The last couple of months a lot of Drupal web sites were hacked, because of some kind of vulnerabilities existed in the code. There are still more 800.000 websites using Drupal 7, and thank god that the Drupal security team still supports and release security updates for this version.
Your site is based on Drupal 7 as well? Do you know if this is hacked? Are you sure? Read below 10 steps to follow to check if your Drupal site is hacked, using multiple tools.
Install the module Hacked which scans the Drupal core modules and code, as well as the contributed modules, to find if there are changes to their code. Hacked shows the changes in a separate screen, marking the changed modules with red color, so that it can be recognized easily, and because this is an ALERT.
If a module is changed, then remove it and reinstall it. The best way would be to completely uninstall it, but some times this is not possible to do. So, just replace it’s files.
Remember to disable this module when you finish all your checks, as this is a developer module and should not be enabled on a production website.
One more useful module to use is the Security Review, which makes a few tests on the files, settings.php config, user’s settings, MySQL errors and many other necessary checks. A misconfiguration on any of them might make your site insecure and easy to be hacked.
This module shows a list of all the checks it does, marking with red the failed ones and with green the secure ones. You better don’t have any red line there, but it is up to you to fix it or not.
Connect to your server using your terminal and maybe a secure connection using SSH. Go to the root of your website, where you can run a few commands to check all the website files.
To find if there are files that contain PHP code used to write files to your server using your apache user or attacks other websites, I use the following commands:
grep ‘@include’ ./* -R grep 'die(passthru' ./* -R grep 'base64_decode' ./* -R
The above commands will scan all the files, even those that are under any folder, to find a pattern, and will show you a list of them, with a part of the code. When you see this parts of code you will understand if these files are hacked. Most of the times the code is written with hex equivalent of each character, which when are decoded and executed create other files to spread their existence and to be more difficult for someone to track down.
You will find the hacking code at the first lines of the files and you have to remove it with an editor. You better use VIM or Nano, it depends with which one you are more familiar.
It happens a lot of times the hacking code to exist in the public folder where images are upload. Usually this is under sites/default/files folder.
To find if there are PHP files in this folder, run the following commands at the terminal:
cd sites/default/files find . | grep '.php'
The first command change the current directory where the user is to the sites/default/files. If your files are under a different path, then you have to change this command with your path.
The second command searches for all the files and folders that have .php in their name. If you find such files, then you better delete them, as they are not used by Drupal itself, and it is not a good place to have PHP files.
Check the .htaccess files to be the same with the ones that come with the Drupal archive and with Drupal.org guidelines. Maybe there are changes that you did a lot time ago that lets code to execute PHP files in a way it shouldn’t.
.htaccess files commonly they are under the Drupal root folder and under the public files folder (sites/default/files).
Clear all the files in the temporary folder and be sure that this is outside the root folder of your website.
If you are not sure about it, and your server is a Linux server, then use the /tmp of the system. To make this change you can go at the admin/config/media/file-system of your website and change the path at the Temporary folder field.
Check your Apache error logs for weird reports, such as a code that has Warnings or Errors because it can’t find a specific file in specific folder.
If you do not recognize that code, maybe it is a hacking code. You better check this out as well.
You found a few hacked files and you cleared them? That’s great. You better now chmod these files. I mostly change them to 644 which prevents anyone to write on these files but it remains executable by the owner.
This can be done in terminal by:
chmod 644 index.php
Uninstall and remove all those modules that you do not use any more. Check those JS libraries you installed once but didn’t fullfill your needs, and they remained in your website. Remove them all.
If you do, not only your website will be more secure, you will also gain some speed. If you want to test something or check a new module, you better do it on your development environment, and not on your production. You better play safe on that and you won’t regret it.
Let’s be honest. Most of the times a website is hacked is because the DevOps or the developers do not update the core code of the CMS, no matter which one you use.
It is not big deal to do that and keep your sites updated. There are available a lot of tools to help us do this job even faster, such as Drush, Composer and many others. Use them, create scripts to auto-update your sites. Even if your client doesn’t pay for that. You better have a good fame that the sites you develop and the tools you use are secure, than having a few websites hacked.