In light of the recent COVID-19 pandemic - OPTASY would like to offer DRUPAL website support for any Healthcare, Government, Education and Non-Profit Organization(s) with critical crisis communication websites or organizations directly providing relief. Stay Safe and Stay Well.

My Drupal Site Has Been Hacked: What Do I Do? How Do I Restore It? 10 Steps to Clean It Up
Drupal
Drupal 8
Tips

My Drupal Site Has Been Hacked: What Do I Do? How Do I Restore It? 10 Steps to Clean It Up

by RADU SIMILEANU on Jun 25 2018

Oops! The worst has happened: your Drupal site has been hacked! Maybe it was precisely one of those critical vulnerabilities, that the Drupal security team has been drawing attention to these last months, that the attacker(s) exploited? 

Now what? What to do?

Should you be:

 

  1. rushing to restore your website to a healthy, good-working state (that, of course, if you do have a clean and recent backup available)?
  2. starting to rebuild it?
  3. investigating how your Drupal site got contaminated in the first place: where's the “open door” that the attackers used to get in?
  4. focusing on closing any backdoors that could make new attacks possible?

     

Now “tormenting” yourself with too many questions simultaneously will only distract you from what should be your main objective: cleaning up your website (and preventing further hacks I should add).

So, let's go about it methodically, step by step:

 

Step 1: Write Down Issues, Steps to Take, Preventive Measures to Apply

Keep your cool and go for a methodical approach to crisis management:

Just open up a document and start... documenting:

 

  • the issues and any suspicious activity that you identify on your site
  • all the steps that your strategy for removing malware and restoring your site should include
  • the preventive security measures you commit to taking for preventing such a scenario from happening again the future

     

Step 2: Make a Forensic Copy of Your Drupal Site 

Before you start running your “investigations” on the attack, on how your Drupal site has been hacked, and way before you get to rebuild anything:

Make a forensic copy of all your files, you database and your operating system environment!

Note: go with an external storage medium for these copies and store them offsite.

As you're scanning through your files, detecting viruses and malware and having them cleaned up, feel free to make new and new “working backups”. And to store them in a different directory (from your regular backup files, I mean).

“But why bother? When will these backups turn out particularly useful?”

 

  1. when you call out to a third party to assist you with the troubleshooting process; these “working” backups will then provide a clear picture of the site before you started “malware detecting” on your own
  2. when you try to fix the issues you detect, but instead you make them worse; then, you can easily roll back those changes 

     

Step 3: Scan Your Servers and PC for Malware, Malicious Code Injections, Viruses

Before you rush to change all the passwords on your site, pause for a moment to think through your next “move”:

What if the attack has been “programmed” so that the attacker should get notified once you change your password(s)? And what if it's precisely your PC or one of your servers that's got infected? Then storing a clean backup of your site precisely there would only make it even more vulnerable.

So, how do you prevent that? You give both your PC and your servers a deep scan before making any change.

And, thank God, you sure aren't nickel and dimed in anti-malware tools and anti-virus software: AVG, BitDefender, Malwarebytes, ESET, AV-Comparatives etc.

 

Step 4: Detect & Remove the Backdoors

One of the crucial steps to take, once you realize that your Drupal site has been hacked, is to “close” all the backdoors.

These could easily turn into hackers' access ticket into your site even after you've removed malware and restored it to its healthy state. But, for closing them you first need to... find them right?

So, where to look?

Here are a few key places on your site that you should focus your “searches” on:

 

  • access logs: while scanning them, be vigilant and look for PHP scrips and POST requests added to directories that have writable access

     
  • eCommerce set up: check all the payment methods, shipping addresses, credit card addresses, linked accounts, looking for any suspicious, newly added data

     
  • passwords: FTP passwords, admin passwords, control panel passwords

     
  • email rules and filters: check that the answers to the security questions are “legitimate”, that messages are being forwarded to correct email addresses etc.

     

Step 5: Consider Taking Your Site Offline

And your decision depends greatly on the nature of your site:

If it's a hacked eCommerce Drupal site that we're talking about here, then don't wait even one more minute: take your site down (along with the internal network and servers) and install a placeholder!

This way, you'll prevent:

 

  • malware from being further distributed
  • spam from being sent to your online store's customers

     

Note: do keep in mind that taking your site offline will instantly let the attackers know that you've detected the malware that they've “infiltrated” and that you are about to “take action”.

If you decide not to take your Drupal site offline at the web server level, ensure that you've got your clean forensic copy at hand before deleting all the sessions.

Note: have you detected suspicious changes of the passwords? If so, use this query here for updating them (Drupal 7):

 

update users set pass = concat('ZZZ', sha(concat(pass, md5(rand()))))

As for the users, they can easily use the reset password tool for updating their passwords.

Word of caution: mind you don't take "Drupal on maintenance mode” for “offline Drupal". They're 2 completely different things! Once your Drupal site has been hacked, the malware could be of such nature that it allows the attacker to infiltrate as long as the site's online.

 

Step 6: Notify Your Hosting Provider That Your Drupal Site Has Been Hacked 

They should be informed about the breach and about your site being taken offline (if it's the case) immediately.

The sooner the better, this way they can:

 

  • start scanning their own systems for incursions
  • get ready to assist you with your site recovery and securing process

     

Step 7: Handle Client Data with Extra Precaution 

And these are the specific scenarios where you'll need to take extra precautions when handling client information:

 

  1. your Drupal site stores client information on the web host
  2. … it leverages the data POST method for sending form data via e-mail
  3. … it doesn't integrate with a 3rd party payment gateway, but manages the payment processes itself

     

If one of these 3 scenarios suits your case, then here are some of these extra precautions that you need to make to ensure the private user data doesn't get exposed:

 

  • update your SSL certificate
  • re-check all logfiles (have any of the hosted client information been copied, updated or downloaded?)
  • implement AVS (address verification system) 
  • add CVV (card verification value)
  • encrypt connections to back-end services used for sending confidential user data 

     

Step 8: Investigate the Attack: Identify the Source(s) of Infection

No matter how much pressure you might find yourself under to get your site back online ASAP, don't let take control over your site's restoring process!

Not until you've detected the main source of contamination on your site. The key vulnerability that attackers exploited, the key reason why your Drupal site has been hacked in the first place.

That being said, make sure that:

 

  1. you first audit, on a staging server, that “clean” backup of your site that you're planning to get online; this way, you track down and remove infected files, unauthorized settings, malicious code 
  2. you compare pre- and post-hack files, looking for any suspicious changes

     

Now if you have a clean (and recent) backup at hand for running this comparison, the problem's almost solved. Just use the right tools to compare your files and track down discrepancies.

But if you don't have a backup at hand, then there's no other way but to:

Manually inspect your files and databases to identify any suspicious changes that have been made.

  • look for any suspicious iframe or JavaScript at the end of the files (if detected, save the code in an external file)
  • look for any sources of “Drupal site hacked redirect”; for links to external URLs

     

Now, as for the places that you should be running your investigations on, let me give you just a few clues:

 

  • .php files, .html files 
  • sessions table 
  • newly modified/created files
  • new/updated user accounts 
  • in writable directories and database 

     

Step 9: Do a Full Restore of Your Site 

So, you've noticed that your Drupal site has been hacked, you've assessed all the damage caused, removed malware and even detected the vulnerability that hackers exploited to get in, not it's only but logical to:

Try to repair your website, right?

Word of caution: never ever run your changes on your production site; instead, fix all detected issues on a staging site. Also, once you've cleaned it all up, remember to run the latest Drupal security updates, as well!

Now, getting back to repairing your site, you have 2 options at hand:

 

  1. you either restore a clean backup, if you know the date and time that your Drupal site has been hacked and you're also 100% sure that none of the system components, other than Drupal, got contaminated
  2. or you rebuild your Drupal site 

     

The latter method is, undoubtedly more cumbersome, yet a lot more cautious. Go for it if:

 

  • you do not know the precise date and time when your site's got contaminated
  • you do not have a clean (and recent) backup available to restore
  • you've evaluated the damages as being already too widespread  

     

Step 10: Give Your Restored Site a Full Check Before Going Live 

Do remember to give your newly recovered site a final audit before getting it back up:

 

  • remove all malicious code detected
  • suspicious files
  • unauthorized settings

     

And, most of all:

Close all the backdoors!

 

Final Word 

A pretty long, complex and discouragingly tedious recovery process, don't you think? 

So, why wouldn't you avoid all these steps that you need to go through once your Drupal site has been hacked?

Why not avoid the risk of finding yourself forced to take your website offsite for... God knows how long, risking to impact your site's reputation and to drive away users/online customers?

Don't you find it wiser to:

 

  • be prepared instead?
  • opt for ongoing Drupal maintenance and support services?
  • make a habit of regularly backing up your website?
  • keep your system and software up to date (and to install all the recommended patches)?
  • stop underrating the security advisories that the Drupal team makes?

     
Development

We do Web development

Go to our Web development page!

Visit page!

Recommended Stories

DrupalTips
Top Drupal Debugging Techniques

Top Drupal Debugging Techniques

  Debugging is an essential part of developing any website, and Drupal is no exception. Debugging in Drupal can be a complex process due to the complexity of the system and its many components. However, with the right techniques, it is possible to identify and resolve issues quickly. In this article, we will discuss some of the top debugging techniques for Drupal that can help you troubleshoot your website more efficiently. We will cover topics such as using the Devel module, using Xdebug, and other helpful tips and tricks. With these techniques in hand, you'll be able to recognize and repair any problems on your Drupal site quickly.     Using the Devel Module for Debugging The Devel module is a powerful tool for debugging Drupal websites. It provides a suite of tools to help you quickly identify and resolve issues. The Devel module includes features such as the ability to view database queries, generate dummy content, and debug PHP code. It also has an API that allows developers to create custom debugging tools. Using the Devel module can be helpful when trying to identify the source of an issue. It can also be used to generate dummy content for testing purposes.     Utilizing Xdebug for Troubleshooting Xdebug is a powerful debugging tool that can be used to troubleshoot issues on Drupal websites. It provides detailed information about the code execution, including stack traces and variable values. This can help developers quickly identify the source of an issue and resolve it more efficiently. Xdebug also has features such as breakpoints, which allow developers to pause the execution of code at certain points to inspect the application's state. This can be helpful when trying to identify and fix complex issues.     Leveraging Drupal's Logging System Drupal's logging system is a powerful tool for debugging websites. It provides detailed information about the events that occur on the website, including errors and warnings. This can be helpful when trying to identify the source of an issue. The logging system also allows developers to set up custom log levels, which can be used to filter out unnecessary information and focus on specific types of events. This can help developers quickly identify and resolve issues.   Using the Drupal Console for Debugging The Drupal Console is a command-line interface that can be used to debug Drupal websites. It provides commands for inspecting the database, generating dummy content, and running tests. This can be helpful when trying to identify and fix issues quickly. The Drupal Console also has an API that allows developers to create custom commands for debugging purposes.   Have You Completed Your Drupal 10 Migration? The release of Drupal 10 marks a major milestone for the platform, and it is important to ensure that your website is up-to-date with the latest version. Migrating to Drupal 10 can be a complex process, but it is essential for ensuring that your website remains secure and performs optimally. When migrating to Drupal 10, it is important to test the website thoroughly and use debugging techniques to identify and resolve any issues. The Devel module, Xdebug, and Drupal's logging system can all be used to troubleshoot any problems that may arise during the migration process. Don't forget to ensure that all of the modules and themes used on the website are compatible with Drupal 10. It is recommended to use the Update Status module to check for any available updates and apply them before migrating to Drupal 10. Additionally, it is a good idea to create a backup of your website before beginning the migration process in case something goes wrong. By taking these steps, you can ensure that your website is properly migrated and running smoothly on Drupal 10.     Conclusion Debugging in Drupal can be a complex process, but with the right techniques, it is possible to debug your website faster and easier. If you need more advice on your next web development project or on your Drupal 10 migration, our team of experts is here to help you. Contact us for more details.   Photo credit: Unpslash.... Read more
Raluca Olariu / Jan 16'2023
DrupalTips
Troubleshoot Your Website in 8 Easy Steps

Troubleshoot Your Website in 8 Easy Steps

  Having a website that runs smoothly is essential for any business. Unfortunately, website issues can arise from time to time and can be difficult to troubleshoot. The good news is that there are some simple steps you can take to identify and resolve common website problems. In this article, we'll discuss eight easy steps you can take to troubleshoot your website quickly and efficiently. With these tips, you'll be able to get your website back up and running in no time. 1. Check Your Server Status. The first step in troubleshooting your website is to check the status of your server. If your server is down or experiencing issues, it could be the cause of any problems you're having with your website. You can check the status of your server by accessing the control panel for your hosting provider. This will give you an overview of any issues that may be affecting your server and allow you to take the necessary steps to resolve them. 2. Review Your Website Logs. After checking your server status, your next step is to review your website logs. Logs are a great way to identify any errors or issues that may be occurring on your website. Reviewing the log files lets you pinpoint the exact source of the problem and take steps to resolve it quickly. Logs can also provide valuable insights into how visitors interact with your website, which can help you optimize your website for better performance. 3. Test Your Website Performance. The third step in troubleshooting your website is to test its performance. This can be done by using a tool such as Google PageSpeed Insights or WebPageTest. These tools will analyze your website and provide you with detailed information about its loading speed, page size, and other performance metrics. This will allow you to identify any areas of improvement that could help improve the overall performance of your website. 4. Inspect Your Code for Errors. If you've tested your website performance, your next step is to inspect your code for errors. This can be done by using a tool such as Firebug or Chrome DevTools. These tools will allow you to view your website's HTML, CSS, and JavaScript code and identify any errors that may be causing issues. Once you have identified the errors, you can take steps to fix them and ensure that your website is running smoothly. 5. Check for Broken Links. The fifth step in troubleshooting your website is to check for broken links. Broken links can cause a variety of issues, such as slow loading times and poor user experience. Various tools can help you identify any broken links on your website, such as Screaming Frog or Xenu Link Sleuth. Once you have identified the broken links, you can take steps to fix them and ensure that your website is running smoothly on all platforms, including mobile devices. 6. Ensure You Have the Latest Updates Installed. Ensuring that you have the latest updates installed is imperative if you want a highly performant website. Outdated software can cause a variety of issues, such as security vulnerabilities and compatibility problems. It's important to keep your website up-to-date with the latest versions of any software or plugins you may be using. You can check for updates by accessing the control panel for your hosting provider or by using a tool such as WP Updates Notifier. 7. Analyze Traffic Patterns to Identify Issues. You should also analyze traffic patterns to identify any issues that may be causing your website to perform poorly. Analyzing traffic patterns can help you identify any areas of your website that may be causing problems, such as slow loading times or high bounce rates. You can use tools such as Google Analytics or Hotjar to track and analyze user behavior on your website. This will allow you to identify any potential issues and take steps to resolve them. 8. Monitor Your Website Regularly. Finally, remember to monitor your website regularly, as it will allow you to identify any potential issues before they become serious problems. You can use tools such as Uptime Robot or Pingdom to monitor your website's uptime and performance. In this way, you can ensure that your website is running smoothly and that any potential issues are identified quickly so that they can be addressed promptly.   Drupal 10 for High Website Performance Drupal 10, launched last month, is the latest version of one of the most powerful content management systems that can help you achieve high website performance. Drupal 10 offers a range of features designed to improve the speed and efficiency of your website, such as caching, minification, and optimization.  Among the best features we can find: Symfony 6 compatibility. Site owners and module developers will benefit from as much Symfony 6 compatibility as possible, and Symfony 4 deprecations in Drupal 9 for Symfony 5 will be resolved. Supported solutions for rebuilding jQuery UI functionality by using either vanilla JavaScript or frameworks like React. jQuery UI components used by Drupal core will be removed. Best practices for deprecating modules. Users will be able to use a proper mechanism for naming, versioning, deprecating wrappers, etc. A 'lifecycle' - property can be used in info.yml files for themes and modules. Better decoupled developer and site builder experiences, especially for menu and URL handling. Introduction of CKEditor 5 with better authoring experience and more modern editing (replacing CKEditor 4). PHP 8.1 compatibility for Drupal 9 and Drupal 10. Theme Starterkit tools for bespoke theme creation. You can learn more about how Drupal 10 can take your website to the next level in this article. Drupal 10 Migration If you're considering migrating to Drupal 10, we can help. Optasy's team of highly skilled developers can help you migrate your website to Drupal 10 quickly and efficiently. We can also provide ongoing support and maintenance for your website, ensuring it runs smoothly and optimally. Contact us today to learn more about our Drupal 10 migration services.   Photo credit: Pixabay.... Read more
Raluca Olariu / Jan 11'2023
DrupalNews
Why You Should Choose Drupal 10 in 2023

Why You Should Choose Drupal 10 in 2023

  As technology continues to evolve, it is important for businesses to stay ahead of the curve and choose the right platform for their website. Drupal 10 was released in December 2022, and it promises to be a powerful and reliable content management system (CMS). With its advanced features, scalability, security, and flexibility, Drupal 10 is an ideal choice for businesses looking to build a modern website. In this article, we will discuss why you should choose Drupal 10 for your next web development project. Advanced Features of Drupal 10 Drupal 10 comes with a range of advanced features that make it an ideal choice for businesses looking to build a modern website. These features include: Automatic Updates: Drupal 10 offers automatic updates, so you can keep your website up-to-date without having to manually update the software. This ensures that your website is always running the latest version of Drupal and is secure from any potential security threats. Responsive Design: Drupal 10 comes with a responsive design that ensures your website looks great on any device, from desktop computers to mobile phones. This makes it easier for users to access your website from any device and helps to improve user experience. Accessibility: Drupal 10 is designed with accessibility in mind, making it easier for people with disabilities to access your website. This helps to ensure that your website is accessible to everyone, regardless of their abilities. Multilingual Support: Drupal 10 supports multiple languages, so you can easily create a multilingual website that caters to a global audience. This makes it easier for businesses to reach out to a wider range of customers and expand their customer base. SEO Optimization: Drupal 10 comes with built-in SEO optimization tools that help to improve your website’s visibility in search engine results. This makes it easier for customers to find your website and helps to increase traffic and conversions.   Scalability and Flexibility  Drupal 10 is highly scalable and flexible, making it easy to customize your website to meet your specific needs. You can easily add new features and functionality to your website without having to start from scratch. This makes it easier for businesses to keep up with changing customer demands and stay ahead of the competition. Additionally, Drupal 10 is built on a modular architecture that allows you to easily add and remove modules as needed. This makes it easy to customize your website and keep it up-to-date with the latest features.   Security Benefits Drupal 10 is built with security in mind, making it one of the most secure content management systems available. It comes with a range of security features that help to protect your website from potential threats, such as SQL injection attacks and cross-site scripting. Additionally, Drupal 10 is regularly updated with the latest security patches to ensure that your website is always secure.   Cost-Effectiveness Cost-effectiveness is another major benefit of choosing Drupal 10 for your next web development project. Drupal 10 is an open source platform, meaning that it is free to use and customize. This makes it a cost-effective solution for businesses looking to build a website without breaking the bank. Additionally, Drupal 10 comes with a range of features and functionality that can help you save time and money when building your website.   Why Choose Drupal 10 in 2023? Selecting Drupal 10 in 2023 is a great choice for businesses looking to build a website that is secure, reliable, and cost-effective. Drupal 10 offers automatic updates, responsive design, multilingual support, SEO optimization, scalability and flexibility, and security benefits.  Migrate to Drupal 10 If you’re currently using an older version of Drupal, you can easily migrate to Drupal 10. The migration process is straightforward and can be completed quickly with the help of a professional web development team like Optasy. This will ensure that your website is up-to-date and secure, so you can continue to provide customers with the best possible experience. Contact us for more information about your migration process. Learn more about Drupal 10 by reading this blog post.   Photo credit: Unsplash.... Read more
Raluca Olariu / Jan 05'2023

Need a new Project?

Dare us to shape and boost your idea(s)!

Start a Project

(416) 243-2431

Contact

(416) 243-2431

Toronto Downtown

First Canadian Place,
100 King St. W. Suite 5700, Toronto

Toronto West

2275 Upper Middle
Rd. E, Suite 101
Toronto

New York

1177 Avenue of the
Americas, 5th Floor,
New York