Drupal is one of the prominent choices for a content management system (CMS) platform, and both small and big organizations that use it are equally vulnerable to the security issues that pop up now and then, which warrant immediate action by developers as well. Everyone talks about being hacked, what to do to keep it from happening, what to do after it happens, and everything in between, but what indicates a hacked Drupal site is rarely talked about.
Since a hack may not show up as an obvious sign or indication, site owners often have to look for underlying symptoms and signs that support the suspicion.
Here are some of the signs you can look out for:
- Unable to log in using old login credentials
If you log in to your Drupal site one fine morning and find that you’re unable to enter with what you are pretty sure are your login credentials, unless a co-owner of the site pranked you, there is a significant possibility that you’ve been hacked. Hackers will often resort to such tactics to keep you away from your site while they manipulate the content or insert malicious content.
- Verify the new users created
After logging into your Drupal administrator account, if you find that new users have been created, you first need to recall whether you've set up permissions for anonymous registrations. If the website wasn't set up to accept such registrations, then this is a vital sign of being hacked, as hackers often prefer to give themselves user accounts with explicit administrative powers so they can misuse them as much as possible.
If you have provided an outlet for anonymous registrations on the site, you still need to verify the new users that have been created, whether they are old or new, verified or suspicious, and if they have been assigned the administrator role. Check out any new roles that you’ve not personally created, and analyze if any old user’s accounts have been compromised due to any vulnerability on their side.
It’s not always this easy, but sometimes the new roles are simply named ‘hacker’, ‘config’, or ‘admin’ or something as random as a string of characters.
- Your site is defaced
This one should also be a fairly obvious sign of a hacking attempt, because your content isn't where it should be and the installation has been tampered with. Content may have been removed, or unwanted content may have been added to the pages: malicious code, images, or pop-up ads splattered all over the site. It might also be a simple page that shows a message from the hacker indicating that the site is compromised.
- Check your Drupal installation files
When browsing through the installation files, if you run across files in the Drupal root or subdirectories that were not placed there by you, this is also a strong sign that your site has been compromised. Some of the common names that hackers may adopt, and that leave owners confused at first glance, include 'index2.php', '1ndex.php', etc. Other files, such as 'payload.php', can be more dangerous and add to the likelihood of a hack.
If such files are found, immediately check all installation files and subdirectories, because it is very possible that the hackers have left some sort of 'backdoor' to make it easy for them to enter again and insert malicious content or compromise the data as and when they please. Simply deleting newly modified or infected files is therefore not a permanent solution.
- Nothing’s visible on the site
Usually, this shows up as a colored screen (white, red, black, etc.) that makes your site inaccessible to anyone, and you're not able to see any of the content either. Once you rule out a malfunction due to technical reasons (an overloaded server or a simple error), this can be taken as a sign that the site has been hacked. Another symptom is the site appearing to load something that never reaches completion and seems never-ending.
- Not able to access your control panel
This can be a dangerous loophole since it's possible that the hacker has escalated the privileges gained from the server to cement their access to cPanel/SSH, or even the web hosting control panel (it makes it easier for them, and more difficult for you, if you use the same password for accessing all your accounts or an insecure one such as '1234').
Many other indications apart from these can be visible, such as suspicious slowness in loading, redirects to other sites filled with spam words and infected external links, or visible changes to the server configuration, among others. It is important to quickly recognize that the site has been compromised before you can move forward with the steps for resolution.