
My Drupal 7.28 site has been hacked through the tmp dir which was not protec


Question

My Drupal 7.28 site has been hacked through the tmp dir, which was not protected by an .htaccess file. The hacker managed to delete the main .htaccess file and upload some bogus google docs 2014 directory with php files to the site. After some work I managed to fix the site by getting rid of the offending php files and replacing the .htaccess files. Everything is fine now except that he/she managed to create a phishing form called gmail_webmail.html which originally comes with Google docs. This form, which was originally a file he uploaded and I deleted, is still viewable on my site. I don't know how he did it. There is no html file called gmail_webmail.html in the root Drupal directory, yet when I go to www.mysite/gmail_webmail.html I get this form, which Norton blocks right away. Google also warned me of the existence of this form. It is not a module as far as I can tell. Can anyone help? Thank you in advance.

Explanation / Answer

If you have backups of your site, I would remove all of your files and start again from a known good backup. I would imagine there is a tiny bit of code somewhere redirecting to this bad page, probably buried in a comment or obfuscated to look harmless.

Change the passwords to all of your admin areas, webmail consoles, SSH, FTP access, etc.

It might also help to google the first line of whatever file is being displayed, as this may show you similar sites which have been hacked or blogs which give you a bit more info on how it maintains persistence.
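The file hunt suggested in the answer can be scripted. The following is an added example, not part of the original answer: it walks a web root and flags files that reference the phantom page name, scripts sitting in upload or temp directories, and common PHP obfuscation calls. The directory list, the regex and the sample tree are assumptions constructed for illustration, and the scan covers files only, not content stored in the Drupal database.

```python
import os
import re

# Assumption: PHP calls often used to hide injected code; core and modules also
# use some of them, so a match is a lead to review, not proof.
OBFUSCATION = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(")
# Assumption: upload/temp directories where PHP scripts are not expected.
WRITABLE_DIRS = ("sites/default/files/", "tmp/")
SCRIPT_EXT = (".php", ".phtml", ".inc")


def scan_docroot(docroot, phantom_name):
    """Return sorted (relative_path, reason) findings for a web root."""
    # Rewrite rules escape the dot ("gmail_webmail\.html"), so accept both forms.
    parts = [re.escape(p) for p in phantom_name.encode().split(b".")]
    phantom = re.compile(rb"\\?\.".join(parts))
    findings = set()
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            try:
                with open(full, "rb") as fh:
                    data = fh.read(2_000_000)  # cap bytes read per file
            except OSError:
                continue
            if phantom.search(data):
                findings.add((rel, "references phantom page"))
            if name.lower().endswith(SCRIPT_EXT):
                if rel.startswith(WRITABLE_DIRS):
                    findings.add((rel, "script in writable directory"))
                if OBFUSCATION.search(data):
                    findings.add((rel, "obfuscation idiom"))
    return sorted(findings)


def build_sample_tree(root):
    """Write a constructed sample tree (not the site from the question)."""
    samples = {
        "index.php": b"<?php require 'includes/bootstrap.inc';",
        ".htaccess": b"RewriteRule ^gmail_webmail\\.html$ sites/default/files/x.php [L]\n",
        "sites/default/files/x.php": b"<?php eval(base64_decode('ZWNobyAxOw=='));",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
```

Call `scan_docroot()` with the path to the site's document root and the name of the page that is still being served, then review each finding by hand against a known good copy of the code.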
