<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
So far I have evidence of only one site hit. Just like Muzaffer
    reported, a role called drupaldev was created and a user named
    megauser was created. However, <i>the drupaldev role was assigned
      no permissions</i>. That seems a pretty poor back door. What can
    you do with no permissions?<br>
    <br>
    That site had little new content so I could easily back up to my
    backup from the 14th and my files (except the files directory) were
    under version control. No files had been added or changed in the
    codebase. <br>
    <br>
    I flushed the styles images and otherwise examined every single file
    in the files directory and subdirectories.<br>
    <br>
    Shai<br>
    <div class="moz-cite-prefix">On 10/31/2014 01:52 PM, Muzaffer Tolga
      Ozses wrote:<br>
    </div>
    <blockquote
cite="mid:CAMAQ3nJzb6LM6L-R7xa-5YgdNXhxR+i_DNRhBJEX3OOFbNbjAg@mail.gmail.com"
      type="cite">
      <p dir="ltr">In my case, attackers had created a role called
        drupaldev and a user called megauser belonging to that role.</p>
      <div class="gmail_quote">On 31 Oct 2014 19:47, "Metzler, David"
        &lt;<a moz-do-not-send="true"
          href="mailto:metzlerd@evergreen.edu">metzlerd@evergreen.edu</a>&gt;
        wrote:<br type="attribution">
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div link="blue" vlink="purple" lang="EN-US">
            <div>
              <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">It’s
                  not complete but I’ve heard of people using:
                </span></p>
              <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d"><a
                    moz-do-not-send="true"
                    href="https://www.drupal.org/project/drupalgeddon"
                    target="_blank">https://www.drupal.org/project/drupalgeddon</a></span></p>
              <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">To
                  help get a handle on the files cleanup. I haven’t
                  heard anything about db yet, but there are some useful
                  links on the project page.
                </span></p>
              <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">Good
                  Luck,
                </span></p>
              <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1f497d">Dave</span></p>
              <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">From:</span></b><span
style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;">
                  <a moz-do-not-send="true"
                    href="mailto:support-bounces@drupal.org"
                    target="_blank">support-bounces@drupal.org</a>
                  [mailto:<a moz-do-not-send="true"
                    href="mailto:support-bounces@drupal.org"
                    target="_blank">support-bounces@drupal.org</a>]
                  <b>On Behalf Of </b>Patrick Avella<br>
                  <b>Sent:</b> Friday, October 31, 2014 10:04 AM<br>
                  <b>To:</b> <a moz-do-not-send="true"
                    href="mailto:support@drupal.org" target="_blank">support@drupal.org</a><br>
                  <b>Subject:</b> [support] Cleaning up from the Oct.
                  15th hack.</span></p>
              <p>Hi, I maintain around 60 multisites that got hacked
                like all sites on the 15th. Has anyone developed a
                method of cleaning out the database for malicious code?
                The file system I can handle on my own.
              </p>
              <p>PSA: chances are you were hacked on Oct 15th; please
                visit Drupal.org to learn more.</p>
            </div>
          </div>
          <br>
          --<br>
          [ Drupal support list | <a moz-do-not-send="true"
            href="http://lists.drupal.org/" target="_blank">http://lists.drupal.org/</a>
          ]<br>
        </blockquote>
      </div>
    </blockquote>
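    <p>The thread above describes the database side of the clean-up only in outline: a planted role (drupaldev), an account in that role (megauser), and the question of how to audit the database rather than the file system. The script below is an added example, not code from the thread or from the Drupalgeddon project. It models a cut-down copy of Drupal 7's role, users, users_roles and role_permission tables in an in-memory SQLite database (the real tables have more columns; the subset, the baseline role list and every sample row are constructed for illustration) and runs three inventory queries over it: roles outside a known-good baseline, accounts created on or after the 15th with their role memberships, and the number of permissions granted per role, which is how a role with no permissions at all, as reported above, shows up.</p>

```python
"""Inventory roles and accounts in a Drupal 7 style database after an incident.

Added example, not from the mailing-list thread. The four tables are a
simplified version of Drupal 7's role, users, users_roles and role_permission
tables (an assumption: real tables carry more columns). The sample rows are
constructed. Against a live site the same SELECT statements can be run on the
MySQL database, adding the configured table prefix if the site uses one.
"""
import sqlite3
from datetime import datetime, timezone

# Assumed baseline: the stock Drupal 7 roles plus any roles the site owner
# created on purpose. Site-specific roles must be added here.
KNOWN_ROLES = {"anonymous user", "authenticated user", "administrator"}

# Unix timestamp for 2014-10-15 00:00 UTC, the date referred to in the thread.
INCIDENT_TS = int(datetime(2014, 10, 15, tzinfo=timezone.utc).timestamp())

SCHEMA = """
CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT NOT NULL,
                    created INTEGER NOT NULL, status INTEGER NOT NULL);
CREATE TABLE users_roles (uid INTEGER NOT NULL, rid INTEGER NOT NULL);
CREATE TABLE role_permission (rid INTEGER NOT NULL, permission TEXT NOT NULL,
                              module TEXT NOT NULL);
"""

# Constructed sample data: three stock roles, one legitimate admin account, and
# the "drupaldev" role / "megauser" account pattern described in the thread.
SAMPLE_ROWS = {
    "role": [(1, "anonymous user"), (2, "authenticated user"),
             (3, "administrator"), (4, "drupaldev")],
    "users": [(0, "", 0, 0),                   # Drupal's anonymous placeholder row
              (1, "admin", 1388534400, 1),     # created 2014-01-01
              (7, "megauser", 1413590400, 1)], # created 2014-10-18
    "users_roles": [(1, 3), (7, 4)],
    "role_permission": [(3, "administer users", "user"),
                        (3, "administer permissions", "user"),
                        (2, "access content", "node")],
}


def build_sample_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    conn.commit()
    return conn


def unexpected_roles(conn, known=KNOWN_ROLES):
    """Role names that are not in the known-good baseline."""
    rows = conn.execute("SELECT name FROM role ORDER BY rid").fetchall()
    return [name for (name,) in rows if name not in known]


def accounts_created_since(conn, since_ts=INCIDENT_TS):
    """(uid, name, [role names]) for accounts created on or after since_ts."""
    sql = """
        SELECT u.uid, u.name, GROUP_CONCAT(r.name)
        FROM users u
        LEFT JOIN users_roles ur ON ur.uid = u.uid
        LEFT JOIN role r ON r.rid = ur.rid
        WHERE u.created >= ?
        GROUP BY u.uid, u.name ORDER BY u.uid
    """
    return [(uid, name, roles.split(",") if roles else [])
            for uid, name, roles in conn.execute(sql, (since_ts,))]


def permission_counts(conn):
    """Granted permissions per role; a planted role may legitimately show zero."""
    sql = """
        SELECT r.name, COUNT(rp.permission)
        FROM role r LEFT JOIN role_permission rp ON rp.rid = r.rid
        GROUP BY r.rid, r.name ORDER BY r.rid
    """
    return dict(conn.execute(sql).fetchall())


if __name__ == "__main__":
    db = build_sample_db()
    print("unexpected roles:", unexpected_roles(db))
    print("accounts created since incident:", accounts_created_since(db))
    print("permissions per role:", permission_counts(db))
```

    <p>On the sample data the baseline check reports drupaldev, the account query reports megauser with its single drupaldev membership, and the permission count for drupaldev is zero, matching the observation above that the role carried no permissions. A zero count is not a reason to leave the role in place: it is still an unexplained change to the database and the account attached to it still authenticates.</p>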
    <br>
  </body>
</html>