First thing is to figure out how they got those files on there. It could have happened through a Drupal security hole (especially since you are running such an outdated version), but more than not this happens through someone gaining shell access. If you still got the files on the server, look at the creation time of the files, then check your access logs (/var/log/secure on CentOS/RHEL, /var/log/auth.log on Ubuntu) and see if there were any logins around that time. Just to be safe I would also change any passwords that have access to those files, including root.
One thing I always recommend when people run their own server is to install Fail2Ban. It's available in the repository of most distributions, so can easily be installed with yum or apt-get. Fail2Ban detects invalid login attempts to various services, including SSH. If X amounts of failed logins are attempted in Y minutes by a particular IP, then it bans that IP in the firewall for Z minutes.
Also make sure the permissions on your file system are properly set. Everything should have read permissions to PHP and the webserver. The only files/directory that should be writable by PHP and Webserver is the sites/default/files (or wherever your files upload to).
The final thing is to make sure you keep Drupal up to date. Drupal 7.21 was released on March 7, 2013. Since then you have had some very serious security updates you have missed. Those include 7.24, which put protections in to prevent script execution in the files and temp files directories, and 7.32, which fixed a SQL injection problem and was one of the most serious security problems in years. Also make sure your contributed modules are kept up to date.
I know keeping things up to date can seem tedious, but it is of vital importance. My suggestion is to set your Drupal installations to email you when security updates are available. To make updating simpler, install Drush and update via that.
One final thing, not Drupal. Since this was sending out spam emails, there is now a good chance that your server is blacklisted by a bunch of email services. You can check using this tool:
http://mxtoolbox.com/blacklists.aspx
If you did get blacklisted by some services, then you will have to contact each one and find out their procedure to get yourself removed. Usually it's not that bad. AOL is probably the worst one to deal with.
Jamie Holly http://hollyit.net
On 10/29/2014 3:17 AM, Ahilan Rajan wrote:
Hi,
I had installed drupal 7.21 to run a simple website on my server. All seemed well till one day last week I started getting huge amount of spam emails from the server which was hosting the website.
On further analysis of the postfix mail queue on the server, I found all the emails were generated by TWO php files (css76.php in the modules/panels/js directory and session.php in the sites/all/libraries/jquery.cycle directory) . These two files were NEWLY created/injected files and seemed bogus containing a number of symbols along with a base64_decode return statement.
Clearly my drupal setup had been hacked and someone had successfully injected these files to send spam email (amongst other things I presume)
I shutdown the site, installed Security Review and Hacked modules and carried out their recommendations and also checked my file permissions via recommended scripts.
However I am still not sure what the entry point for this hack was in my setup and whether I am fully secure yet in this setup. Any suggestions or points in this regard would be highly appreciated.
thanks Drupal Newbie