Monday, November 17, 2014

website - Has my site been attacked?

This is about an online store based on Drupal 5.



All of a sudden it didn't work anymore. Upon accessing the site, this error came up:




Parse error: syntax error, unexpected '<' in /home/public_html/index.php on line 38





Upon further inspection I found the following two lines at the end of said index.php:







After manually removing those 2 lines, the site seems to work fine again.



But after more problems (with editing pages) were reported, I found out that actually all the *.js files are "infected". They all contain an extra line at the end:




document.write('');


Has this site been hacked? Upon googling for "blog.nodisposable.com", nothing interesting comes up. That site itself seems legitimate. It's probably hacked itself?



Can anybody explain how this could have happened? What can I do to reverse this? And what can I do to avoid this in the future?



Update




After restoring a backup of the website (not the database) it happened again, but now the script tag pointed to dolfy.sedonahyperbarics.com:8080/XHTML.js.



Apparently, a lot of random Drupal user accounts were created as well. So this might be a sign that it was actually a Drupal vulnerability.
We have them removed, and restricted user account creation to admins only (it should have been that from the beginning, I know :-s). We also changed the admin user password to something more safe.
Let's hope it won't come back now.
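A triage scan for the symptoms described in the post, as an added example that is not part of the original post: it flags `.js` files whose last line is a `document.write(` call and `.php` files with a script tag in their last two lines. The rules are heuristics, and the sample tree and the `injected.example` URL are constructed placeholders.

```python
import os
import re
import sys
import tempfile

# Heuristic rules taken from the symptoms in the post: (tail lines to inspect, pattern).
RULES = {
    ".js": (1, re.compile(r"^\s*document\.write\s*\(")),  # extra last line
    ".php": (2, re.compile(r"<\s*script\b", re.I)),       # script tag appended after PHP code
}

def tail_lines(path, n):
    """Return the last n non-blank lines of a file, decoded leniently."""
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", "replace")
    return [line for line in text.splitlines() if line.strip()][-n:]

def scan(root):
    """Return sorted paths (relative to root) whose tail matches a rule."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rule = RULES.get(os.path.splitext(name)[1].lower())
            if rule is None:
                continue
            n, pattern = rule
            path = os.path.join(dirpath, name)
            if any(pattern.search(line) for line in tail_lines(path, n)):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def build_sample_tree(root):
    """Write a constructed sample tree: two clean files, two with an appended tail."""
    tag = '<script src="http://injected.example/x.js"></script>'  # placeholder URL
    samples = {
        "index.php": "<?php\nrequire_once './includes/bootstrap.inc';\n" + tag + "\n",
        "clean.php": "<?php\nprint 'ok';\n",
        "misc/drupal.js": "function f() { return 1; }\ndocument.write('" + tag + "');\n",
        "misc/clean.js": "function g() { document.write('hi'); }\nvar x = 1;\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_sample_tree(demo)
        print("\n".join(scan(sys.argv[1] if len(sys.argv) > 1 else demo)))
```

Run with a web root as the only argument to scan real files. Template files that legitimately end in markup will also match, so treat hits as candidates to compare against a known-good copy.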
