One of my drupal sites was hacked.
I had forgotten to update it to the latest core, but it was interesting to see what the 'hacker' installed anyway. This is what the hacker installed in the drupal root.
- Y8QRtVMn.php (webshell)
- browser.php (I have no idea)
- common.php (I have no idea)
- content.php (I have no idea)
- en.php (I have no idea)
- index.php (The drupal ddefault index.php with some lines inserted in the top.)
All of these files are obfuscated. The other php files are drupal update, xmlrpc and cron.php, those are unaltered.
When rendered in the index.php
It seems this renders your webserver as a spam email relay too. references are made to http://188.8.131.52/12345nbvvd.php