Drupal EngineHack Detection Website

Mattias Geniar, Monday, April 27, 2015

A while ago, I found several Drupal websites that have been compromised by the same sneaky malware. Since then I've encountered dozens more with the same symptoms. To facilitate detection and raise awareness, I've created a simple check-website that can scan your Drupal installation.

Drupal EngineHack

The hack was originally discussed here: Drupal engine_ssid_ And engine_ssl_ cookies: You’ve Been Hacked.

Since then, at seemingly random intervals, I've encountered more and more of these kinds of hacked sites.

So to make it easier for me and my colleagues to detect these hacks, I've put together a simple website that can check your own site: enginehack.ma.ttias.be.

[Image: drupal_enginehack]

It doesn't have a fancy name and it lacks a logo, but I consider it a large-scale compromise of Drupal systems. It may even be huge, just not well known.

Because the hack doesn't immediately stand out -- the site continues to work without issues -- there are probably many Drupal installations that have been hacked for months, where the site admin hasn't even noticed.

Scan result

Please use the scan on the website and share it with everyone who uses Drupal. I'm hoping everyone gets to see an "OK" message like this one.

[Image: drupal_enginehack_ok]

If you're unlucky, you'll see this kind of message:

[Image: drupal_enginehack_problem]

The confirmation page will list resources to help you deal with the hack, how to clean up and how to prevent a similar attack from happening.

Open Source: contributions!

If you spot any errors or have better methods for detecting the hack, the project is entirely open source and you can contribute on GitHub:
github.com/mattiasgeniar/drupal-enginehack-detector.

Project URL: enginehack.ma.ttias.be.

Good luck!



Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek, public speaker and podcaster. Currently working on DNS Spy. Follow me on Twitter as @mattiasgeniar.
