Common Hack Symptoms to Check If Your Drupal is Hacked

Drupal is a popular CMS, so it is not uncommon for Drupal sites to be compromised to varying degrees as new threats appear every day. Small and large organizations alike are exposed to any security issue found in the platform. Identifying the indicators of a hacked Drupal site is the first step to resolving the problem, followed by putting the Drupal Firewall in place.

  1. Unable to login using old credentials

This is a simple way to tell that something has gone wrong: if you cannot log in with your credentials and nobody you trust has changed them, there is a problem. Attackers often change the username and password as quickly as possible so that you are locked out of the site while they manipulate the existing content or insert malicious code.

  2. Are there new users on admin?

In the Drupal administration pages you may notice new user accounts that you did not create and that are not linked to any known person. If your site allows anonymous registration, this is not by itself an unusual or problematic event.

However, if your Drupal site does not accept anonymous registrations, this is one of the strongest signs that it has been hacked. In that situation attackers need user accounts to grant themselves administrative privileges, which lets them manipulate data and configuration settings for maximum access.

Even with anonymous registration enabled, every new user should be vetted and verified, old or new, suspicious or trusted, and especially any account that holds administrative access. Pay particular attention to roles that you did not create or assign yourself, and try to determine whether any existing account was compromised through an unnoticed vulnerability and then reused by attackers to enter the site.

Such accounts are sometimes named ‘config’ or ‘admin’, or carry a random string of characters as a name, so make sure to check these in particular.
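The account review described above can be scripted. The following is an added example, not code from the original article or from the Drupal project; it assumes a JSON export with one record per account holding `name`, `mail`, `roles` and `created` (the export format and the sample records are constructed, as is the allowlist of administrators you granted yourself). Adapt the loader to whatever your site actually exports, such as the output of a drush user listing.

```python
"""Flag Drupal accounts that match the symptoms of an unauthorized user.

Added example (not the article's or Drupal's own code). The export shape is
an assumption; replace SAMPLE_EXPORT with a real listing from your site.
"""
import json
import re

# Constructed sample export: two legitimate accounts and three that show the
# symptoms from the article (unexpected admin, generic name, random string).
SAMPLE_EXPORT = json.dumps([
    {"name": "alice", "mail": "alice@example.org",
     "roles": ["administrator"], "created": 1600000000},
    {"name": "editor-bob", "mail": "bob@example.org",
     "roles": ["editor"], "created": 1610000000},
    {"name": "config", "mail": "x@mailinator.example",
     "roles": ["administrator"], "created": 1700000000},
    {"name": "admin", "mail": "admin@example.org",
     "roles": ["authenticated"], "created": 1700000100},
    {"name": "q8zk3vf1p", "mail": "q8zk3vf1p@example.net",
     "roles": ["administrator"], "created": 1700000200},
])

KNOWN_ADMINS = {"alice"}            # accounts you personally made admin (assumed)
GENERIC_NAMES = {"config", "admin", "administrator", "root", "test"}
PRIVILEGED_ROLES = {"administrator"}
BLOB = re.compile(r"^[a-z0-9]{8,}$")  # long lower-case alphanumeric run


def looks_random(name: str) -> bool:
    """Heuristic: a long letter/digit blob with digits and almost no vowels."""
    if not BLOB.match(name):
        return False
    has_digit = any(c.isdigit() for c in name)
    vowel_ratio = sum(c in "aeiou" for c in name) / len(name)
    return has_digit and vowel_ratio < 0.3


def audit_users(export_json: str, known_admins=KNOWN_ADMINS, since_ts=None):
    """Return [(name, [reasons])] for accounts that deserve a closer look.

    since_ts: optional UNIX time of your last known-good review; accounts
    created after it are reported as well.
    """
    findings = []
    for user in json.loads(export_json):
        name = user["name"]
        reasons = []
        roles = set(user.get("roles", []))
        if roles & PRIVILEGED_ROLES and name not in known_admins:
            reasons.append("privileged role you did not grant")
        if name.lower() in GENERIC_NAMES:
            reasons.append("generic account name")
        if looks_random(name):
            reasons.append("random-looking account name")
        if since_ts is not None and user.get("created", 0) >= since_ts:
            reasons.append("created after last review")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_users(SAMPLE_EXPORT, since_ts=1650000000):
        print(f"{name}: {', '.join(reasons)}")
```

The name heuristics only narrow the list; the decisive signal is a privileged role that no administrator remembers granting, which is why the allowlist of known admins is compared first.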

  3. Check the Drupal installation files

Look through the Drupal installation under the Drupal root and its subdirectories for files that you did not place there. Attackers pick names such as ‘index2.php’ or ‘1ndex.php’ that look legitimate at a glance. If you find files with names like these, verify every file in the installation and its subdirectories immediately, because attackers commonly plant backdoors so that they can return even after their original point of entry has been closed.

Simply deleting or editing the suspicious files is therefore not a permanent fix for a compromised site.
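Verifying "every file in the installation" by eye does not scale, so the check is normally done against a hash manifest taken from a known-clean copy of the code. The following added example (not code from the original article or from the Drupal project) builds such a manifest, compares a live tree against it, and additionally flags look-alike names and PHP files inside the upload directory; the name patterns and the demo tree are constructed for illustration.

```python
"""Baseline a Drupal code tree and report files that changed or appeared.

Added example (not the article's or Drupal's own code). Take build_manifest()
from a clean checkout, keep the result off the server, and run
compare_manifest() against the live tree when you suspect a compromise.
"""
import hashlib
import json
import os
import re
import tempfile

# Look-alike names modelled on the article's examples (patterns assumed), and
# the Drupal public files directory, where no PHP file should ever live.
SUSPICIOUS_NAME = re.compile(r"^(index\d+|1ndex|ind3x)\.php$", re.I)
UPLOAD_DIRS = ("sites/default/files/",)


def sha256_of(path):
    """Content hash; mtimes are not used because attackers can reset them."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map of relative path -> sha256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def compare_manifest(root, baseline):
    """Diff the live tree against the baseline and flag suspicious names."""
    current = build_manifest(root)
    report = {"added": [], "modified": [], "removed": [], "suspicious": []}
    for rel, digest in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel] != digest:
            report["modified"].append(rel)
        name = rel.rsplit("/", 1)[-1]
        php_in_uploads = rel.lower().endswith(".php") and rel.startswith(UPLOAD_DIRS)
        if SUSPICIOUS_NAME.match(name) or php_in_uploads:
            report["suspicious"].append(rel)
    report["removed"] = [rel for rel in baseline if rel not in current]
    for key in report:
        report[key].sort()
    return report


def demo():
    """Construct a tiny tree, baseline it, then simulate a compromise."""
    root = tempfile.mkdtemp()

    def write(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(data)

    write("index.php", "<?php // clean front controller\n")
    write("sites/default/settings.php", "<?php $databases = [];\n")
    write("sites/default/files/logo.png", "png-bytes")
    baseline = build_manifest(root)
    # Simulated compromise: a look-alike file, a PHP file dropped into the
    # upload directory, and an edit to settings.php.
    write("1ndex.php", "<?php // dropped file\n")
    write("sites/default/files/shell.php", "<?php // should not be here\n")
    write("sites/default/settings.php", "<?php $databases = []; // altered\n")
    return compare_manifest(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the baseline manifest somewhere the web server cannot write to; a manifest that lives on the compromised host can be rewritten along with the files it describes.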

  4. Your site looks visually compromised

Your site may appear defaced: multiple pop-up ads, external links that redirect to suspicious sites, spammy keywords, and so on, or the site may simply show a blank colored screen (white, red, or black). The installation may have been tampered with, whether by removing something or by adding malicious code, and attackers sometimes leave obvious messages on the site announcing that it has been hacked.

In such cases the site becomes unusable for everyone and its content is no longer visible to your visitors.

There are also malicious redirects, where the attacker modifies the site content so that visitors are pushed to spammy and questionable links, often to install malware. Redirects come in several kinds: 301 is permanent and indicates a move to a new location, 303 points to a temporary page that may be at a different address, and 307 is less commonly used but still worth noting. Once you have ruled out a technical malfunction or a simple configuration error, you can conclude that the site is compromised.
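The practical way to distinguish a legitimate 301 from an injected redirect is to follow the chain hop by hop and note every hop that leaves your own host. The following added example (not code from the original article) does that; a constructed response table stands in for the web server so it runs offline, and the hostnames are placeholders. In production, `fetch` would issue a request with automatic redirect following disabled and return the status and `Location` header.

```python
"""Walk an HTTP redirect chain and flag hops that leave the site.

Added example (not the article's own code). FAKE_SERVER is a constructed
stand-in for real responses; swap fake_fetch for a fetcher that does not
follow redirects itself.
"""
from urllib.parse import urljoin, urlsplit

# Meaning of the redirect status codes the article mentions (plus 302/308).
REDIRECT_KIND = {301: "permanent", 302: "temporary", 303: "see-other",
                 307: "temporary", 308: "permanent"}

# Constructed responses: url -> (status, Location header or None)
FAKE_SERVER = {
    "https://example.org/": (200, None),
    "https://example.org/old-page": (301, "/new-page"),      # legitimate move
    "https://example.org/new-page": (200, None),
    "https://example.org/blog": (302, "http://spammy.example/deal"),  # injected
    "http://spammy.example/deal": (307, "http://spammy.example/deal2"),
    "http://spammy.example/deal2": (200, None),
    "https://example.org/loop": (303, "/loop"),              # never terminates
}


def fake_fetch(url):
    """Return (status, location) for a URL without following redirects."""
    return FAKE_SERVER.get(url, (404, None))


def follow_chain(start, fetch=fake_fetch, max_hops=10):
    """Follow redirects from start; report the final URL and off-site hops."""
    origin = urlsplit(start).netloc
    hops = []
    url = start
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_KIND or location is None:
            return {"final": url, "status": status, "hops": hops,
                    "off_site": any(h["off_site"] for h in hops),
                    "exhausted": False}
        target = urljoin(url, location)           # resolves relative Locations
        hops.append({"from": url, "to": target, "status": status,
                     "kind": REDIRECT_KIND[status],
                     "off_site": urlsplit(target).netloc != origin})
        url = target
    # Too many hops: either a loop or a chain long enough to be suspicious.
    return {"final": url, "status": None, "hops": hops,
            "off_site": any(h["off_site"] for h in hops), "exhausted": True}


if __name__ == "__main__":
    for path in ("/old-page", "/blog", "/loop"):
        r = follow_chain("https://example.org" + path)
        print(path, "->", r["final"], "off-site" if r["off_site"] else "same-site",
              "(chain exhausted)" if r["exhausted"] else "")
```

Run the check from outside your own network and with a browser-like User-Agent as well, since injected redirects are frequently served only to visitors who arrive from search engines or on mobile devices and not to the administrator.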

  5. You’re not able to access the control panel

Once attackers have compromised the Drupal site, they escalate the privileges they have gained on the server to secure lasting access to cPanel or SSH, which is their key foothold for manipulating and misusing the content further. They may also make sure that they remain connected, through backdoors, to the web hosting control panel, which makes it easier for them to keep controlling your site and harder for you to clean up.

Other suspicious signs of a compromised Drupal site include slow-loading pages, external links that send visitors to problematic or malware-laden sites full of spammy keywords, extensive changes to the server’s configuration files, and the like. Keeping a list of these symptoms, together with any issues specific to your own site, will help you secure your Drupal platform against future attacks, alongside other measures that raise the security level of the whole platform, such as multi-factor authentication.

Reference: https://www.getastra.com/blog/drupal-security/drupal-security-guide/