Helper shell scripts and commands to scan for injected code - DrupalGeddon 2 - 3
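#!/bin/bash
# Run this inside your cPanel account or just in public_html drupal web root.
#
# Scans a Drupal web root for files and code constructs that the injected
# code relies on, then tightens file and folder permissions.
#
# 'set -e' is deliberately not used: grep exits 1 whenever a pattern has no
# matches, which is the desired outcome here and must not abort the run.
set -u

# Find the ico malware. favicon_*.ico is only listed, not deleted: a theme may
# legitimately ship such a file, so double check those by hand.
find . -type f -name 'favicon_*.ico' -print

# Delete the hidden ".<name>.ico" malware. Each path is printed before it is
# removed so the run leaves a record of what was deleted; copy the files
# somewhere outside the web root first if they are still needed as evidence.
find . -type f -name '.*.ico' -print -delete

# The hacker uses the constructs below in his code. Find all PHP files that
# contain them and delete the file if it is not part of Drupal, otherwise
# restore it from a clean copy or remove the injected code.
# The hacker injects code all over the place -- core, sites folder, themes
# folder, files folder etc. -- so the whole tree is scanned.
# find eval(), base64_decode(), @include, $_COOKIE and $GLOBALS in PHP files.
#
# "find -exec grep ... {} +" replaces "xargs -0 grep -r": with xargs, an empty
# result set (no *.php at all) would run "grep -r" with no file operands and
# scan every file under ".", and -r is not meaningful on files find already
# enumerated. -H keeps the filename prefix (which -r used to force), -n adds
# the line number, -i matches any case. The patterns are basic regexes: '\s*'
# allows whitespace before '(', and the leading '$' is escaped so it is a
# literal dollar sign rather than an end-of-line anchor.
for pattern in 'eval\s*(' 'base64_decode\s*(' '@include' '\$_COOKIE' '\$GLOBALS'; do
  printf '### %s\n' "$pattern"
  find . -type f -name '*.php' \
    -exec grep --binary-files=without-match -iHn -- "$pattern" {} +
done

# Lastly adjust file and folder permissions: directories 755, files 644,
# settings.php read-only and its directory non-writable so the web server
# user (or code running as it) cannot rewrite them.
find . -type d -exec chmod 755 -- {} +
find . -type f -exec chmod 644 -- {} +
chmod 444 -- sites/default/settings.php
chmod 555 -- sites/default/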
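#!/bin/bash
# This only removes all scattered index.php files added by the hacker in your
# drupal website, plus a few stock files that give away the Drupal version.
# Run this inside your Drupal web root. This is for Drupal only: it will break
# other CMS installations, so don't use it on another code base.
set -u

# Refuse to run outside what looks like a Drupal web root (a Drupal root ships
# index.php and a sites/ directory), because everything below deletes files
# relative to ".".
if [ ! -f index.php ] || [ ! -d sites ]; then
  printf 'error: %s must be run from the Drupal web root\n' "${0##*/}" >&2
  exit 1
fi

# Remove index.php scattered in Drupal sub folders. The premise is that Drupal
# itself does not place an index.php in these directories, so every hit is one
# the hacker dropped. Each removed path is printed to leave a record.
for dir in sites themes cgi-bin profiles scripts misc tmp; do
  [ -d "$dir" ] || continue   # a missing folder is not an error
  find "$dir" -type f -name 'index.php' -print -delete
done

# Remove unwanted TXT files; we don't want another hacker to have clues about
# what version of Drupal we run.
for name in CHANGELOG.txt COPYRIGHT.txt INSTALL.mysql.txt INSTALL.pgsql.txt \
            INSTALL.sqlite.txt INSTALL.txt LICENSE.txt MAINTAINERS.txt \
            README.txt UPGRADE.txt; do
  find . -type f -name "$name" -print -delete
done

# Remove error_log so that a fresh one is generated. The old log may show when
# and how the site was hit; copy it somewhere outside the web root first if
# that is still of interest.
find . -type f -name 'error_log' -print -delete

# Remove the cache and tmp folders and re-create them empty; the hacker also
# puts PHP files inside these folders.
rm -rf -- cache tmp
mkdir -- cache tmp

# .well-known is also where ACME (Let's Encrypt) HTTP challenges are served
# from; make sure nothing legitimate lives there before running this.
rm -rf -- .well-known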