal Security Docs to learn how.
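An added example, not from the original post or the Drupal project, that audits the file-permission side of this hardening for a Drupal docroot given as its argument: it reports world-writable paths, writable settings.php files, and sites/*/files directories lacking the .htaccess Drupal itself places there to stop uploaded PHP from executing under Apache (nginx needs an equivalent location rule in nginx.conf instead).

```shell
#!/bin/sh
# Added example, not code from the original post: audit the file-permission
# part of the hardening the post recommends, for a Drupal docroot given as $1.
# It reports one "CODE path" line per finding (no output means all clear):
#   WORLD_WRITABLE    - files/dirs writable by everyone on the host
#   SETTINGS_WRITABLE - sites/*/settings.php writable by anyone (should be
#                       read-only once the site is installed)
#   MISSING_HTACCESS  - sites/*/files without the .htaccess Drupal places
#                       there to stop uploaded PHP from executing (Apache;
#                       nginx needs an equivalent location rule instead)
# The files directory must stay writable by the web server user; the problem
# is "other"-writable, which lets any local account plant files in it.

check_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 2>/dev/null \
        | sed 's/^/WORLD_WRITABLE /'
}

check_settings_writable() {
    find "$1" -path '*/sites/*/settings.php' -type f \
        \( -perm -200 -o -perm -020 -o -perm -002 \) 2>/dev/null \
        | sed 's/^/SETTINGS_WRITABLE /'
}

check_files_htaccess() {
    for d in "$1"/sites/*/files; do
        [ -d "$d" ] || continue
        [ -f "$d/.htaccess" ] || echo "MISSING_HTACCESS $d"
    done
}

# Run all three checks; output is meant to be read by a human or diffed later.
audit_permissions() {
    check_world_writable "$1"
    check_settings_writable "$1"
    check_files_htaccess "$1"
}

# Usage: sh drupal-perms.sh /var/www/drupal   (path is an assumed example)
if [ -n "${1:-}" ]; then
    audit_permissions "$1"
fi
```

A missing files .htaccess is normally restored by Drupal itself on the next status report visit; if it keeps disappearing, something on the server is deleting it and that is worth investigating.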
There are a number of modules and tools that can help you protect your Drupal site and prevent a future hack. Many are free and can make it easier to manage specific aspects of website security.
For any further help cleaning your hacked site or preventing your site from getting hacked, contact Stafflancer @ info@stafflancer.com