
I recognized a successful hacking attempt where someone somehow managed to modify a file under my Drupal installation and inject JavaScript code.

The file that was hacked was jquery-1.9.1.min.js, which is a general JavaScript library file that I downloaded earlier (clean, with no hacking code).

I cleaned the file now, but I want to know how the person got in.

And also another very strange thing: the last modified date of the file was intact from years ago, even though the code was added to the file recently. Can someone hack the site and then change the last modified date as well to cover their tracks?

My question in simple words: where do I start looking to find clues to find the security hole?

Jacob

1 Answer

My best guess would be through a vulnerable Drupal version or a vulnerable plugin / own code.

  • If it's your own server, take it off the network to prevent any further harm.

  • If it's not your own server but shared hosting, the problem may or may not be limited to your own account. Contact the service provider to let them know, so they can check whether it's a wider problem.

    1. Change your password just in case. Check that no SSH public keys have been added.
    2. Restore your site from a backup that didn't have this problem. This may not be the only modification the attacker has made; there might be some back doors installed, too.
    3. Update Drupal and all its plugins. This is also a good time to remove unnecessary plugins.
  • Check your logs for any anomalies. It may help narrow the problem down to a certain plugin / page.

  • After putting the restored & upgraded site online, check regularly that the file doesn't reappear.

The timestamp of a file isn't necessarily the time it was written to this server. Depending on how the file was uploaded, it may have preserved the original timestamp, which may have been manually modified before the upload in order to make it harder to find among all the files.

Esa Jokinen
  • Thank you so much. What kind of logs should I look for? I just need to get any clue to find what kind of vulnerability the attacker used. – Jacob Nov 13 '17 at 12:49
  • I'd first look for file uploads (`POST` requests) on pages that aren't usually used for uploading content. – Esa Jokinen Nov 13 '17 at 12:56
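The two checks suggested in the answer and its comments (look for POST requests to pages that should not accept uploads, and don't trust a file's modification time) can be scripted. The following is an added example, not part of Esa Jokinen's answer or of Drupal itself. The access-log lines are constructed for this example, the list of "expected" POST endpoints is an assumption for a typical Drupal 7 site and should be adjusted per installation, and the timestamp check relies on a Unix detail the answer does not spell out: `mtime` can be set by the file owner (touch, or a tar/rsync/FTP upload that preserves times), but `ctime` is set by the kernel on every content or metadata change and cannot be set from userland, so a file whose `ctime` is much later than its `mtime` had its modification time reset after it was last written.

```python
import os
import re
from datetime import datetime, timezone

# Apache/nginx "combined" access-log prefix: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: endpoints where POSTs are normal on a stock Drupal 7 site. Adjust per site.
EXPECTED_POST_PATHS = (
    "/user/login", "/user/register", "/user/password",
    "/node/add", "/admin/", "/comment/reply", "/contact",
)

# Constructed sample log (not from the asker's server). Two POSTs hit a .php file
# inside the public files directory, which should only ever serve static content.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Nov/2017:03:14:07 +0000] "GET /sites/all/libraries/jquery/jquery-1.9.1.min.js HTTP/1.1" 200 93108
203.0.113.5 - - [12/Nov/2017:03:14:09 +0000] "POST /user/login HTTP/1.1" 302 0
198.51.100.23 - - [12/Nov/2017:03:20:41 +0000] "POST /sites/default/files/pictures/image.php HTTP/1.1" 200 512
198.51.100.23 - - [12/Nov/2017:03:20:45 +0000] "POST /sites/default/files/pictures/image.php?x=1 HTTP/1.1" 200 1024
192.0.2.77 - - [12/Nov/2017:04:00:01 +0000] "POST /node/add/article HTTP/1.1" 302 0
"""


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def suspicious_posts(lines, expected=EXPECTED_POST_PATHS):
    """Return POST requests whose path (query string stripped) is not one of the
    endpoints where the site is expected to receive form submissions or uploads."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]
        if any(path.startswith(prefix) for prefix in expected):
            continue
        hits.append(rec)
    return hits


def backdated_files(root, slack_seconds=60):
    """Walk `root` and return (path, mtime_iso, ctime_iso) for files whose inode
    change time is later than their modification time by more than slack_seconds.
    On Linux/macOS st_ctime is the inode change time; on Windows it is creation
    time, so this check is only meaningful on Unix-like hosts."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if st.st_ctime - st.st_mtime > slack_seconds:
                to_iso = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
                found.append((path, to_iso(st.st_mtime), to_iso(st.st_ctime)))
    return found


if __name__ == "__main__":
    for rec in suspicious_posts(SAMPLE_LOG.splitlines()):
        print(f"unexpected POST from {rec['ip']} to {rec['path']} -> {rec['status']}")
    # Typical use on the server: backdated_files("/var/www/html/sites")
    for path, mtime, ctime in backdated_files("."):
        print(f"{path}: mtime {mtime} but ctime {ctime}")
```

On a real server, feed `suspicious_posts` the whole access log (and the logs of the days before the file was found, since the first modification may predate the discovery), and run `backdated_files` over the Drupal docroot; `find /path -newerct '2 days ago'` gives the same ctime-based view from the shell on GNU find.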