Access denied - all drupal pages

On Monday, 2/3/2013, I was notified by DreamHost that that my Drupal 6.17 site had been compromised. Yes, there were foreign php files which I deleted. They also added their own cron.php and index.php. I restored the originals from backup. This had happened before and the site was fine.

Now only shows “access denied”. I can run update.php but haven’t. I am not sure the next step. Basically it appears Drupal won’t load . The date of .htaccess has not changed so don’t think it is denying all. Another thought is that the sessions table is corrupt. I could repair the table.

Any thoughts of next steps ? Thanks for your thoughts.

You most likely have an existing backdoor that the hackers left open. I’m a wordpress person not a drupal person so can’t can’t help you with specifics but most likely you missed something or the attack happened before you backed your site up, so that the hack still exists. Most likely one of the drupal files has some inserted code. Any php code which is on your site is capable of being compromised now that someone else has gained access to your site. Also, if you have multiple sites with the same user those sites may also be compromised. Your mysql access from drupal is compromised and the passwords should be changed.


Thanks, I will do a more thorough investigation.