I recently had one of my Drupal sites hacked. The Drupal core wasn't up to date with its security patches and consequently it left the backdoor open, allowing a hacker to add a malicious script to the Drupal core files.

This hack added a malicious script to Drupal’s core files, namely index.php and the .php and .js files inside the themes directory, among others.

If you ever come across something like this, follow the steps below to clean your files:

  • Look for a certain pattern in your hacked files. You can do this by opening your index.php file and looking for a pattern. In my own experience, the code was included between #ef09d2 and #ef09d2.
  • Once you find a pattern, substitute it for ef09d2 in the following command.

sudo find /path/to/web/directory -type f -iname "*.php" -exec sed -r -i ':a;N;$!ba;s/\#ef09d2\#.*\#\/ef09d2\#//g' {} \;

NOTE: Replace ef09d2 with the pattern you found in your hacked files.

  • Log in to your web server via SSH and run the command from your web root.
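The sed one-liner above edits files in place with no backup, only touches *.php, and its `.*` is greedy, so a file holding two injected blocks loses everything between the first opening marker and the last closing one. The following is an added example, not part of the original post: a dry-run scan plus a non-greedy cleanup that also covers .js files and backs up each file first. It assumes the marker format from the sed pattern (`#TOKEN#` ... `#/TOKEN#`); the function names and the backup directory are hypothetical.

```python
import re
import shutil
from pathlib import Path

SUFFIXES = (".php", ".js")  # the file types the post says were modified


def patterns(token):
    """Regexes for one complete injected block and for any marker left unpaired."""
    t = re.escape(token).encode()
    # .*? is non-greedy: stop at the nearest closing marker, so legitimate
    # code sitting between two injected blocks is left alone.
    block = re.compile(rb"#" + t + rb"#.*?#/" + t + rb"#", re.DOTALL)
    stray = re.compile(rb"#/?" + t + rb"#")
    return block, stray


def scan(root, token):
    """Dry run: {path: (complete_blocks, stray_markers)}; nothing is modified."""
    block, stray = patterns(token)
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SUFFIXES:
            rest, blocks = block.subn(b"", path.read_bytes())
            strays = len(stray.findall(rest))
            if blocks or strays:
                report[path] = (blocks, strays)
    return report


def clean(root, token, backup_dir):
    """Remove complete blocks, backing each file up first (outside the web root).

    Returns the files that still contain an unpaired marker and need a manual look.
    """
    block, _ = patterns(token)
    needs_review = []
    for path, (blocks, strays) in scan(root, token).items():
        copy = Path(backup_dir) / path.relative_to(root)
        copy.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, copy)  # keep the infected original as evidence
        if blocks:
            path.write_bytes(block.sub(b"", path.read_bytes()))
        if strays:
            needs_review.append(path)
    return needs_review
```

Call `scan()` first and read the report, then call `clean()` with a backup directory that the web server does not serve.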

All done, now stop stressing out and relax.