In my case, attackers had created a role called drupaldev and a user called megauser belonging to that role. On 31 Oct 2014 19:47, "Metzler, David" metzlerd@evergreen.edu wrote:
It’s not complete but I’ve heard of people using:
https://www.drupal.org/project/drupalgeddon
To help get a handle on the files cleanup. I haven’t heard anything about db yet, but there are some useful links on the project page.
Good Luck,
Dave
*From:* support-bounces@drupal.org [mailto:support-bounces@drupal.org] *On Behalf Of *Patrick Avella *Sent:* Friday, October 31, 2014 10:04 AM *To:* support@drupal.org *Subject:* [support] Cleaning up from the Oct. 15th hack.
Hi, I maintain around 60 multisites that got hacked like all sites on the 15th. Has anyone developed a method of cleaning out the database for malicious code? The file system I can handle on my own.
PSA chances are you were hacked on Oct 15th please visit Drupal.org to learn more.
-- [ Drupal support list | http://lists.drupal.org/ ]