woutersf/help_me_clear_this_up

# One of my Drupal sites was hacked.

I had forgotten to update it to the latest core, but it was interesting to see what the 'hacker' installed anyway. This is what the hacker installed in the Drupal root.

## Files

  • Y8QRtVMn.php (webshell)
  • browser.php (I have no idea)
  • common.php (I have no idea)
  • content.php (I have no idea)
  • en.php (I have no idea)
  • forum.php
  • home.php
  • index.php (The Drupal default index.php with some lines inserted at the top.)
  • info.php
  • lib.php
  • main.php
  • message.php
  • mirror.php
  • msg.php

All of these files are obfuscated. The other PHP files are the Drupal update, xmlrpc and cron.php; those are unaltered.
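The triage described above (which root-level PHP files are new, which core files were changed, which are unaltered) can be repeated by hashing the docroot against a clean copy of the same Drupal release. This is an added example, not part of the original README; the function names, directory layout and file contents are constructed for illustration, and it assumes a clean copy of the exact core version is available and looks only at top-level `*.php` files.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def manifest(root):
    """Map file name -> SHA-256 for every top-level *.php file in root."""
    return {p.name: sha256_file(p) for p in sorted(Path(root).glob("*.php"))}


def triage(docroot, baseline):
    """Sort the docroot's top-level PHP files into unaltered / modified / unknown."""
    result = {"unaltered": [], "modified": [], "unknown": [], "missing": []}
    current = manifest(docroot)
    for name, digest in current.items():
        if name not in baseline:
            result["unknown"].append(name)      # not shipped with core: dropped file
        elif digest != baseline[name]:
            result["modified"].append(name)     # core file whose content changed
        else:
            result["unaltered"].append(name)
    result["missing"] = sorted(set(baseline) - set(current))
    return result


def demo():
    """Constructed sample: a clean core copy vs. a docroot shaped like the one above."""
    core = {n: f"<?php // stock {n}\n" for n in
            ("index.php", "update.php", "xmlrpc.php", "cron.php")}
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for d in (clean, live):
            d.mkdir()
            for name, body in core.items():
                (d / name).write_text(body)
        # Simulate the findings: lines inserted at the top of index.php, plus dropped files.
        (live / "index.php").write_text("<?php /* inserted */ ?>\n" + core["index.php"])
        for dropped in ("Y8QRtVMn.php", "browser.php", "msg.php"):
            (live / dropped).write_text("<?php // placeholder, not the real payload\n")
        return triage(live, manifest(clean))


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category:10} {names}")
```

Files reported as unknown or modified are the ones to quarantine and inspect; a full cleanup would also have to cover subdirectories and the database, which this sketch does not.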

## When rendered in the index.php

The behavior was like so: at first you see the site as usual, then JavaScript kicks in (this PHP seems to render en|decodeURI-encoded JavaScript).

## What else

It seems this renders your webserver as a spam email relay too. References are made to:

  • http://78.138.118.127/12345nbvvd.php
  • http://78.138.127.174/2701dfbvcxff.php
  • http://javaterm.com/green/backlinker.php
  • http://javaterm.com/shaman/shaman.php

About

One of my sites was hacked, please help me clear this up.
