Getting hacked, and how to fix it

Back in 2010, a couple of my buddies and I started a website where we could review, preview, and just write down our thoughts about video games. A year before that, I learned of the Content Management System Drupal, which is open source, and has a pretty good community behind it. became my focus for the next few months. About six months later, I decided to upgrade the site from what was in style then, Drupal 6, to what was the future, Drupal 7. 


Not only did I focus on writing content, but I also wanted it to be easy for my non-coder friends to easily put up articles. Drupal 7’s more advanced modules allowed for better support for image manipulation, SEO tools, and for content publishing.


In terms of image manipulation, I had it set up so that the author of the content would simply upload one hi-res image, and then the CMS would take care of creating copies for the different areas where the image  would show up like the main slider on the homage, the article image, and article list icons. It would also crop them as necessary, and even add a watermark without anyone needing to take time away from writing to handle these mundane tasks.


For SEO, the author would write down a few keywords, but besides that, the system had some auto keywords that it would always use, and it would take the title of the post and use it as the page title. It would also take the preview blurb and use that as the page description. 


In short, our CMS was pretty advanced, but it was dependent on not only core Drupal, but upon a huge variety of modules, some of which depended upon other modules to work correctly. Because of work and a shift in projects, my buddies and I eventually stopped writing as much as we wanted to, and so the site was no longer used. That lead to the site not being updated either, which in turn lead to the site getting hacked.



How to fix it

A few weeks ago, Google contacted me with an email saying that the site had been hacked and that they would put up that red screen upon landing on it. As of last week, I was able to fix the site, and Google is continuing to display the site normally on search results. Here’s how you can do that if you’re on the same boat.


Keep your site updated

What’s that thing doctors say? “An ounce of prevention is worth a pound of cure.” No matter the CMS you use, keep your site up-to-date. If your CMS uses PHP, some PHP standards will change, and security is often one of those updates. Modules are then updated to be more secure, or they are updated to fix previous bugs or exploits that hackers could have previously used. With Drupal, you can simply log in to your site and head over to Administration > Reports. That will let you see if Drupal Core is up-to-date. If you scroll down, you’ll also see if you need to update your modules. 



Updating your modules is pretty easy. Just click the “available updates” link and download the new ones. Simply click the checkboxes for each module, and then click the Download button. You’ll follow a few steps, where you verify options, and you’ll be done! Updating Drupal Core is a bit more time-consuming, but if you take a few minutes during an evening, you should be able to do it without any problems. 


register_globals = off

An additional step that I had to take this last time that I updated my version of Drupal was to add the register_globals = off line to the php.ini file. You should be able to search for that, and uncomment it so that it will work. Next, you’ll need to add something similar to your main .htaccess file. Simply add this anywhere to that file:


<IfModule mod_php5.c>
  php_flag register_globals     off


Apparently, this is a huge PHP security feature that has been removed as of PHP5.4.0:


Everything else

Now that everything else is up-to-date, you should take some time to look through your server for any files that you don’t recommend. I found a few files that I didn’t recognize, and so I simply removed them. If you’re not sure, you can also take a look at the timestamps on those files to see if they match your last login date. 


Next, you might want to take a look at the code on some files on your site. For example, if there’s an index.php file and any files in your includes folder. Look for any iframe code, or even PHP inject code.

Pleading with Google


After that, you’ll need to log back in to your Google Webmaster Tools account, click the message that talks about the hacking, and click the button to “Request a review in Security Issues.” Personally, I wrote two small paragraphs explaining the steps that I took to resolve the hacking, and included a few screenshots of what my Drupal site’s Status page looks like now. I explained what version of Drupal I was using, and which one I’m using now. It says that it can take a few weeks for them to review the site, but in my case, it took around three days for the issue to be resolved. 


While inconvenient and scary-sounding, bringing your site back up to graces with Google isn’t too bad. 


Top image credit: Flikr