Drupal malware - Farbtastic exploit, only in Google


I was contacted by a client last night, very concerned because, when you enter his site into Google, it comes back with a warning that ‘This site has been hacked’. And yet, when the site is viewed in the browser, there is no sign of any bad links or anything. What can be happening? Why does Google think the site is hacked?

I took a look at the site and he was correct: there was no sign of any bad links, and yet in Google there were a couple of pages of links to various pharmacy products, which, when clicked on, led to a 404 page not found error. But when I asked Google for the cached version, there the links were, proudly displayed at the top of the page, bold as can be.

Strangely, when I put the site into Google Webmaster Tools and went to the Security Issues page, Google informed me that there were no Security Issues with the site. This means I can’t ask Google to delist the site as it’s not, according to this page, listed.

The next step is to ask Google to “Fetch the page as Google” and to render it. This made it clear that the bad code was still there but only visible to the Google search bot.

If you are reading this because you are having the same problem, here is what I needed to do to clear things. Somewhere in the system is a group of files that are being included in the site. This means there is an entry point and in this case that entry point was /includes/bootstrap.php. On line 121, the following code appeared:

@include_once( DRUPAL_ROOT . '/misc/farbtastic/cache.php');

and in /includes/common.php, line 5798, we have:

@include_once( DRUPAL_ROOT . '/includes/refresh.inc' );

Remove those lines, remove /includes/refresh.inc, clean up the /misc/farbtastic/ directory and we’re good to go.
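Two checks that follow from the above, written as an added example rather than anything from the original post: the first scans a Drupal tree for include/require calls prefixed with PHP's error-suppression `@`, the pattern both injected lines used (so a missing payload file never produces a logged error, whereas Drupal core itself uses plain require_once); the second takes a copy of a page as served to a browser and a copy as served to a crawler and lists the links only the crawler copy contains, which is the cloaking the "Fetch as Google" step exposed. The file contents, the spam hostname and the directory layout below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): two checks a site owner can run
# after a cloaked-spam incident like the one described above.
#  1. find_suppressed_includes DIR  - list include/require calls prefixed
#     with '@'. Drupal core uses plain require_once/include_once, so an
#     error-suppressed include in core is worth a look.
#  2. cloaked_links BROWSER.html CRAWLER.html - print hrefs that appear only
#     in the copy of the page served to a crawler.
# Everything below runs on a constructed sample tree, so it works offline.

find_suppressed_includes() {
    # file:line:text for each error-suppressed include; exit status is grep's
    # (0 = something found, 1 = clean), so callers can branch on it.
    grep -rnE --include='*.php' --include='*.inc' --include='*.module' \
        '@[[:space:]]*(include|require)(_once)?[^A-Za-z0-9_]' "$1"
}

extract_hrefs() {
    # Crude href extraction, sufficient for diffing two copies of one page.
    grep -oE 'href="[^"]*"' "$1" | sort -u
}

cloaked_links() {
    hrefs_browser=$(mktemp) && hrefs_crawler=$(mktemp) || return 1
    extract_hrefs "$1" > "$hrefs_browser"
    extract_hrefs "$2" > "$hrefs_crawler"
    # comm -13 drops lines unique to the browser copy and lines common to
    # both, leaving only the hrefs the crawler copy adds.
    comm -13 "$hrefs_browser" "$hrefs_crawler"
    rm -f "$hrefs_browser" "$hrefs_crawler"
}

DEMO_DIR=$(mktemp -d)
mkdir -p "$DEMO_DIR/includes" "$DEMO_DIR/misc/farbtastic"

# Constructed stand-in for a tampered includes/bootstrap.php: one legitimate
# require_once and one injected, error-suppressed include.
cat > "$DEMO_DIR/includes/bootstrap.php" <<'EOF'
<?php
require_once DRUPAL_ROOT . '/includes/errors.inc';
@include_once( DRUPAL_ROOT . '/misc/farbtastic/cache.php');
EOF

# A clean core file, for contrast.
cat > "$DEMO_DIR/includes/common.php" <<'EOF'
<?php
require_once DRUPAL_ROOT . '/includes/path.inc';
EOF

# Constructed page copies: as served to a browser and as served to a crawler.
cat > "$DEMO_DIR/browser.html" <<'EOF'
<html><body><a href="/about">About</a> <a href="/contact">Contact</a></body></html>
EOF
cat > "$DEMO_DIR/crawler.html" <<'EOF'
<html><body><a href="http://spam.example/pharmacy">cheap pills</a>
<a href="/about">About</a> <a href="/contact">Contact</a></body></html>
EOF

echo "== error-suppressed includes =="
find_suppressed_includes "$DEMO_DIR" || echo "(none)"
echo "== links only the crawler sees =="
cloaked_links "$DEMO_DIR/browser.html" "$DEMO_DIR/crawler.html"
```

To use the second check on a real site, save the page twice, once with a normal browser and once with `curl -A 'Googlebot/2.1 (+http://www.google.com/bot.html)'`, then pass both files to `cloaked_links`. That assumes the cloaking keys on the User-Agent header; if it keys on Googlebot's IP ranges instead, the two copies will look identical and Webmaster Tools' "Fetch as Google" remains the reliable way to see what the crawler is served. The first check is a heuristic: a legitimate contributed module may also use `@include`, so treat each hit as something to read, not as proof of compromise.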

Unfortunately this site doesn’t keep logs, so I’m not sure how these files were put on the server. I’m guessing it was from a hijacked FTP account but for now I don’t know.

The final step is to check in Webmaster Tools, fetch as Google and if it’s clear, then resubmit the page to the indexing machine.