tags:

views:

38

answers:

1
Q: 

Help with potential trojan passed through site

So I'm pretty sure my site's been infected with some kind of trojan or virus that attached itself to the scripting within the site. Every time I try and update my Drupal-based site, I get a white screen with this stupid "i'mhere" message. Upon reload, the changes will take affect but I don't know what this is doing once changes are saved. This only pops up while adminstering the site, I.E. posting new content, activating/deactivating modules etc.

Problem is, I haven't the faintest idea how or where to go to remove this. The source code doesn't make reference to any malicious code. It isn't the iFrame link kind of trojan that I've seen brought up through trying to find an answer to this problem.

Things I've tried:

-Scanned computer multiple times for virus (supposedly these things attack insecure FTP data & hijack your client to upload malicious code)

-Changed FTP credentials

-Changed admin user passwords to the backend of the site (Drupal login)

-Updated Drupal

Nothing's worked so far and I'm at my wit's end trying to figure this out. Any tips in the right direction would be greatly appreciated.

A: 

Assuming the problem is really Drupal, first check to see if there's some code in a module somewhere firing during a form submit. If you have shell access and it's a Unix/Linux/etc.-based server, navigate to the Drupal directory and run:

grep -r "i\'mhere" *

This will tell you if it exists in code and what file contains it. If it's a module (likely), disable it and either see if there's an update or modify it yourself.

If it's not in code, check your database. Create a dump of your database, and run:

cat databasedump.sql | grep "i\'mhere"

Where databasedump.sql is the name of the database dump you just created. This should at least give you a general idea of what table the data exists in. Then, you can decide how you want to proceed: restore from a previous backup, delete the offending data, etc.

If it's not in either, it might be local. Check with others to see if it's occurring for them.

If it's not local, you've got something really nasty and hopefully someone else has some other ideas on what you can check. :)

Mark Trapp  2010-07-27 01:49:49
Mark - Thanks for the suggestions; much appreciated.I've switched back and forth between an older database and the one I have now and the problems only occur with the new database. So I've got that down, at least.The problem has been pinpointing this code. Nothing is popping up with either query in regards to the "i'mhere" message.Is it being masked somehow? Might there be some other way of finding it? I'd really prefer not having to start from scratch with the old database; plus I'm afraid the problem will just pop back up again.
Blair MacGregor  2010-07-27 21:35:12
If it's obfuscated, you got me as to how to precede other than a rollback: there's an infinite number of ways to obfuscate text. If you can, I'd at least set up a mirror of the site from an earlier state to see if it really is Drupal causing the issue. It might save you at least some heartache if the problem occurs even in earlier states of the site: it would indicate the problem isn't with Drupal, but somewhere else. If you do this, you're going to want to restore both the DB and the code. Using an earlier backup of the DB won't discount issues with obfuscated code somewhere.
Mark Trapp  2010-07-27 22:23:17

related questions

Batch node operations in Drupal 5
How do you make php's json_decode compatible with firefox's javascript?
Drupal CSS URL Problem
Is it possible to deploy an already built Drupal site?
php Access violation
Creating an online catalogue using Drupal, what are the best modules/techniques?
How do I upgrade from Drupal 5 to 6?
How does AOP work in Drupal?
Any quirks I should be aware of in Drupal's XML-RPC and BlogAPI implementations?
What is the simplest way to handle images in Drupal?
How can I change some of Drupal's default menu strings without hacking the core files or using the String Override plugin?
Why is my Drupal site logging out users when a Javascript function is called?
How do I add a "last" class on the last <li> within a Views-generated list?
How do I determine if I should install Drupal 5.x or 6.x?
Missing label on Drupal 5 CCK single on/off checkbox
learning drupal fast track: how to create a stackoverflow clone?
How do you remove the default title and body fields in a CCK generated Drupal content-type?
How do I create a node from a cron job in drupal?
How to quickly theme a view?
Where is the best place to get Drupal & Sugar CRM developers?
How to get rid of Javascript Runtime Errors when running PDT + XDebug in Eclipse?
What makes Drupal better/different from Joomla
Include CSS or Javascript file for specific node in Drupal 6
What version of TinyMCE will work in Drupal 5 with google chrome?
How can I change the way my Drupal theme displays the front page