[support] Cleaning up from the Oct. 15th hack.

Shai Gluskin shai at content2zero.com
Fri Oct 31 22:22:40 UTC 2014


So far I have evidence of only one site hit. Just like Muzaffer 
reported, a role called drupaldev was created and a user named megauser 
was created. However, /the drupaldev role was assigned no permissions/. 
That seems a pretty poor back door. What can you do with no permissions?

That site had little new content so I could easily back up to my backup 
from the 14th and my files (except the files directory) were under 
version control. No files had been added or changed in the codebase.

I flushed the styles images and otherwise examined every single file in 
the files directory and subdirectories.

Shai
On 10/31/2014 01:52 PM, Muzaffer Tolga Ozses wrote:
>
> In my case, attackers had created a role called drupaldev and a user 
> called megauser belonging to that role.
>
> On 31 Oct 2014 19:47, "Metzler, David" <metzlerd at evergreen.edu> wrote:
>
>     It’s not complete but I’ve heard of people using:
>
>     https://www.drupal.org/project/drupalgeddon
>
>     To help get a handle on the files cleanup. I haven’t heard
>     anything about db yet, but there are some useful links on the
>     project page.
>
>     Good Luck,
>
>     Dave
>
>     *From:* support-bounces at drupal.org
>     [mailto:support-bounces at drupal.org] *On Behalf Of* Patrick Avella
>     *Sent:* Friday, October 31, 2014 10:04 AM
>     *To:* support at drupal.org
>     *Subject:* [support] Cleaning up from the Oct. 15th hack.
>
>     Hi, I maintain around 60 multisites that got hacked like all sites
>     on the 15th. Has anyone developed a method of cleaning out the
>     database for malicious code? The file system I can handle on my own.
>
>     PSA: chances are you were hacked on Oct 15th; please visit
>     Drupal.org to learn more.
>
>
>     --
>     [ Drupal support list | http://lists.drupal.org/ ]
>
>
>
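
A read-only audit for the accounts and roles described in this thread, as an added example that is not part of the original messages. It assumes Drupal 7's default `users`, `role`, `users_roles` and `role_permission` tables with no table prefix, and runs here against a constructed in-memory SQLite copy; the cutoff date and the two names are hints taken from the thread, not a complete indicator list.

```python
import sqlite3
from datetime import datetime, timezone

# Names reported in this thread: hints only, not a complete indicator list.
REPORTED_USERS = {"megauser"}
REPORTED_ROLES = {"drupaldev"}
CUTOFF = int(datetime(2014, 10, 15, tzinfo=timezone.utc).timestamp())

# Assumed Drupal 7 default schema, no table prefix. uid 0 is the anonymous user.
AUDIT_SQL = """
SELECT u.uid, u.name, u.created, r.name,
       (SELECT COUNT(*) FROM role_permission p WHERE p.rid = r.rid)
FROM users u
LEFT JOIN users_roles ur ON ur.uid = u.uid
LEFT JOIN role r ON r.rid = ur.rid
WHERE u.uid > 0
ORDER BY u.uid
"""

def audit(conn, cutoff=CUTOFF):
    """Return (uid, name, role, permission_count, reasons) rows to review by hand."""
    findings = []
    for uid, name, created, role, perms in conn.execute(AUDIT_SQL):
        reasons = []
        if created >= cutoff:
            reasons.append("account created on or after cutoff")
        if name in REPORTED_USERS:
            reasons.append("username reported in thread")
        if role in REPORTED_ROLES:
            reasons.append("role reported in thread")
        if reasons:
            findings.append((uid, name, role, perms, reasons))
    return findings

def sample_db():
    """Constructed data for illustration, not taken from a real site."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, created INTEGER);
        CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users_roles (uid INTEGER, rid INTEGER); CREATE TABLE role_permission (rid INTEGER, permission TEXT);
        INSERT INTO users VALUES (1, 'admin', 1388534400), (7, 'editor1', 1400000000), (42, 'megauser', 1413400000);
        INSERT INTO role VALUES (3, 'administrator'), (4, 'editor'), (9, 'drupaldev');
        INSERT INTO users_roles VALUES (1, 3), (7, 4), (42, 9);
        INSERT INTO role_permission VALUES (3, 'administer users'), (4, 'create article content');
    """)
    return conn

if __name__ == "__main__": print(audit(sample_db()))
```

A flagged row whose permission count is 0 corresponds to the empty `drupaldev` role Shai describes; the output is a review list, not a deletion list.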
