In light of the recent COVID-19 pandemic - OPTASY would like to offer DRUPAL website support for any Health Care, Government, Education and Non-Profit Organization(s) with critical crisis communication websites or organizations directly providing relief. Stay Safe and Stay Well.

My Drupal Site Has Been Hacked: What Do I Do? How Do I Restore It? 10 Steps to Clean It Up

My Drupal Site Has Been Hacked: What Do I Do? How Do I Restore It? 10 Steps to Clean It Up

by RADU SIMILEANU on Jun 25 2018

Oops! The worst has happened: your Drupal site has been hacked! Maybe it was precisely one of those critical vulnerabilities, that the Drupal security team has been drawing attention to these last months, that the attacker(s) exploited? 

Now what? What to do?

Should you be:

 

  1. rushing to restore your website to a healthy, good-working state (that, of course, if you do have a clean and recent backup available)?
  2. starting to rebuild it?
  3. investigating how your Drupal site got contaminated in the first place: where's the “open door” that the attackers used to get in?
  4. focusing on closing any backdoors that could make new attacks possible?

     

Now “tormenting” yourself with too many questions simultaneously will only distract you from what should be your main objective: cleaning up your website (and preventing further hacks I should add).

So, let's go about it methodically, step by step:

 

Step 1: Write Down Issues, Steps to Take, Preventive Measures to Apply

Keep your cool and go for a methodical approach to crisis management:

Just open up a document and start... documenting:

 

  • the issues and any suspicious activity that you identify on your site
  • all the steps that your strategy for removing malware and restoring your site should include
  • the preventive security measures you commit to taking for preventing such a scenario from happening again the future

     

Step 2: Make a Forensic Copy of Your Drupal Site 

Before you start running your “investigations” on the attack, on how your Drupal site has been hacked, and way before you get to rebuild anything:

Make a forensic copy of all your files, you database and your operating system environment!

Note: go with an external storage medium for these copies and store them offsite.

As you're scanning through your files, detecting viruses and malware and having them cleaned up, feel free to make new and new “working backups”. And to store them in a different directory (from your regular backup files, I mean).

“But why bother? When will these backups turn out particularly useful?”

 

  1. when you call out to a third party to assist you with the troubleshooting process; these “working” backups will then provide a clear picture of the site before you started “malware detecting” on your own
  2. when you try to fix the issues you detect, but instead you make them worse; then, you can easily roll back those changes 

     

Step 3: Scan Your Servers and PC for Malware, Malicious Code Injections, Viruses

Before you rush to change all the passwords on your site, pause for a moment to think through your next “move”:

What if the attack has been “programmed” so that the attacker should get notified once you change your password(s)? And what if it's precisely your PC or one of your servers that's got infected? Then storing a clean backup of your site precisely there would only make it even more vulnerable.

So, how do you prevent that? You give both your PC and your servers a deep scan before making any change.

And, thank God, you sure aren't nickel and dimed in anti-malware tools and anti-virus software: AVG, BitDefender, Malwarebytes, ESET, AV-Comparatives etc.

 

Step 4: Detect & Remove the Backdoors

One of the crucial steps to take, once you realize that your Drupal site has been hacked, is to “close” all the backdoors.

These could easily turn into hackers' access ticket into your site even after you've removed malware and restored it to its healthy state. But, for closing them you first need to... find them right?

So, where to look?

Here are a few key places on your site that you should focus your “searches” on:

 

  • access logs: while scanning them, be vigilant and look for PHP scrips and POST requests added to directories that have writable access

     
  • eCommerce set up: check all the payment methods, shipping addresses, credit card addresses, linked accounts, looking for any suspicious, newly added data

     
  • passwords: FTP passwords, admin passwords, control panel passwords

     
  • email rules and filters: check that the answers to the security questions are “legitimate”, that messages are being forwarded to correct email addresses etc.

     

Step 5: Consider Taking Your Site Offline

And your decision depends greatly on the nature of your site:

If it's a hacked eCommerce Drupal site that we're talking about here, then don't wait even one more minute: take your site down (along with the internal network and servers) and install a placeholder!

This way, you'll prevent:

 

  • malware from being further distributed
  • spam from being sent to your online store's customers

     

Note: do keep in mind that taking your site offline will instantly let the attackers know that you've detected the malware that they've “infiltrated” and that you are about to “take action”.

If you decide not to take your Drupal site offline at the web server level, ensure that you've got your clean forensic copy at hand before deleting all the sessions.

Note: have you detected suspicious changes of the passwords? If so, use this query here for updating them (Drupal 7):

 

update users set pass = concat('ZZZ', sha(concat(pass, md5(rand()))))

As for the users, they can easily use the reset password tool for updating their passwords.

Word of caution: mind you don't take "Drupal on maintenance mode” for “offline Drupal". They're 2 completely different things! Once your Drupal site has been hacked, the malware could be of such nature that it allows the attacker to infiltrate as long as the site's online.

 

Step 6: Notify Your Hosting Provider That Your Drupal Site Has Been Hacked 

They should be informed about the breach and about your site being taken offline (if it's the case) immediately.

The sooner the better, this way they can:

 

  • start scanning their own systems for incursions
  • get ready to assist you with your site recovery and securing process

     

Step 7: Handle Client Data with Extra Precaution 

And these are the specific scenarios where you'll need to take extra precautions when handling client information:

 

  1. your Drupal site stores client information on the web host
  2. … it leverages the data POST method for sending form data via e-mail
  3. … it doesn't integrate with a 3rd party payment gateway, but manages the payment processes itself

     

If one of these 3 scenarios suits your case, then here are some of these extra precautions that you need to make to ensure the private user data doesn't get exposed:

 

  • update your SSL certificate
  • re-check all logfiles (have any of the hosted client information been copied, updated or downloaded?)
  • implement AVS (address verification system) 
  • add CVV (card verification value)
  • encrypt connections to back-end services used for sending confidential user data 

     

Step 8: Investigate the Attack: Identify the Source(s) of Infection

No matter how much pressure you might find yourself under to get your site back online ASAP, don't let take control over your site's restoring process!

Not until you've detected the main source of contamination on your site. The key vulnerability that attackers exploited, the key reason why your Drupal site has been hacked in the first place.

That being said, make sure that:

 

  1. you first audit, on a staging server, that “clean” backup of your site that you're planning to get online; this way, you track down and remove infected files, unauthorized settings, malicious code 
  2. you compare pre- and post-hack files, looking for any suspicious changes

     

Now if you have a clean (and recent) backup at hand for running this comparison, the problem's almost solved. Just use the right tools to compare your files and track down discrepancies.

But if you don't have a backup at hand, then there's no other way but to:

Manually inspect your files and databases to identify any suspicious changes that have been made.

  • look for any suspicious iframe or JavaScript at the end of the files (if detected, save the code in an external file)
  • look for any sources of “Drupal site hacked redirect”; for links to external URLs

     

Now, as for the places that you should be running your investigations on, let me give you just a few clues:

 

  • .php files, .html files 
  • sessions table 
  • newly modified/created files
  • new/updated user accounts 
  • in writable directories and database 

     

Step 9: Do a Full Restore of Your Site 

So, you've noticed that your Drupal site has been hacked, you've assessed all the damage caused, removed malware and even detected the vulnerability that hackers exploited to get in, not it's only but logical to:

Try to repair your website, right?

Word of caution: never ever run your changes on your production site; instead, fix all detected issues on a staging site. Also, once you've cleaned it all up, remember to run the latest Drupal security updates, as well!

Now, getting back to repairing your site, you have 2 options at hand:

 

  1. you either restore a clean backup, if you know the date and time that your Drupal site has been hacked and you're also 100% sure that none of the system components, other than Drupal, got contaminated
  2. or you rebuild your Drupal site 

     

The latter method is, undoubtedly more cumbersome, yet a lot more cautious. Go for it if:

 

  • you do not know the precise date and time when your site's got contaminated
  • you do not have a clean (and recent) backup available to restore
  • you've evaluated the damages as being already too widespread  

     

Step 10: Give Your Restored Site a Full Check Before Going Live 

Do remember to give your newly recovered site a final audit before getting it back up:

 

  • remove all malicious code detected
  • suspicious files
  • unauthorized settings

     

And, most of all:

Close all the backdoors!

 

Final Word 

A pretty long, complex and discouragingly tedious recovery process, don't you think? 

So, why wouldn't you avoid all these steps that you need to go through once your Drupal site has been hacked?

Why not avoid the risk of finding yourself forced to take your website offsite for... God knows how long, risking to impact your site's reputation and to drive away users/online customers?

Don't you find it wiser to:

 

  • be prepared instead?
  • opt for ongoing Drupal maintenance and support services?
  • make a habit of regularly backing up your website?
  • keep your system and software up to date (and to install all the recommended patches)?
  • stop underrating the security advisories that the Drupal team makes?

     
Development

We do Web development

Go to our Web development page!

Visit page!

Recommended Stories

Drupal Performance Optimization: 17 Drupal Caching Best Practices To Speed Up Your Page Load Time- Part 2
"How can I make my Drupal 8 website faster?" Are you still struggling with this? Still striving to figure out which are the best (and most straightforward) Drupal performance optimization techniques for your website? Well, here I am today with a handful of 9 more ways that you can speed up your Drupal site. In addition to the 8 ones that I covered in the first part of this post. And yes: it's another round of Drupal caching best practices that'll help you boost your page load time. So, let's dive right into it: Tip #9: Use the Dynamic Page Cache Module  ... to cache for both authenticated and anonymous users. Unlike the Internal Page Cache module, that I mentioned in Part 1, which only caches pages for anonymous users. Tip #10: Use Distributed Cache, A Highly Effective Drupal Performance Optimization Technique But how does it work, more precisely? Once you've installed a distributed cache, it'll store your database's cache tables (Drupal's "cache_" tables) either in: file or memory Tip #11: Enable Drupal Cache for Anonymous Users Another one of those quick, yet powerful Drupal performance tuning steps that you can take. Tip #12: Use Squid to Cache Images and Static Content on Your Website "How to optimize Drupal for better performance?" You could go for Squid, an open-source caching proxy server. Now, since Drupal's already famed for its particularly dynamic content, the only cases where Squid does make a great performance booster are those where you need to cache static content. Tip #13: Add a Front-End Cache (i.e.Varnish Cache) Here's another handy Drupal performance optimization method for you: Use Varnish Cache to reduce the load on your server. How does it do it? It stores the HTML response, so that next time that the same page is requested, it serves it from memory. The result? Bypassed PHP and web server and... improved page load time. Tip #14: Use the Advanced CSS/JS Aggregation Module to Improve the Front-End Performance of Your Website  Combining your assets together is one of the most straightforward and effective ways to address those Drupal performance issues on your website. From: file grouping to caching to compressing ... the AdvAgg module handles all the steps that you need to take to aggregate your CSS and JS files. Tip #15: Install Memcache to Reduce Your Database Load You know how you're often struggling with keeping your database load to a minimum by caching database objects in RAM? In this respect, Memcache makes a great Drupal 8 performance optimization technique. It helps you reduce that load on the database and boost your page loading time. How? By taking standard caches out of the database. And by caching the results of resource-intensive database operations... Tip #16: Use the Entity Cache Module to Cache... Entities   Another caching best practice to boost Drupal 8 with is installing the Entity Cache module.  And its name says it all: it helps you cache entities. Tip #17: Cache Views  Here's the situation: Page requests made by registered users on your website lead to loads of queries to your database. Which impact the page load time. Now, to query the database, views are being used. And this is where this views caching module comes in handy to... boost things in there.   The END! These are our 17 recommendations for you on the best Drupal performance optimization methods for boosting your page load time. Not thrilled about the idea of having to go through the... Memcache installation process or to configure Varnish for Drupal? Or to put your current projects on hold so that your team can set up a... distributed cache? Maybe you don't have a professional Drupal maintenance team that could handle all these caching settings? We're here to help! Just drop us a line and let's figure out which of these 17 techniques are best suited for your website and the specific performance issues that it's struggling with. Let's speed things up in there! Image by Izwar Muis from Pixabay   ... Read more
Silviu Serdaru / Jun 23'2020
Drupal Performance Optimization: 17 Drupal Caching Best Practices To Speed Up Your Page Load Time- Part 1
"Why is my Drupal site so slow?" "How do I speed up my Drupal website performance?" In other words, what Drupal performance optimization techniques should you use? Which is the: most budget-friendly quickest most straightforward most effective ... solution to those Drupal performance issues that are slowing down your website? Caching... And luckily, Drupal 8 (it is a Drupal 8 website that you have, isn't it?) "spoils" you with one of the most advanced caching systems out there. The trick is that you follow the Drupal caching best practices and use it to its full potential. Speaking of which, here's a list of 17 such best practices: * I'll be covering 8 of them in this post, leaving the 9 remaining ones for the next blog post. But First: What Is Caching? "What is the purpose of caching?" "How does caching improve performance?"  2 legitimate questions that you might be yourself right now. Let me start by defining the Drupal caching process: Once a user accesses a page on your website, content elements and web data from that specific page (images, HTML, CSS, etc.) get stored in an accessible space. When that user visits the same web page again, your website will serve him/her the cached version of the content.  That if you haven't updated it since his/her last visit, of course... And this translates into: reduced bandwidth faster page loads Tip #1: Use the Internal Page Cache Module to Cache Pages for Anonymous Users   Say you have an "Add to cart" functionality for anonymous users on your eCommerce website. You can use this module to cache precisely this functionality. A Drupal performance optimization tweak that'll take you less than a minute to set up. Tip #2: Go for the Best Suited Tools for Heavy Traffic Drupal Sites Say you have a fairly busy Drupal 8 website. You've turned on caching in your performance settings, but... you haven't noticed any significant impact on your site's loading speed. So, you need to bring in the heavy artillery. To use powerful caching tools designed for high traffic websites. Here are some of the best tools and optimization techniques to try: switch to a Drupal-specialized hosting provider like Pantheon or Acquia move your database to its own VM/container (that if you still have it running locally, on your Drupal web server) upgrade to PHP 7.1.0 Enable OPcache via php.ini.  Put a proxy (i.e. Nginx) in front of your server Tip #3: Enable Block Cache - A Quick and Easy Drupal Performance Optimization Solution How to increase Drupal 8 performance? You cache those blocks that don't get updated frequently (like from one user to another). Tip #4: Use Views Content Cache to Update Upon Content Changes Only How does this Drupal module help you optimize your website for better performance? It allows you to expire views caches every time you update or remove content. The great thing about this caching method is that you get to cache blocks that appear on thousands of pages. Tip #5: Use a Content Delivery Network By far the most powerful Drupal performance optimization solution for your website. Why? Here are the 2 strongest reasons why you'd want to use a CDN to cache the static content (files, CSS, images, JS, fonts...) on your website: you keep the network delay to a minimum since your CDN has endpoints across the globe you get a better page loading time: your CDN has a domain different from your website's, so web browsers load content requests to your domain in parallel with the content coming from the CDN Tip #6: Set a Far Future Expiration Date for Your Static Assets Set up a "Newer expire" policy for your static components (e.g. use a far future Expires header) Tip #7: Use Redis as a Drupal Performance Optimization Technique to Store Large Amounts of Data Data that wouldn't fit into your server. "But what is Redis?" you ask? An in-memory store optimized for high-performance. Tip #8: Set the Maximum Time that Your Pages Can Remain Cached Another one of the Drupal caching best practices is setting the maximum amount of time that browsers should keep your cached data. The END of Part 1! And these are but 8 Drupal performance optimization solutions focused on caching. I have a whole list of 17 tips ready to share with you... So, stay tuned for another round of simple and effective caching techniques that'll help you speed up your website... But what if you don't have the time or the people in your team that you could assign tasks like: enable a block cache set up Redis  install the... views_content_cache module ...?  What if you could have a dedicated Drupal maintenance team implement all these performance optimization techniques on your website for you? We're ready to help you speed things up on your website. Drop us a line and let's set up the best caching strategy for your Drupal website. Image by mohamed Hassan from Pixabay   ... Read more
Silviu Serdaru / Jun 19'2020
What Are Some Good Examples of Drupal Sites for Nonprofit Organizations? Top 10 Nonprofit Websites Built with Drupal
Feeling a bit... uninspired? Or maybe you just don't see why you should consider Drupal for your NGO website? What if you could have a look at the top 10 nonprofit websites built with Drupal? And we're talking here about some of the world's most influential charity and non-profit organizations. Here are the 2 main criteria that we've used for putting together this top:   to be straightforward and easy to navigate to be visually pleasing and engaging: a clean and simple design helps the NGO's message shine through   Are these your own requirements, as well, for your non-profit website? Then, get ready to find plenty of inspiration by scanning through these great examples of what other non-profits have managed to do with Drupal: 1. Equal Opportunity Community Initiative  Who is EOCI?  The organization defines its own mission so clearly on its website: “... to build a world where children have equal opportunities to reach their dreams.” And all their projects and initiatives converge to meet this goal: providing equal access to educational resources for all children. Equal opportunity to compete and to succeed. The website that we've built for this international profit (revamping an age-old site, with little traffic and low conversion rate) is still one of the projects in our portfolio that we're most proud of. What makes it a great nonprofit website?   it's visually engaging: it tells a compelling story through visuals it's well-organized and easy to navigate: Drupal 8 has made it easier for us to structure content and to put together an information architecture that's easy to step through it's fast: the better the user experience, the higher the chances that they should turn themselves into the future volunteers or donors supporting the EOCI's initiatives   “The site’s beautiful and performing exactly how we’d hoped it would. The company that manages our Google Ads has found that our conversions have increased...  A couple of our donors are thrilled with the website and have committed their support again. They’re happy to be on the partners' page with a fresh look and approach to the public.” (Sean Kelly, Executive Director, Equal Opportunity Community Initiative, Source: Clutch.co)  2. Rotary International, One of the Top 10 Nonprofit Websites Built with Drupal  Who hasn't heard of Rotary International? A global network of community volunteers (1.2 million leaders and problem-solvers) actively involved in a wide variety of campaigns:   kicking Polo out of Africa providing clean water growing local economies supporting education   Why did they go for Drupal? For 2 strong reasons:   it's flexible: there's a module for almost any feature, any functionality they needed to implement to their nonprofit website it's extensible: no matter how "ambitious" the organization's future causes and campaigns and expectations from their website might get, Drupal's built to scale up to their growing needs 3. Doctors Without Borders Probably one of the best examples of nonprofit websites built with Drupal is Doctors Without Borders (Médecins Sans Frontières). A Nobel Prize-awarded organization of volunteering doctors, nurses, other staff, and journalists. Their mission? Providing medical aid to people affected by pandemics, epidemics, natural disasters, or armed conflicts, no matter their sex, nationality, religion, or political affiliation. Why Drupal?   because it's a multisite network that this global NGO needed and Drupal's famed for its built-in multi-site support. because Drupal's robust enough to withstand massive amounts of traffic (it's the biggest NGO in the world), all while being a conveniently flexible content management solution. 4. Habitat for Humanity International (HFHI)   Another one of the top 10 nonprofit websites built with Drupal. HFHI is an international, Christian NGO with a clear mission: building and renovating houses for low-income people.  To carry out its mission, it brings together donors, volunteers, and members of the families in need, who're co-opted in the process of building/repairing their own houses. How come their website is built on Drupal 8?   Drupal 8 is mobile-ready right out of the box it's open-source, which translates into lower costs it's flexible enough to empower their team to create, update, publish, and manage content on the go it scales to meet all the organization's future needs it ships with outstanding multi-language support it's fast 5. World Vision International "What are the most popular nonprofit websites that run in Drupal?" World Vision International's website is listed in any "top 5". No wonder:   the organization is the world's largest international children charity their website taps into Drupal 8's best features: easy third-party integration, freedom of customization, flexibility, and scalability guaranteed by its rich module collection   A nonprofit multisite that tells a series of highly compelling stories and grants a simplified donation process. 6. Human Rights Watch   A worldwide known independent organization, headquartered in New York, dedicated to protecting human rights.  And they define their own cause better than anyone else: "... we give voice to the oppressed and hold oppressors accountable for their crimes.”  Why did one of the most powerful NGOs in the world opt for Drupal?   because it's the best option for multilingual websites because it makes it easy to keep consistency while "joggling with" multiple content types  because it empowers content authors and editors to publish content quick and easy 7. Save the Children Spain   A member of the Save the Children International — the world's leading NGO dedicated to protecting and improving children's lives — Save the Children Spain has its website running on Drupal 8. And it is, by far, one of the 10 best nonprofit websites out there. Not just due to the global reputation of this humanitarian organization, but thanks to the complex needs that the Drupal website manages to meet:   it handles an entire network of operations that are critical for the NGO's activities: donations, news publishing, crowd fundings, training, collecting signatures, communicating with the press, etc. it withstands large influxes of traffic it supports a multi-site infrastructure it makes it easy for multiple teams (see Drupal's granular permission and access control system) to operate on the website, to integrate the tools they need for doing their work it integrates easily with all kinds of e-commerce third-party platforms (needed for their donation process, signature, membership, etc.) 8. Great Ormond Street Hospital Children's Charity   One of the UK's largest charities, Great Ormond Street Hospital Children's Charity (GOSH ) is dedicated to supporting the Bloomsbury-based children hospital and its patients. How? By focusing their efforts in 4 major areas:   supporting the little patients and their families investing in rebuilding and renovation projects pioneering research into children's health investing in life-saving medical equipment   When did Drupal come into the picture?  When the charity looked for a platform that would provide them with:   scalable architecture for their website, robust enough to scale up and down, to their fluctuating levels of traffic multi-site support, out of the box: GOSH.org is made out of 2 large websites and an ecosystem of 10 different sub-sites easy third-party integration: they needed to keep the same staff, so they looked to streamline their team's work, by integrating time-saving tools  9. The Wildlife Trusts We couldn't have left the Wildlife Trusts website out of our list Drupal nonprofit organization websites that stand out. The UK-wide group, comprising 45 local Wildlife Trusts, shares a common interest in preserving the wildlife and the biodiversity in their local area. And we're here talking about 2,300 nature reserves, on 98,000 hectares. 46 different independent charities, each with its specific activities, constitution, and membership criteria, under one “umbrella”? This multi-site project had “Drupal” written all over it... Now, let me outline, briefly, the key reasons why Wildlife Trusts has chosen Drupal for its website:   it provides great multi-site capabilities: the organization wanted to empower each trust to control its own content creation and publishing process, but they still needed some sort of a “central hub” it provides outstanding content management capabilities, much needed in this case, where huge volumes of content had to be managed effectively it meets their need of delivering the best mobile user experience it empowers the Wildlife Trusts editors to tailor page layouts as needed: and we're talking here about a multi-site that's rich in stunning visuals and video content 10. Top 10 Nonprofit Websites Built with Drupal: Allard Prize for International Integrity Another project from our portfolio that we're particularly proud of. The Allard Prize for International Integritiy is a photography competition that recognizes and awards people and organisations standing out through their efforts in fighting corruption and defending human rights. Why did they go with Drupal?   because they wanted to give their website a performance boost because Drupal provides them with a reliable translation system, a crucial feature when dealing with a global audience In Short, Why Would You Choose Drupal for Your Nonprofit Website? Here's a short inventory of the main reasons why you'd choose Drupal for setting up your nonprofit website:   you save money (Drupal's open-source) you get your multi-site, multi-language website ready to go in no time (especially if you opt for a Drupal distribution) you're free to further extend your website's capabilities by adding new modules and integrating new third-party apps  you get robust SEO features right out of the box you get a website that scales to fluctuating levels of traffic  you get to categorize, neatly structure, create, edit, publish, and manage your content quick and easy you're free to customize your page layouts to your liking   Need help setting everything up? Just send us a message with your feature requirements and specific expectations from your future nonprofit website and let's get your message out there. ... Read more
Adriana Cacoveanu / Jun 05'2020