<p dir="ltr">In my case, attackers had created a role called drupaldev and a user called megauser belonging to that role.</p>
<div class="gmail_quote">On 31 Oct 2014 19:47, "Metzler, David" <<a href="mailto:metzlerd@evergreen.edu">metzlerd@evergreen.edu</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">It’s not complete but I’ve heard of people using:
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><a href="https://www.drupal.org/project/drupalgeddon" target="_blank">https://www.drupal.org/project/drupalgeddon</a><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">To help get a handle on the files cleanup. I haven’t heard anything about db yet, but there are some useful links on the project page.
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Good Luck,
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Dave<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:support-bounces@drupal.org" target="_blank">support-bounces@drupal.org</a> [mailto:<a href="mailto:support-bounces@drupal.org" target="_blank">support-bounces@drupal.org</a>]
<b>On Behalf Of </b>Patrick Avella<br>
<b>Sent:</b> Friday, October 31, 2014 10:04 AM<br>
<b>To:</b> <a href="mailto:support@drupal.org" target="_blank">support@drupal.org</a><br>
<b>Subject:</b> [support] Cleaning up from the Oct. 15th hack.<u></u><u></u></span></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p>Hi, I maintain around 60 multisites that got hacked like all sites on the 15th. Has anyone developed a method of cleaning out the database for malicious code? The file system I can handle on my own.
<u></u><u></u></p>
<p>PSA chances are you were hacked on Oct 15th please visit Drupal.org to learn more.<u></u><u></u></p>
</div>
</div>
<br>--<br>
[ Drupal support list | <a href="http://lists.drupal.org/" target="_blank">http://lists.drupal.org/</a> ]<br></blockquote></div>