Drupal EngineHack Detection Website

Mattias Geniar, Monday, April 27, 2015

A while ago, I found several Drupal websites that have been compromised by the same sneaky malware. Since then I've encountered dozens more with the same symptoms. To facilitate detection and raise awareness, I've created a simple check-website that can scan your Drupal installation.

Drupal EngineHack

The hack was originally discussed here: Drupal engine_ssid_ And engine_ssl_ cookies: You’ve Been Hacked.

Since then, at seemingly random intervals, I've encountered more and more of this kind of hacked site.

So to make it easier for me and my colleagues to detect these hacks, I've put together a simple website that can check your own site: enginehack.ma.ttias.be.


It doesn't have a fancy name and it lacks a logo, but I consider it a large-scale compromise of Drupal systems. It may even be huge, just not well known.

Because the hack doesn't immediately stand out -- the site continues to work without issues -- there are probably many Drupal installations that have been hacked for months, where the site admin hasn't even noticed.
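As an added example (not code from this post or from the enginehack project): a minimal check for the cookie names in the linked post's title, assuming the indicator shows up as `Set-Cookie` response headers whose names start with `engine_ssid_` or `engine_ssl_`. The function names, hostnames and sample headers are constructed for illustration.

```python
# Cookie-name prefixes taken from the title of the post linked above.
INDICATOR_PREFIXES = ("engine_ssid_", "engine_ssl_")


def cookie_names(raw_headers: str) -> list[str]:
    """Return the names of all cookies set in a raw HTTP response header block."""
    names = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        # Header field names are case-insensitive; the status line has no colon.
        if not sep or field.strip().lower() != "set-cookie":
            continue
        # The cookie name is everything before the first '=' of the header value.
        name = value.split("=", 1)[0].strip()
        if name:
            names.append(name)
    return names


def enginehack_indicators(raw_headers: str) -> list[str]:
    """Cookie names that match the indicator prefixes (assumed detection rule)."""
    return [n for n in cookie_names(raw_headers) if n.startswith(INDICATOR_PREFIXES)]


def scan(responses: dict[str, str]) -> dict[str, list[str]]:
    """Map each host to its matching cookie names; hosts without a match are omitted."""
    hits = {host: enginehack_indicators(hdrs) for host, hdrs in responses.items()}
    return {host: names for host, names in hits.items() if names}


# Constructed sample responses, e.g. what `curl -sI` would print for each site.
SAMPLE_RESPONSES = {
    "clean.example.org": (
        "HTTP/1.1 200 OK\r\nServer: nginx\r\n"
        "Set-Cookie: SESSabc123=def456; path=/; HttpOnly\r\n"
        # The prefix appears only in the cookie value, so it must not match.
        "set-cookie: note=engine_ssl_in_value_only; path=/\r\n"
    ),
    "suspect.example.net": (
        "HTTP/1.1 200 OK\r\n"
        "Set-Cookie: SESSabc123=def456; path=/\r\n"
        "Set-Cookie: engine_ssid_0000=1111; path=/\r\n"
        "SET-COOKIE: engine_ssl_0000=2222; path=/\r\n"
    ),
}

if __name__ == "__main__":
    for host, names in scan(SAMPLE_RESPONSES).items():
        print(f"{host}: suspicious cookies {names}")
```

A match only says the site deserves a closer look; an empty result does not prove the site is clean.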

Scan result

Please use the scan on the website and share it with everyone who uses Drupal. I'm hoping everyone gets to see an "OK" message like this one.


If you're unlucky, you'll see this kind of message:


The confirmation page will list resources to help you deal with the hack, how to clean up and how to prevent a similar attack from happening.

Open Source: contributions!

If you spot any errors or have better methods for detecting the hack, the project is entirely open source and you can contribute on GitHub:

Project URL: enginehack.ma.ttias.be.

Good luck!
