One of my sites was hacked, please help me clear this up.
| File | Last commit message |
|------|---------------------|
| README.md | Update README.md |
| Y8QRtVMn.php | added all php files in docroot |
| authorize.php | added all php files in docroot |
| browser.php | added all php files in docroot |
| browser.readable.php | added readable versions of the code... |
| browser_decoded.php | trying to decrypt browser.php |
| common.php | added all php files in docroot |
| common.readable.php | added readable versions of the code... |
| common_decoded.php | decoded common.php |
| content.php | added all php files in docroot |
| content.readable.php | added readable versions of the code... |
| cron.php | added all php files in docroot |
| en.php | added all php files in docroot |
| en.readable.php | added readable versions of the code... |
| forum.php | added all php files in docroot |
| forum.readable.php | added readable versions of the code... |
| home.php | added all php files in docroot |
| home.readable.php | added readable versions of the code... |
| index.php | Update index.php |
| index.readable.php | added readable versions of the code... |
| info.php | added all php files in docroot |
| info.readable.php | added readable versions of the code... |
| install.php | added all php files in docroot |
| lib.php | added all php files in docroot |
| lib.readable.php | added readable versions of the code... |
| main.php | added all php files in docroot |
| main.readable.php | added readable versions of the code... |
| message.php | added all php files in docroot |
| message.readable.php | added readable versions of the code... |
| mirror.php | added all php files in docroot |
| mirror.readable.php | added readable versions of the code... |
| msg.php | added all php files in docroot |
| msg.readable.php | added readable versions of the code... |
| new_index.php | added all php files in docroot |
| registry_rebuild.php | added all php files in docroot |
| update.php | added all php files in docroot |
| xmlrpc.php | added all php files in docroot |

README.md

One of my Drupal sites was hacked.

I had forgotten to update it to the latest core, but it was interesting to see what the 'hacker' installed anyway. This is what was installed in the Drupal root:

## Files

  • Y8QRtVMn.php (webshell)
  • browser.php (I have no idea)
  • common.php (I have no idea)
  • content.php (I have no idea)
  • en.php (I have no idea)
  • forum.php
  • home.php
  • index.php (The Drupal default index.php with some lines inserted at the top.)
  • info.php
  • lib.php
  • main.php
  • message.php
  • mirror.php
  • msg.php

All of these files are obfuscated. The other PHP files (Drupal's update.php, xmlrpc.php and cron.php) are unaltered.

When the modified index.php is rendered, the behaviour is as follows: at first you see the site as usual, then JavaScript kicks in (the inserted PHP seems to output JavaScript obfuscated with encodeURI/decodeURI).
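As an added example (not code from this repository), a small Python triage script that does what the README describes by hand: it reports top-level PHP files that are not part of the Drupal install, scores each file for common obfuscation indicators, and flags an index.php that has code inserted above its docblock. The baseline file set and the indicator weights are assumptions for the demo, and the sample docroot is constructed.

```python
"""Triage helper for a Drupal docroot: flag top-level PHP files that are not part of the
expected install, carry obfuscation indicators, or have code prepended above the docblock."""
import os
import re
# Heuristic indicators with weights; hits are reported by name for the analyst.
INDICATORS = {
    "eval": (r"\beval\s*\(", 3),
    "base64_decode": (r"\bbase64_decode\s*\(", 2),
    "decompress_or_rotate": (r"\b(gzinflate|gzuncompress|str_rot13)\s*\(", 2),
    "long_base64_blob": (r"[A-Za-z0-9+/]{120,}={0,2}", 2),
    "hex_escaped_string": (r"(\\x[0-9a-fA-F]{2}){8,}", 2),
    "request_data_in_call": (r"\$_(POST|GET|REQUEST|COOKIE)\[[^\]]+\]\s*\)", 1),
}
# Top-level PHP files the README names as legitimate Drupal core (assumed complete for this demo).
BASELINE = {"index.php", "update.php", "xmlrpc.php", "cron.php", "install.php", "authorize.php"}

def score_php(src):
    """Return {indicator_name: weight} for every indicator present in the source."""
    return {name: w for name, (pat, w) in INDICATORS.items() if re.search(pat, src)}

def prepended_code(src):
    """True when code sits between the opening <?php tag and the first /** docblock,
    which is how the README describes the tampered index.php."""
    m = re.match(r"\s*<\?php\s*(.*?)/\*\*", src, re.S)
    return bool(m and m.group(1).strip())

def triage_docroot(files, baseline=BASELINE):
    """files maps filename -> source; returns one finding per unexpected, obfuscated or tampered file."""
    findings = []
    for name, src in sorted(files.items()):
        hits = score_php(src)
        unexpected = name not in baseline
        prepended = name in baseline and prepended_code(src)
        if hits or unexpected or prepended:
            findings.append({"file": name, "unexpected": unexpected, "prepended_code": prepended,
                             "indicators": sorted(hits), "score": sum(hits.values())})
    return findings

def load_docroot(root):
    """Read the top-level .php files of a real docroot into the mapping triage_docroot expects."""
    return {n: open(os.path.join(root, n), errors="replace").read()
            for n in os.listdir(root) if n.endswith(".php") and os.path.isfile(os.path.join(root, n))}

# Constructed sample docroot (not the repository's files): index.php with a line inserted above
# its docblock, an untouched cron.php, and an unexpected file that unpacks and runs a long blob.
SAMPLE_DOCROOT = {
    "index.php": "<?php\n$q=base64_decode('ZWNobyAnaGknOw==');eval($q);\n/**\n * @file\n */\n",
    "cron.php": "<?php\n\n/**\n * @file\n * Scheduled task runner.\n */\n",
    "Y8QRtVMn.php": "<?php\n$p='" + "QUJD" * 40 + "';eval(gzinflate(base64_decode($p)));\n",
}
```

Run `triage_docroot(load_docroot("/path/to/docroot"))` against a real site; the heuristics only prioritise files for review, so anything flagged still needs to be compared against a clean copy of the same Drupal release.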

## What else

It also seems to turn your web server into a spam email relay. References are made to the following URLs:

  • http://78.138.118.127/12345nbvvd.php
  • http://78.138.127.174/2701dfbvcxff.php
  • http://javaterm.com/green/backlinker.php
  • http://javaterm.com/shaman/shaman.php
