So far I have evidence of only once site hit. Just like Muzaffer reported, a role called drupaldev was created and a user named megauser was created. However, /the drupaldev role was assigned no permissions/. That seems a pretty poor back door. What can you do with no permissions?
That site had little new content so I could easily back up to my backup from the 14th and my files (except the files directory) were under version control. No files had been added or changed in the codebase.
I flushed the styles images and otherwise examined every single file in the files directory and subdirectories.
Shai On 10/31/2014 01:52 PM, Muzaffer Tolga Ozses wrote:
In my case, attackers had created a role called drupaldev and a user called megauser belonging to that role.
On 31 Oct 2014 19:47, "Metzler, David" <metzlerd@evergreen.edu mailto:metzlerd@evergreen.edu> wrote:
It’s not complete but I’ve heard of people using: https://www.drupal.org/project/drupalgeddon To help get a handle on the files cleanup. I haven’t heard anything about db yet, but there are some useful links on the project page. Good Luck, Dave *From:*support-bounces@drupal.org <mailto:support-bounces@drupal.org> [mailto:support-bounces@drupal.org <mailto:support-bounces@drupal.org>] *On Behalf Of *Patrick Avella *Sent:* Friday, October 31, 2014 10:04 AM *To:* support@drupal.org <mailto:support@drupal.org> *Subject:* [support] Cleaning up from the Oct. 15th hack. Hi, I maintain around 60 multisites that got hacked like all sites on the 15th. Has anyone developed a method of cleaning out the database for malicious code? The file system I can handle on my own. PSA chances are you were hacked on Oct 15th please visit Drupal.org to learn more. -- [ Drupal support list | http://lists.drupal.org/ ]