So I'm pretty sure my site's been infected with some kind of trojan or virus that attached itself to the scripting within the site. Every time I try and update my Drupal-based site, I get a white screen with this stupid "i'mhere" message. Upon reload, the changes will take effect, but I don't know what this is doing once changes are saved. This only pops up while administering the site, i.e. posting new content, activating/deactivating modules, etc.

Problem is, I haven't the faintest idea how or where to go to remove this. The source code doesn't make reference to any malicious code. It isn't the iFrame link kind of trojan that I've seen brought up through trying to find an answer to this problem.

Things I've tried:

- Scanned computer multiple times for viruses (supposedly these things attack insecure FTP data and hijack your client to upload malicious code)

- Changed FTP credentials

- Changed admin user passwords to the backend of the site (Drupal login)

- Updated Drupal

Nothing's worked so far and I'm at my wit's end trying to figure this out. Any tips in the right direction would be greatly appreciated.

A: 

Assuming the problem is really Drupal, first check to see if there's some code in a module somewhere firing during a form submit. If you have shell access and it's a Unix/Linux/etc.-based server, navigate to the Drupal directory and run:

grep -rF "i'mhere" .   # -F: match the literal string (the apostrophe is not a regex or shell escape); "." also covers dotfiles such as .htaccess

This will tell you if it exists in code and what file contains it. If it's a module (likely), disable it and either see if there's an update or modify it yourself.

If it's not in code, check your database. Create a dump of your database, and run:

grep -F "i'mhere" databasedump.sql

Where databasedump.sql is the name of the database dump you just created. This should at least give you a general idea of what table the data exists in. Then, you can decide how you want to proceed: restore from a previous backup, delete the offending data, etc.

If it's not in either, it might be local. Check with others to see if it's occurring for them.

If it's not local, you've got something really nasty and hopefully someone else has some other ideas on what you can check. :)

Mark Trapp
Mark - Thanks for the suggestions; much appreciated. I've switched back and forth between an older database and the one I have now, and the problems only occur with the new database. So I've got that down, at least. The problem has been pinpointing this code. Nothing is popping up with either query in regards to the "i'mhere" message. Is it being masked somehow? Might there be some other way of finding it? I'd really prefer not having to start from scratch with the old database; plus I'm afraid the problem will just pop back up again.
Blair MacGregor
If it's obfuscated, you've got me as to how to proceed other than a rollback: there's an infinite number of ways to obfuscate text. If you can, I'd at least set up a mirror of the site from an earlier state to see if it really is Drupal causing the issue. It might save you at least some heartache if the problem occurs even in earlier states of the site: it would indicate the problem isn't with Drupal, but somewhere else. If you do this, you're going to want to restore both the DB and the code. Using an earlier backup of the DB won't discount issues with obfuscated code somewhere.
Mark Trapp
