Hi, I maintain around 60 multisites that got hacked like all sites on the 15th. Has anyone developed a method of cleaning out the database for malicious code? The file system I can handle on my own.
PSA: chances are you were hacked on Oct 15th; please visit Drupal.org to learn more.
https://www.drupal.org/node/2365547
Lucas MTech, LLC http://www.mtech-llc.com
On Fri, Oct 31, 2014 at 11:04 AM, Patrick Avella me@patrickavella.com wrote:
-- [ Drupal support list | http://lists.drupal.org/ ]
I suggest you start with checking your system with the Drupalgeddon project, which is at https://www.drupal.org/project/drupalgeddon
On 31 Oct 2014 19:34, "Patrick Avella" me@patrickavella.com wrote:
It’s not complete but I’ve heard of people using:
https://www.drupal.org/project/drupalgeddon
To help get a handle on the files cleanup. I haven’t heard anything about db yet, but there are some useful links on the project page.
Good Luck,
Dave
From: support-bounces@drupal.org [mailto:support-bounces@drupal.org] On Behalf Of Patrick Avella Sent: Friday, October 31, 2014 10:04 AM To: support@drupal.org Subject: [support] Cleaning up from the Oct. 15th hack.
Thanks Dave and Muzaffer, I got a syntax error from drush when installing the drupalgeddon module.
Has anyone been able to list which common files and avenues the attack hit yet? While we all know we got hacked, there seems to be no clear description of the contents of the attack besides what's initially visible (drupal mega role, evilevily, etc.)
On Fri, Oct 31, 2014 at 1:44 PM, Metzler, David metzlerd@evergreen.edu wrote:
Drupalgeddon identifies a few PHP files in FirePHP that comes with devel.
On 31 Oct 2014 19:51, "Patrick Avella" me@patrickavella.com wrote:
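The comparison Shai describes further down (a trusted checkout against what is on disk) can be scripted so that pattern-scanner false positives on legitimate code such as devel's FirePHP never come up: a file is reported only if its hash differs from the trusted copy, or if it is PHP sitting under the upload directory, which Drupal never writes itself. This is an added example in Python, not code from the thread or from the Drupalgeddon project; it assumes a stock Drupal 7 layout with uploads under sites/<site>/files and a pre-15-October copy of the codebase to hash as the baseline, and every file it writes in the demo is a constructed placeholder.

```python
"""Added example: audit a Drupal docroot against a known-good manifest.

Not code from the thread or from the Drupalgeddon project. Assumes a trusted
copy of the codebase (a checkout from before 15 Oct, as Shai describes) to hash
as the baseline, and uploads living at sites/<site>/files as in stock Drupal 7.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash one file in chunks so large uploads do not go through memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(docroot):
    """Map each regular file's docroot-relative path (slash-separated) to its sha256."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(docroot):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def diff_manifest(baseline, current):
    """Files that appeared, vanished, or changed content relative to the trusted tree."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def php_in_files_dir(manifest):
    """PHP under sites/*/files is never put there by Drupal itself, so list all of it."""
    hits = []
    for rel in manifest:
        parts = rel.split("/")
        inside_files = len(parts) > 3 and parts[0] == "sites" and parts[2] == "files"
        if inside_files and rel.lower().endswith((".php", ".phtml")):
            hits.append(rel)
    return sorted(hits)


def audit(baseline, current):
    """Full report: manifest diff plus PHP found in the upload directory."""
    report = diff_manifest(baseline, current)
    report["php_in_files"] = php_in_files_dir(current)
    return report


def write_tree(root, files):
    """Materialise a {relative_path: bytes} dict on disk (used only by the demo)."""
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo():
    """Constructed before/after trees. devel's FirePHP file is untouched and so is
    not reported; an appended line in index.php and a PHP file dropped under
    files/ both are. Contents are placeholders, not real Drupal or attacker code."""
    clean = {
        "index.php": b"<?php // constructed stand-in for index.php\n",
        "sites/all/modules/devel/FirePHP.class.php": b"<?php // constructed stand-in\n",
        "sites/default/files/logo.png": b"\x89PNG constructed placeholder\n",
    }
    compromised = dict(clean)
    compromised["index.php"] = clean["index.php"] + b"// constructed: unexpected change\n"
    compromised["sites/default/files/styles/cache.php"] = b"<?php // constructed placeholder\n"
    with tempfile.TemporaryDirectory() as before, tempfile.TemporaryDirectory() as after:
        write_tree(before, clean)
        write_tree(after, compromised)
        return audit(build_manifest(before), build_manifest(after))


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Against real trees the call is audit(build_manifest(trusted_checkout), build_manifest(live_docroot)). The files directory is not under version control, so there the added and php_in_files lists are what you read; each flagged path still gets opened and judged by hand before anything is deleted, and a baseline taken after the 15th proves nothing.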
In my case, attackers had created a role called drupaldev and a user called megauser belonging to that role.
On 31 Oct 2014 19:47, "Metzler, David" metzlerd@evergreen.edu wrote:
So far I have evidence of only one site hit. Just like Muzaffer reported, a role called drupaldev was created and a user named megauser was created. However, /the drupaldev role was assigned no permissions/. That seems a pretty poor back door. What can you do with no permissions?
That site had little new content so I could easily back up to my backup from the 14th and my files (except the files directory) were under version control. No files had been added or changed in the codebase.
I flushed the styles images and otherwise examined every single file in the files directory and subdirectories.
Shai
On 10/31/2014 01:52 PM, Muzaffer Tolga Ozses wrote:
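Patrick's question about checking the database, and the drupaldev/megauser indicators Muzaffer and Shai report, can be turned into two queries: roles that are not in your own baseline (with their permission and member counts, so Shai's "no permissions" observation is verified per site rather than assumed), and accounts created on or after the 15th together with the roles they hold. This is an added example in Python, not code from the thread or from Drupal; the queries touch only columns that exist in the stock Drupal 7 schema (role, role_permission, users, users_roles), the in-memory SQLite database in demo_db() is a constructed stand-in with just those columns, and KNOWN_ROLES and CUTOFF are assumptions you adjust for each site.

```python
"""Added example: look for rogue roles and accounts in a Drupal 7 database.

Not code from the thread or from Drupal. The queries only use columns that
exist in the stock Drupal 7 schema (role, role_permission, users, users_roles);
the SQLite database built in demo_db() is a constructed stand-in with just
those columns. KNOWN_ROLES and CUTOFF are assumptions to adjust per site.
"""
import sqlite3
from datetime import datetime, timezone

# Baseline of roles the site is supposed to have (assumption: stock D7 plus 'administrator').
KNOWN_ROLES = {"anonymous user", "authenticated user", "administrator"}

# Earliest account-creation time worth a look: 15 Oct 2014 00:00 UTC, the day of the attack.
CUTOFF = int(datetime(2014, 10, 15, tzinfo=timezone.utc).timestamp())  # 1413331200


def unknown_roles(conn, known=KNOWN_ROLES):
    """Roles outside the baseline, each with its permission count and member count."""
    rows = conn.execute(
        """SELECT r.rid, r.name,
                  (SELECT COUNT(*) FROM role_permission p WHERE p.rid = r.rid),
                  (SELECT COUNT(*) FROM users_roles ur WHERE ur.rid = r.rid)
           FROM role r ORDER BY r.rid"""
    ).fetchall()
    return [
        {"rid": rid, "name": name, "permissions": perms, "members": members}
        for rid, name, perms, members in rows
        if name not in known
    ]


def accounts_created_since(conn, cutoff=CUTOFF):
    """Accounts created at or after the cutoff (users.created is a Unix timestamp),
    with the roles they hold. uid 0 is the anonymous placeholder and is skipped."""
    rows = conn.execute(
        """SELECT u.uid, u.name, u.mail, u.created, u.status,
                  GROUP_CONCAT(r.name, ',')
           FROM users u
           LEFT JOIN users_roles ur ON ur.uid = u.uid
           LEFT JOIN role r ON r.rid = ur.rid
           WHERE u.uid > 0 AND u.created >= ?
           GROUP BY u.uid ORDER BY u.uid""",
        (cutoff,),
    ).fetchall()
    return [
        {"uid": uid, "name": name, "mail": mail, "created": created,
         "status": status, "roles": sorted(roles.split(",")) if roles else []}
        for uid, name, mail, created, status, roles in rows
    ]


def demo_db():
    """Constructed sample: one rogue role with no permissions and one account in it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, mail TEXT,
                               created INTEGER, status INTEGER);
           CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT);
           CREATE TABLE users_roles (uid INTEGER, rid INTEGER);
           CREATE TABLE role_permission (rid INTEGER, permission TEXT, module TEXT);
           -- constructed rows, not taken from any real site
           INSERT INTO role VALUES (1,'anonymous user'), (2,'authenticated user'),
                                   (3,'administrator'), (4,'drupaldev');
           INSERT INTO role_permission VALUES (2,'access content','node'),
                                              (3,'administer users','user');
           INSERT INTO users VALUES (0,'',NULL,0,0),
                                    (1,'admin','admin@example.com',1400000000,1),
                                    (7,'megauser','megauser@example.com',1413400000,1);
           INSERT INTO users_roles VALUES (1,3), (7,4);"""
    )
    return unknown_roles(conn), accounts_created_since(conn)


if __name__ == "__main__":
    roles, accounts = demo_db()
    print("roles outside baseline:", roles)
    print("accounts created since cutoff:", accounts)
```

Against a live site the same two SELECTs can be pasted into drush sql-cli; on MySQL the two-argument form becomes GROUP_CONCAT(r.name SEPARATOR ','). A role that carries no permissions and an account that belongs to it are still worth removing and recording, and the created timestamp only tells you which accounts to review, not that the ones from before the cutoff are clean.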