HOW TO CLEAN A HACKED DRUPAL WEBSITE

Home / Drupal development / HOW TO CLEAN A HACKED DRUPAL WEBSITE
25May
October 24th, 2020 01:04 pm May 25, 2019

Your Drupal site got hacked. Now what?

The worst case scenario has come to pass: a vulnerability somewhere allowed a malicious individual (or bot, more likely) to take over your site. The good news is: you have noticed it. Well, the bad news: You have to clean it up.

In this blog, I shall be showing you the necessary steps you need to clean your hacked drupal site, and also ways to prevent it from ever happening again.

How to know if your site has been hacked.

  • Host suspended your site for malicious activity
  • File modifications or Drupal core integrity issues
  • Unknown files under sites/default/files
  • Unexpected, slow, or abnormal site behavior
  • Malicious new users in the Drupal dashboard.
  • New nodes from an unauthorized user
  • Spam keywords in nodes and search engine content

STEP 1: IDENTIFY THE HACK

1.1 – SCAN YOUR WEBSITE

The first thing to do is to scan your site so as to see which files or data has been corrupted by the hack. There are several online scanners and Drupal extensions can also help you look for indicators of compromise, malicious payloads, and other security issues. Tools for checking security misconfigurations in Drupal could help you identify possible attack vectors.

  • Visit an online site scanner (e.g https://webscan.foregenix.com/)
  • Put your website and click “SCAN NOW”
  • If the site is infected, review the warning message.
  • Note any vulnerabilities, blacklists, and SSl certificate warnings

If you are hosting multiple sites on your server, I recommend scanning them all. Cross-site contamination is one of the leading causes of reinfections. See the Drupal Multisite  Docs for more info.

1.2 – CHECK MODIFIED FILES

New or recently modified Drupal files may be part of a hack. Your core, contributed, and custom modules should also be checked against known good copies to identify malware injections.

The quickest way to confirm the integrity of your Drupal files is by using git status (or another version control system) to check for changes, commit any new branches, and then roll back to the last known good set of code. You can also use the Hacked! module for Drupal to get a report of any integrity issues with your core files and modules.

1.3 – AUDIT USER LOGS

Verify and remove any unknown Drupal user accounts, especially administrators.

How to check for malicious users in Drupal:

  • Log into your Drupal admin interface (yoursite.com/user/login)
  • Click People on the menu.
  • Review the list, especially ones recently created under the Member For column.
  • Remove any unfamiliar users that were created by hackers.
  • Check the Last Access Time of legitimate users (may indicate compromised account).
  • Confirm any users that logged in at suspicious times.

1.4 – CHECK DIAGNOSTIC PAGES

If your Drupal site has been blacklisted by Google or other website security authorities, you can use their diagnostic tools to check the security status of your Drupal website. You can visit Safe Browsing Site Status to check your site transparency report.

If you have added your site to any free webmaster tools, you can check their security ratings and reports for your website.

STEP 2: REMOVE THE HACK

The best way to identify hacked files is by comparing the current state of the site with an old and clean backup. If a backup is available, you can use that to compare the two versions and identify what has been modified.

2.1 – CLEAN HACKED WEBSITE FILES

If any scans or diagnostic pages revealed malicious domains or payloads, you can start by looking for those files on your Drupal web server. If you use a version control system like git, you can rollback to a known good copy, delete new suspicious files, and checkout to revert any maliciously modified files.

By comparing infected files with known good files (from official sources or reliably clean backups) you can identify and remove malicious changes.

How to manually remove a malware infection from your Drupal files:

  • Log into your server via SFTP or SSH.
  • Create a backup of the site files before making changes.
  • Search your files for reference to malicious domains or payloads you noted.
  • Identify recently changed files and confirm whether they are legitimate.
  • Review files flagged during the core file integrity check.
  • Restore or compare suspicious files with clean backups or official sources.
  • Remove any suspicious or unfamiliar code from your custom files.
  • Test to verify the site is still operational after changes.

2.2 – CLEAN HACKED DATABASE TABLES

To remove a malware infection from your Drupal database, you need to open a database admin panel, such as PHPMyAdmin. You can also use tools like Adminer.

How to manually remove a malware infection from Drupal database tables:

  • Log into your database admin panel.
  • Make a backup of the database before making changes.
  • Search for suspicious content (i.e., spammy keywords, links).
  • Open the table that contains suspicious content.
  • Manually remove any suspicious content.
  • Test to verify the site is still operational after changes.
  • Remove any database access tools you may have uploaded.

You can manually search your Drupal database for common malicious PHP functions, such as eval, base64_decode, gzinflate, preg_replace, str_replace, etc. Note that these functions are also used by Drupal extensions for legitimate reasons, so be sure you test changes or get help so you do not accidentally break your site.

2.3 – REMOVE HIDDEN BACKDOORS

Hackers always leave a way to get back into your site. More often than not, we find multiple backdoors of various types in hacked Drupal sites.

Backdoors are usually embedded in files that are named just like legitimate files within the official Drupal framework but located in the wrong directories. Attackers can also inject backdoors into files like index.php and directories like /modules, /themes, /sites/all/modules, and /sites/all/themes.

Backdoors commonly include the following PHP functions: base64, tripslashes, eval, exec, location.href, file_get_contents, gzuncompress, move_uploaded_file, stream, e.t.c

2.4 – FIX MALWARE WARNINGS

If you were blacklisted by Google, McAfee, Yandex (or any other web spam authorities), you can request a review after the hack has been fixed. Google is now limiting known repeat offenders to one review request every 30 days. Be sure your site is clean before requesting a review!

How to remove malware warnings from your site:

  • Contact your hosting company and ask them to remove the suspension.
  • You may need to provide details about how you removed the malware.
  • Fill in a review request form for each blacklisting authority.
  • ie. Google Search Console, McAfee SiteAdvisor, Yandex Webmaster.The review process can take several days.

STEP 3: POST HACK

In this step , you will learn how to prevent your site from getting hacked in the first place (As the saying “prevention is better than cure”). Not just that. You will also learn the essential steps to securing your drupal site.

3.1 – UPDATE AND RESET

Outdated software is one of the leading causes of infection, and it is important to remove any known vulnerable extensions. Though Drupal uses a secure hashing algorithm to prevent passwords from being hacked, it’s always a good idea to reset passwords to ensure you are not reinfected if hackers have access to your credentials.

1.Clear active sections: To clear active sections follow the following steps:

  • Log into your database admin panel.
  • Open the sessions table.
  • Select Empty to remove all logs from the table.
  • All users should now be logged out.

2. Reset your API keys: Your API keys in Drupal should be reset to ensure they have not been compromised by the attackers. Additionally, if your website connects to external services (such as marketing services, payment gateways, and shipping providers) it is a good idea to create new API keys created for those services.

3. Update your site drupal core and extension: Update all Drupal software including core files, themes, and modules. To update drupal software, I recommend using DRUSH.

Drupal 8.7.0 is the latest drupal version (as of the date when this blog was written). Drupal 7 continues to receive updates for some known vulnerabilities. We recommend keeping an eye on the Drupal Security page for security alerts. Users on the 6.x branch or lower are no longer receiving security patches and strongly encouraged to upgrade to 8.7.0 ASAP.

How to manually update your site Drupal core files:

  • Make sure you have a recent backup of your site.
  • Click Configuration on the menu under Development select Maintenance mode.
  • Delete everything except for the sites folder and custom files.
  • Upload the new Drupal files, taking care not to overwrite custom files.
  • Run the update.php file in your browser.
  • Switch the site out of Maintenance mode and test.

4. Clear Cache: Once you are sure everything has been cleaned and updated, as with any update to your site, you should clear the Drupal cache so the latest version of your site is visible to everyone. I strongly recommend using Drush commands drush cache-rebuild (Drupal 8) or drush cache-clear all (Drupal 7).

How to manually clear the Drupal cache:

  • Log into your Drupal website.
  • Click Configuration on the menu.
  • Under Development click Performance.
  • Click the Clear all caches button.

5. Reset user credentials: You should reset all user passwords with unique, strong passwords to avoid reinfection.

How to reset passwords for Drupal user accounts:

  • Log into your Drupal administrator area.
  • Click People on the menu.
  • Click the Edit button under the Operations column for each user.
  • Change the user’s password.

3.2 – SET AND DOWNLOAD BACKUPS.

Backups function as a safety net. Now that your Drupal site is clean and you’ve taken some important post-hack steps, make a backup, download and safe keep it. Never store backups (or old versions) on your server; they can be hacked and used to compromise your real site.

3.3 – SCAN YOUR COMPUTER

Scan your operating system with a reputable anti-virus (Avast, Avira, microsoft Security essential)

Drupal can be compromised if a user with an infected computer has access to the dashboard. Some infections are designed to jump from a computer into text editors or FTP clients.

3.4 – PROTECT YOUR SITE

You can harden your Drupal site by restricting file permissions and implementing custom .htaccess or nginx.conf rules. We recommend reviewing the Drupal Security Docs to learn how.

There are a number of modules and tools that can help you protect your Drupal site and prevent a future hack. Many are free and can make it easier to manage specific aspects of website security.

For any further help cleaning your hacked site or preventing your site from getting hacked, contact Stafflancer @ info@stafflancer.com

Tags:
Christopher Akinboboye

Christopher is the founder and CEO of Stafflancer, a development studio specialized in web, and application development. He is a self thought Drupal and wordpress developer, Business management and Project management. He has used his experience to help clients all over the globe to maximize their profits through the development of outstanding digital projects

Related Posts

14Feb5 essential components of a performing website
+
December 8th, 2021 10:09 am February 14, 2021
5 essential components of a performing website
Purpose and Objective of the site: It’s absolutely essential to actually define the objectives of your website before you do anything else, as this will drive everything that follows. As strange as it may sound, I have had some potential clients who want to develop websites but have no idea what they want, and instead,...
Continue reading
1JanTop 10 Drupal modules to have
+
December 8th, 2021 09:57 am January 1, 2021
Top 10 Drupal modules to have installed for your new Drupal 9 websites.
Firstly, let me take this opportunity to wish everyone reading this post a very happy new year from the Stafflancer family. With Drupal 8 end of life scheduled to be on the 2nd of November 2021, and Drupal 7 end of life extended till November 2022, it makes absolute sense to start new drupal projects...
Continue reading

Leave a Reply

About

Our Mission is to deliver custom IT solutions for our customers, while being transparent, and open, so that our customers could follow and participate. 

Reviews

Get in touch

We'd love to hear from you. Follow us on social media for our latest contents.

+38 067 663 4814
+38 067 663 4814
info@stafflancer.com
info@stafflancer.com
Follow Us:
Follow Us:

Copyright © 2020 All rights reserved. Stafflancer

Privacy Policy     |      Cookies Notice     |     T & C 

Share via
Facebook
Twitter
LinkedIn
Mix
Email
Print
Copy Link
Powered by Social Snap
Copy link
CopyCopied
Powered by Social Snap