It's been more than a month since Drupageddon so I thought I would post an update of my previous post.Commands that help with auditing:

Showing files that have changed on the live server:

git status

Looking for code execution attempts via menu_router:

select * from menu_router where access_callback = 'file_put_contents'

Another possible code execution attempt via menu_router:

select * from menu_router where access_callback = 'assert';

Showing which files are on the live server and not in version control:

diff -r docroot repo | grep 'Only in docroot'

Looking for PHP files in the files directory:

find . -path "*php"

Looking for additional roles and users:

select * from role
select * from users_roles where rid=123

Checking the amount of time between when a user logged into your site and their most recent page visit:

select (s.timestamp - u.login) / 60 / 60 / 24 AS days_since_login, u.uid from sessions s inner join users u on s.uid = u.uid;

Commands that can help with recovery:

Apply the patch. Hotfix: (SA-CORE-2014-005)

curl https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch | patch -p1

End active sessions, i.e log everyone out.

TRUNCATE TABLE sessions;

Updating passwords:

update users set pass = concat('XYZ', sha(concat(pass, md5(rand()))));

If you need help regarding the recent drupal vulnerability feel free to contact me.

P.S.

Latest security advisory was today.

Tags:

• Drupageddon
• security
• drupalplanet

Tweet