One of our key tasks here at P4D is keeping malware out of websites.
Some customers rely on our Google Cloud-based infrastructure, which we guarantee to keep up to date at every level (from the OS to the web app itself), but some agencies have their own infrastructure, and sooner rather than later shit malware happens.
Today we had to deal with a backdoor that infects outdated Drupal installations: b374k Jayalah Indonesiaku (https://kb.sucuri.net/malware/signatures/php.backdoor.b374k-shell).
To make things more complicated, the agency uses a shared hosting environment which only granted us phpMyAdmin and SFTP access. We were in for a ride.
The symptom was a blank page when accessing the /user path. A simple log review showed that a 404 error was being thrown, and the first suspicion was a problem with the .htaccess file. I viewed the .htaccess and indeed it wasn't the default one for a Drupal installation. A quick replacement with the newest Drupal .htaccess rendered the site usable again, but login with the admin user wasn't possible. A password reset granted us one-time access, which led us to discover that every admin page carried a "b374k Jayalah Indonesiaku" label in the footer.
Note: Investigating the users table in the DB, the original admin username was gone; the account had been renamed to "mohmad".
Meanwhile a backup of the site and database was made in order to rollback if necessary.
To begin the real cleaning we identified several .php files inside the server root which were backdoors: mad.php, ini.php, etc. We immediately deleted them. Every Drupal core folder was deleted: includes, misc, modules, profiles, scripts, themes. Every Drupal file in the root was deleted: authorize.php, cron.php, index.php, etc.
The latest Drupal 7.x release was then uploaded (Drupal 7.38 in this case).
The update script (/update.php) was run (not before temporarily allowing it to run by changing the settings.php config file).
Once updated, with the one-time login still valid, we tried to update every module, but it failed every time with an AJAX error whose text was, again, "b374k Jayalah Indonesiaku".
Since every file was now fresh, something in the DB was still injecting the string. A simple search for %b374k% showed that the field_data_body, cache_field and field_revision_body Drupal tables contained infected rows. The rows were deleted directly, as recommended at http://drupalanswerscm.blogspot.com.ar/2015/01/web-site-hacked-jayalah-indonesiaku.html
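With only phpMyAdmin available, the search and the deletions above are typed as plain SELECT and DELETE statements. The following is an added example, not the post's own queries, that shows the same two-step routine (list matching rows first, delete only after review) in Python against an in-memory SQLite copy with constructed rows; the column names `body_value` and `data` are assumptions that simplify Drupal 7's real field tables, and the table list is taken from the findings above.

```python
import sqlite3

MARKER = "b374k"
# Tables the post found infected. The text column per table is an assumed,
# simplified layout of Drupal 7's field and cache tables (not the real schema).
TABLES = {
    "field_data_body": "body_value",
    "field_revision_body": "body_value",
    "cache_field": "data",
}


def build_sample_db():
    """Constructed sample DB: one clean node body plus an injected row per table."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE field_data_body (entity_id INTEGER, body_value TEXT)")
    cur.execute("CREATE TABLE field_revision_body (entity_id INTEGER, revision_id INTEGER, body_value TEXT)")
    cur.execute("CREATE TABLE cache_field (cid TEXT, data TEXT)")
    cur.executemany("INSERT INTO field_data_body VALUES (?, ?)", [
        (1, "<p>Welcome to our site</p>"),
        (2, "<p>About</p><div>b374k Jayalah Indonesiaku</div>"),
    ])
    cur.executemany("INSERT INTO field_revision_body VALUES (?, ?, ?)", [
        (1, 1, "<p>Welcome to our site</p>"),
        (2, 2, "<p>About</p><div>b374k Jayalah Indonesiaku</div>"),
    ])
    cur.executemany("INSERT INTO cache_field VALUES (?, ?)", [
        ("field:node:1", "serialized clean data"),
        ("field:node:2", 'a:1:{s:4:"body";s:25:"b374k Jayalah Indonesiaku";}'),
    ])
    conn.commit()
    return conn


def find_infected(conn, marker=MARKER):
    """Step 1: list rows whose text column contains the marker, per table.
    Returns {table: [row tuples]} so the hits can be reviewed before deletion."""
    hits = {}
    pattern = f"%{marker}%"
    for table, column in TABLES.items():
        rows = conn.execute(
            f"SELECT * FROM {table} WHERE {column} LIKE ?", (pattern,)
        ).fetchall()
        if rows:
            hits[table] = rows
    return hits


def purge_infected(conn, marker=MARKER):
    """Step 2: delete the matching rows; returns rows deleted per table.
    Deleting a field_data_body row drops that node's whole body, so keep
    the backup taken earlier and review find_infected() output first."""
    deleted = {}
    pattern = f"%{marker}%"
    for table, column in TABLES.items():
        cur = conn.execute(f"DELETE FROM {table} WHERE {column} LIKE ?", (pattern,))
        deleted[table] = cur.rowcount
    conn.commit()
    return deleted


if __name__ == "__main__":
    db = build_sample_db()
    for table, rows in find_infected(db).items():
        print(table, rows)
    print(purge_infected(db))
    print(find_infected(db))  # empty once the rows are gone
```

Table names come from a fixed dictionary, never from user input, which is why they are interpolated while the search pattern is bound as a parameter. On a real MySQL database the same `LIKE '%b374k%'` search should be run over every table with a text column, not just the three above, since the injected string may also sit in block or cache tables that this particular cleanup did not need to touch.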
The final steps:
- The admin user was restored via the DB.
- A password reset was forced for every user.
- The FTP single-user password was reset.
- All permissions were verified to be 644 for regular files and 755 for folders.
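Verifying 644/755 by eye over SFTP is error-prone on a tree the size of Drupal. The script below is an added example (not the post's own procedure) that audits a directory tree for modes other than 644 on files and 755 on directories and then fixes them; it runs against a constructed temporary tree so it can be tried offline. Symlinks are skipped, since chmod would follow them to a target outside the tree.

```python
import os
import stat
import tempfile

FILE_MODE = 0o644
DIR_MODE = 0o755


def _entries(root, file_mode, dir_mode):
    """Yield (path, actual_mode, expected_mode) for every entry below root,
    skipping symlinks. Directories are yielded before their contents, so a
    chmod applied while iterating takes effect before os.walk descends."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            expected = dir_mode if stat.S_ISDIR(st.st_mode) else file_mode
            yield path, stat.S_IMODE(st.st_mode), expected


def audit_permissions(root, file_mode=FILE_MODE, dir_mode=DIR_MODE):
    """Return a sorted list of (relative path, actual mode) that deviate."""
    bad = []
    for path, actual, expected in _entries(root, file_mode, dir_mode):
        if actual != expected:
            bad.append((os.path.relpath(path, root), actual))
    return sorted(bad)


def fix_permissions(root, file_mode=FILE_MODE, dir_mode=DIR_MODE):
    """Apply the expected mode to every deviating entry; return how many changed."""
    fixed = 0
    for path, actual, expected in _entries(root, file_mode, dir_mode):
        if actual != expected:
            os.chmod(path, expected)
            fixed += 1
    return fixed


def build_sample_tree():
    """Constructed sample: a small Drupal-like tree with two wrong modes and a symlink."""
    root = tempfile.mkdtemp(prefix="drupal-perms-")
    os.makedirs(os.path.join(root, "sites", "default"))
    for rel in ("index.php", os.path.join("sites", "default", "settings.php")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php\n")
    # chmod is used after creation because mkdir/open are subject to the umask.
    os.chmod(os.path.join(root, "index.php"), 0o644)           # correct
    os.chmod(os.path.join(root, "sites"), 0o755)               # correct
    os.chmod(os.path.join(root, "sites", "default"), 0o777)    # world-writable dir
    os.chmod(os.path.join(root, "sites", "default", "settings.php"), 0o666)  # world-writable file
    os.symlink("index.php", os.path.join(root, "link"))        # must be skipped
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for rel, mode in audit_permissions(tree):
        print(f"{oct(mode)} {rel}")
    print("fixed:", fix_permissions(tree))
    print("remaining:", audit_permissions(tree))
```

One caveat before running the fix on a real site: Drupal's files directory (sites/default/files by default) must stay writable by the PHP process. On shared hosts where PHP runs as the same user that owns the files, 755 is enough; where it runs as a different user, blanket 755 will break uploads and the files directory needs its own rule.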
The site is holding up as of this writing, and if kept up to date it should not cause more trouble.
Comments & Questions are welcome!