After a Drupal site got hacked

Just like last year’s Drupal security issue, Drupal sites not updated are easily got hacked. To recover from that, it’s better to restore everything from a clean backup( files & db ).

But if you don’t have a clean backup, and the database has too much data you can’t simply rebuild the site. Then maybe here is something you can do. But remember, there is no 100% guarantee you can remove all the backdoors and malwares.


Look at this simple step to confirm that you were hacked: How to Check Your Drupal Site Security

As in above article mentioned, you need to notice the data table ‘menu_route’, searching for file_put_contents like below:

Also look at the users & users_roles tables. Here are some typical names that the hackers used:

  • drupaldev
  • megauser
  • system
  • admin122


Using some module to check the site:

There is a module called Drupalgeddon which was designed to look for back doors.

The module creators say very honestly that this module is not perfect. It may miss some exploits and it may produce some false positives, but it may also help you uncover some suspicious files.

There are other modules that may help including Hacked and Site Audit.

You can find modified files based on date: Linux / Unix: Find Files Modified On Specific Date

Update your site as soon as possible.

Finally, install some module to secure your site:

Leave a Reply