25 Years of Programming Community Forum
Topic: DRUPAL dPh HACK, HOW TO CLEAN MY DRUPAL INSTALL HACKED BY dV AND dCi
buythiscomputer
« on: June 28, 2012, 08:00:55 AM »

DRUPAL dPh HACK, HOW TO CLEAN MY DRUPAL INSTALL HACKED BY dV AND dCi PILLS ?

Hello, I am sorry to write this here as I cannot find any info about Drupal dPh hack, maybe it can be useful to others and maybe I can get some help?
Sorry also to start a new thread, I just realized that it might be better than writing in another one.

My Drupal website has been hacked and I found in the Drupal install "includes" folder a file named "ssl.inc".
Can you tell me what this file does, how it is run, and if everything is ok now that I have deleted it or if it will be created again to spam my website again?
It seems that only Google sees the dPh keywords as "dV" "dCi" etc... as they are not shown on my pages or in the source of my pages but I can see them when I check Google CACHE only.
Thank you for your help and experience about this DRUPAL dPh HACK. Here is what I can see in the "ssl.inc" file:

php function _1343129181($i)
{$a=Array('SFRUUF9VU0VSX0FHRU5U',
'R29vZ2xlYm90',
'SFRUUF9VU0VSX0FHRU5U',
'YmluZ2JvdA==',
'SFRUUF9VU0VSX0FHRU5U',
'bXNuYm90',...
;return base64_decode($a[$i]);

[reason for edit by SteveW: removed most of the malicious code]
« Last Edit: June 29, 2012, 02:07:38 AM by SteveW »
SteveW
« Reply #1 on: June 29, 2012, 02:15:07 AM »

Hello,

The code you posted from the ssl.inc file was malicious. It contained hyperlinks to about 50 websites selling those drugs. They were served when the visitor to the page was Googlebot, bingbot, or msnbot. That would help explain why only the robots saw the links, and you didn't when you visited your pages yourself. 

(I removed most of the code because there is no point leaving it publicly available.)

Deleting the file was the correct thing to do, but you should find out if Drupal was supposed to have a legitimate file with that name in that folder. If so, you'll need to find the legitimate version of the file, and put it back there. Maybe the Drupal forum can help you. ( http://drupal.org/forum )

Deleting the file was a good first step, but the hackers were able to put the file there because there is a security hole somewhere. You'll need to improve your security or they will put the file there again.

You should do the security precautions described on my page http://25yearsofprogramming.com/blog/20070705.htm and the other related pages.
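A defender's check for the pattern discussed in this thread, as an added example that is not part of the original posts or of Drupal: it decodes base64 string literals in PHP files and flags any file whose hidden strings combine HTTP_USER_AGENT with one of the crawler names mentioned above. The function names, the extension list and the sample (built only from the literals still visible in the first post) are assumptions made for illustration.

```python
import base64
import binascii
import os
import re

# Quoted literals made only of base64 characters (8 or more).
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{8,}={0,2})['"]""")
CRAWLERS = ("googlebot", "bingbot", "msnbot")  # the three named in this thread
PHP_EXTENSIONS = (".php", ".inc", ".module")  # assumption: files worth scanning

# Constructed sample: only the literals still visible in the post above.
SAMPLE = """function _1343129181($i)
{$a=Array('SFRUUF9VU0VSX0FHRU5U','R29vZ2xlYm90','YmluZ2JvdA==','bXNuYm90');
return base64_decode($a[$i]);}"""

def decode_literals(source):
    """Return printable ASCII strings hidden in base64 literals."""
    decoded = []
    for literal in B64_LITERAL.findall(source):
        try:
            text = base64.b64decode(literal, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, or not text once decoded
        if text.isprintable():
            decoded.append(text)
    return decoded

def scan_source(source):
    """Flag PHP that hides a crawler User-Agent check behind base64."""
    decoded = [d.lower() for d in decode_literals(source)]
    crawlers = sorted(c for c in CRAWLERS if any(c in d for d in decoded))
    reads_ua = "http_user_agent" in decoded
    return {"reads_user_agent": reads_ua, "crawlers": crawlers,
            "suspicious": reads_ua and bool(crawlers)}

def scan_tree(root):
    """Return {path: finding} for suspicious PHP files under root."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(PHP_EXTENSIONS):
                path = os.path.join(folder, name)
                with open(path, errors="replace") as handle:
                    finding = scan_source(handle.read())
                if finding["suspicious"]:
                    hits[path] = finding
    return hits
```

Running `scan_tree` over the whole site root, not only the "includes" folder, also shows whether the same cloaking code was dropped elsewhere; a clean result does not prove the entry point has been closed.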