Drupal EngineHack Detection Website

Oh Dear monitors your entire site, not just the homepage. We crawl and search for broken pages and mixed content, send alerts when your site is down and notify you on expiring SSL certificates.

Start your free 10 day trial! »

Profile image of Mattias Geniar

Mattias Geniar, April 27, 2015

Follow me on Twitter as @mattiasgeniar

A while ago, I found several Drupal websites that have been compromised by the same sneaky malware. Since then I’ve encountered dozens more with the same symptoms. To facilitate detection and raise awareness, I’ve created a simple check-website that can scan your Drupal installation.

Drupal EngineHack

The hack was originally discussed here: Drupal engine_ssid_ And engine_ssl_ cookies: You’ve Been Hacked.

Since then, at seemingly random intervals, I’ve encountered more and more of these kind of hacked sites.

Update: the check-site is now offline.

So to make it easier for me and my colleagues to detect these hacks, I’ve put together a simple website that can check your own site: enginehack.ma.ttias.be.

drupal_enginehack

It doesn’t have a fancy name and it lacks a logo, but I consider it a large-scale compromise of Drupal systems. It may even be huge, just not well known.

Because the hack doesn’t immediately stand out – the site continues to work without issues – there are probably many Drupal installations that have been hacked for months, where the site admin hasn’t even noticed.

Scan result

Please use the scan on the website and share it with everyone who uses Drupal. I’m hoping every gets to see an “OK” message like this one.

drupal_enginehack_ok

If you’re unlucky, you’ll see this kind of message:

drupal_enginehack_problem

The confirmation page will list resources to help you deal with the hack, how to cleanup and how to get prevent a similar attack from happening.

Open Source: contributions!

If you spot any errors or have better methods for detecting the hack, the project is entirely open source and you can contribute on Github:

github.com/mattiasgeniar/drupal-enginehack-detector.

Project URL: enginehack.ma.ttias.be.

Good luck!



Want to subscribe to the cron.weekly newsletter?

I write a weekly-ish newsletter on Linux, open source & webdevelopment called cron.weekly.

It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.

No spam. Just some good, practical Linux & open source content.