
URL hijacked for spam

@Sue5673885

Posted in: #Drupal #Hacking #Security #Server #Url

I'm the Webmaster and administrator for a site, built on Drupal 7. I've updated Drupal to the latest version. My issue is that it seems as if someone or somebot is using our url. Has my legitimate site/server been hacked? Also when searching site:sitename through Google, our legitimate site is the first hit, however all these spam links using our url follow the search results.

I posted this issue in another forum and someone mentioned that it was an issue with the server having a default, self-signed SSL certificate. This would make sense if the spam links didn't exist, and they didn't lead to spam sneaker sites. The clicks/impressions are also showing up in the thousands in our analytics; we only average about 200-300 users per day.


2 Comments


@Shanna517

Analyzing this remotely is almost impossible, but here’s my guess:

1. You did not patch/update your Drupal installation quickly after the security advisory SA-CORE-2014-005 was published. This was a highly critical vulnerability, referred to as "Drupageddon".
2. An attacker exploited the vulnerability and got access to your installation.
3. The attacker created various spam pages which got indexed by Google (these appear empty and send 404 when visited directly, but you get redirected to an external site when your Referer indicates you’re coming from Google).

Of course an attacker might have done much more damage than just creating these spam pages (creating/changing admin accounts, infecting files you offer for download with viruses, accessing protected content, downloading email addresses of all registered users, etc.).

Recovering from Drupageddon is hard, as an attacker could have placed malicious code in your database which gets executed by Drupal even if you have removed any manipulated files, infecting your installation again. If possible, you should probably use a backup from before 2014-10-15.

Answers on "Drupal SA-CORE-2014-005 - How to tell if my server / sites were compromised?" have some tips.

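One way to check your own site for the Referer-dependent cloaking described in this answer, as an added example that is not part of the original thread: it fetches a suspect URL twice, once plainly and once with a Google Referer, without following redirects, and flags the 404-direct / redirect-offsite split. The URL, hostnames, Referer value and function names are assumptions; `classify()` is pure so it can be driven from captured responses as well.

```python
import urllib.request
import urllib.error
from urllib.parse import urlsplit

# Constructed Referer value standing in for a real Google search result click.
GOOGLE_REFERER = "https://www.google.com/"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make 3xx responses surface as HTTPError so the Location header stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, referer=None):
    """Request url once (optionally with a Referer) and return (status, Location)."""
    req = urllib.request.Request(url, headers={"User-Agent": "cloak-check/0.1"})
    if referer:
        req.add_header("Referer", referer)
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")


def classify(site_host, direct, via_google):
    """Compare a plain fetch with a Google-referred fetch of the same URL.

    direct / via_google are (status, location) pairs as returned by fetch().
    'cloaked-redirect' is the pattern from the answer: a 404 (or other non-3xx)
    when visited directly, but a redirect to a foreign host when the Referer
    says the visitor came from Google.
    """
    d_status, _ = direct
    g_status, g_loc = via_google
    if 300 <= g_status < 400 and g_loc:
        target = urlsplit(g_loc).hostname or ""
        if target and target != site_host and not target.endswith("." + site_host):
            return "cloaked-redirect" if d_status != g_status else "offsite-redirect"
    if d_status != g_status:
        return "referer-dependent"
    return "consistent"


def check(url):
    """Live check of one URL, e.g. a suspicious hit from a site: search."""
    host = urlsplit(url).hostname
    return classify(host, fetch(url), fetch(url, GOOGLE_REFERER))
```

Run `check()` over the spam URLs Google lists for your domain; anything other than "consistent" is worth inspecting, and "cloaked-redirect" matches the behaviour this answer describes.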

@Sherry384

Yep! You were hacked. You have been hacked for a period of time too.

Not to panic! It happens enough and can potentially be a low-level breach that can be fixed with not too much worry.

HTTPS vs. HTTP is another protocol and not another site. Theoretically, these should be the same site served as either HTTP protocol port 80 or secured/encrypted HTTP (HTTPS) protocol port 443.

So your cic.nyu.edu (IP address: 128.122.215.41) has been compromised. You want to get a network administrator immediately or at least experienced help immediately. You need to ensure that you are running an up-to-date anti-virus, I use ClamAV for Linux, and that you scan the entire set of hard drives including rootkit and other options to fully ensure that it is virus free. Then you want to close off all avenues of entry by updating all software including and especially web-based applications. Next, you have to find where and how the various pages live and remove them. Much of this will take detective work. You can take notes on what applications exist on your server including web applications and the version numbers of each and search for vulnerabilities using the NVD database found here: web.nvd.nist.gov/view/vuln/search?execution=e2s1. This should help you to understand how the hackers got into your system.

It is also important to check all user accounts for your system including any web based accounts. Check for unknown accounts and terminate or suspend them if you are not sure. As well, update the passwords of all remaining accounts with strong passwords that are new and unique.

It is important to know that likely your domain name/IP address has been black-listed as being compromised. If not, then you are lucky. You can check the status here: mxtoolbox.com/blacklists.aspx. You will need to enter both the domain name and IP address to be sure. Follow any directions provided for removal. You may have to go to the blacklist site to know what that is. The system admin will understand this if you don't.

For the future, if you are not using HTTPS, then you want to redirect all HTTPS requests to HTTP (assuming Apache) using the apache2.conf or .htaccess files. It may help to close off IP/port 128.122.215.41:443 at the firewall. Any network admin should be thrilled you asked and may require being picked up off of the floor before complying. Make sure you have smelling salts handy.
