I work for a charity and look after our website built on Drupal 7. I missed the recent March alert and didn’t update in time, and about 3 weeks ago we were hacked. Some (not all) users get redirected to a malware site.
Sadly our daily backups are only stored for a week (I didn’t realise the host only stored a week) so I didn’t have a clean backup to go back to. Lesson to myself is download them to my PC on a regular basis.
I went through the site and removed multiple index.php files and another other file that I did not recongise and thought I had cleaned it all up and updated, but what happen is they must have a backdoor because each night the index.php files are put back. I now have a clean backup which I restore each morning and the website is fine until midnight’ish when the backdoor is used.
I can’t find the backdoor. I have done a fresh install of Drupal (7.5.9) and all module files, I have used a very old theme backup which should be clean but they still get back in. I am the only user on the website, the passwords for that account, database, FTP and even server have all been changed.
So I can only assume the backdoor is in the database? Is that likely to be the case or could it still be a file I am missing? If the database, I know how to use phpmyadmin and run SQL commands, but I am not technical enough to know how to find a recent database change or where the issue may be. Does anybody have any advice to clean up the existing site?
We were already building a new website and rewriting all text as it goes on a new server, so we can wipe everything and start again but that is still 2/3 weeks down the line. So I just need to do what I can to keep our existing site up for another couple of weeks.
Any helpful suggestions would be very much welcomed. Thank you.