A while ago, I found several Drupal websites that have been compromised by the same sneaky malware. Since then I’ve encountered dozens more with the same symptoms. To facilitate detection and raise awareness, I’ve created a simple check-website that can scan your Drupal installation.

Drupal EngineHack

The hack was originally discussed here: Drupal engine_ssid_ And engine_ssl_ cookies: You’ve Been Hacked.

Since then, at seemingly random intervals, I’ve encountered more and more of these kind of hacked sites.

Making dinner reservation, noticing their Drupal was hacked. First time I used a restaurant contact form for that. https://t.co/1Lm62d4FUc — ma.ttias.be (@mattiasgeniar) April 25, 2015

Update: the check-site is now offline.

So to make it easier for me and my colleagues to detect these hacks, I’ve put together a simple website that can check your own site: enginehack.ma.ttias.be .

It doesn’t have a fancy name and it lacks a logo, but I consider it a large-scale compromise of Drupal systems. It may even be huge, just not well known.

Because the hack doesn’t immediately stand out – the site continues to work without issues – there are probably many Drupal installations that have been hacked for months, where the site admin hasn’t even noticed.

Scan result

Please use the scan on the website and share it with everyone who uses Drupal. I’m hoping every gets to see an “OK” message like this one.

If you’re unlucky, you’ll see this kind of message:

The confirmation page will list resources to help you deal with the hack, how to cleanup and how to get prevent a similar attack from happening.

Open Source: contributions!

If you spot any errors or have better methods for detecting the hack, the project is entirely open source and you can contribute on Github:

github.com/mattiasgeniar/drupal-enginehack-detector.

Project URL: enginehack.ma.ttias.be .

Good luck!