In my case, attackers had created a role called drupaldev and a user called megauser belonging to that role.
It’s not complete but I’ve heard of people using:
https://www.drupal.org/project/drupalgeddon
To help get a handle on the files cleanup. I haven’t heard anything about db yet, but there are some useful links on the project page.
Good Luck,
Dave
From: support-bounces@drupal.org [mailto:support-bounces@drupal.org] On Behalf Of Patrick Avella
Sent: Friday, October 31, 2014 10:04 AM
To: support@drupal.org
Subject: [support] Cleaning up from the Oct. 15th hack.
Hi, I maintain around 60 multisites that got hacked like all sites on the 15th. Has anyone developed a method of cleaning out the database for malicious code? The file system I can handle on my own.
PSA chances are you were hacked on Oct 15th please visit Drupal.org to learn more.
--
[ Drupal support list | http://lists.drupal.org/ ]