<p dir="ltr">Drupalgeddon identifies a few PHP files in FirePHP that comes with devel.</p>
<div class="gmail_quote">On 31 Oct 2014 19:51, "Patrick Avella" &lt;<a href="mailto:me@patrickavella.com">me@patrickavella.com</a>&gt; wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks Dave and Muzzafer, I got a syntax error from drush when installing the drupgeddon module. <div><br></div><div>Has anyone been able to list what common files and avenues the attack hit yet? While we all know we got hacked, there seems to be no clear description of the contents of the attack besides what's initially visible (drupal mega role, evilevily, etc)</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Oct 31, 2014 at 1:44 PM, Metzler, David <span dir="ltr">&lt;<a href="mailto:metzlerd@evergreen.edu" target="_blank">metzlerd@evergreen.edu</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1f497d">It’s not complete but I’ve heard of people using:</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1f497d"><a href="https://www.drupal.org/project/drupalgeddon" target="_blank">https://www.drupal.org/project/drupalgeddon</a></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1f497d">To help get a handle on the files cleanup. I haven’t heard anything about db yet, but there are some useful links on the project page.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1f497d">Good Luck,</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1f497d">Dave</span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif'">From:</span></b><span style="font-size:10.0pt;font-family:'Tahoma','sans-serif'"> <a href="mailto:support-bounces@drupal.org" target="_blank">support-bounces@drupal.org</a> [mailto:<a href="mailto:support-bounces@drupal.org" target="_blank">support-bounces@drupal.org</a>]
<b>On Behalf Of </b>Patrick Avella<br>
<b>Sent:</b> Friday, October 31, 2014 10:04 AM<br>
<b>To:</b> <a href="mailto:support@drupal.org" target="_blank">support@drupal.org</a><br>
<b>Subject:</b> [support] Cleaning up from the Oct. 15th hack.</span></p><span>
<p>Hi, I maintain around 60 multisites that got hacked like all sites on the 15th. Has anyone developed a method of cleaning out the database for malicious code? The file system I can handle on my own.</p>
<p>PSA: chances are you were hacked on Oct 15th; please visit Drupal.org to learn more.</p>
</span></div>
</div>
<br>--<br>
[ Drupal support list | <a href="http://lists.drupal.org/" target="_blank">http://lists.drupal.org/</a> ]<br></blockquote></div><br></div>
</blockquote></div>