It's been more than a month since Drupageddon, so I thought I would post an update to my previous post.
Commands that help with auditing:
Showing files that have changed on the live server:
Looking for code execution attempts via menu_router:
select * from menu_router where access_callback = 'file_put_contents';
Another possible code execution attempt via menu_router:
select * from menu_router where access_callback = 'assert';
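The two menu_router checks above, generalized as an added example (not part of the original post): it tests every callback column against a list of PHP functions that write files or run code, and prints a query you can paste into the database client. The function names beyond file_put_contents and assert, the helper names, and the sample rows are assumptions; SQLite stands in for the site database so the script runs offline.

```python
import sqlite3

# Callback columns of Drupal 7's menu_router table.
CALLBACK_COLUMNS = ("access_callback", "page_callback", "title_callback",
                    "delivery_callback", "theme_callback")
# Assumption: PHP built-ins that write files or run code and have no place
# as a route callback. The page itself names only the first two.
SUSPICIOUS = ("file_put_contents", "assert", "system", "exec", "passthru",
              "shell_exec", "popen", "proc_open", "call_user_func",
              "create_function", "preg_replace")

def build_audit_sql():
    """One SELECT per callback column, joined with UNION ALL.
    Names come from the constants above, never from user input.
    LOWER() is used because PHP function names are case-insensitive."""
    names = ", ".join("'%s'" % n for n in SUSPICIOUS)
    parts = ["SELECT path, '%s' AS matched_column, %s AS callback "
             "FROM menu_router WHERE LOWER(%s) IN (%s)" % (c, c, c, names)
             for c in CALLBACK_COLUMNS]
    return "\nUNION ALL\n".join(parts) + "\nORDER BY path, matched_column;"

def audit(conn):
    """Return (path, matched_column, callback) for every suspicious row."""
    return conn.execute(build_audit_sql()).fetchall()

def sample_db():
    """Constructed rows: two normal routes and three tampered ones."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE menu_router (path TEXT, %s)"
                 % ", ".join(c + " TEXT" for c in CALLBACK_COLUMNS))
    rows = [
        ("node/%", "node_access", "node_page_view", "node_page_title", "", ""),
        ("admin", "user_access", "system_admin_menu_block_page", "t", "", ""),
        ("constructed/a", "file_put_contents", "", "t", "", ""),
        ("constructed/b", "Assert", "", "t", "", ""),
        ("constructed/c", "user_access", "passthru", "t", "", ""),
    ]
    conn.executemany("INSERT INTO menu_router VALUES (?,?,?,?,?,?)", rows)
    return conn

if __name__ == "__main__":
    print(build_audit_sql())          # query to run against the real site
    for hit in audit(sample_db()):    # demonstration on the constructed rows
        print(hit)
```

The match is exact rather than a LIKE pattern, so a legitimate callback such as system_admin_menu_block_page is not flagged just because it contains "system".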
Showing which files are on the live server and not in version control:
diff -r docroot repo | grep 'Only in docroot'
Looking for PHP files in the files directory:
find . -path "*php"
Looking for additional roles and users:
select * from role;
select * from users_roles where rid=123;
Checking the amount of time between when a user logged into your site and their most recent page visit:
select (s.timestamp - u.login) / 60 / 60 / 24 AS days_since_login, u.uid from sessions s inner join users u on s.uid = u.uid;
Commands that can help with recovery:
Apply the patch. Hotfix: (SA-CORE-2014-005)
curl https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch | patch -p1
End active sessions, i.e. log everyone out.
truncate table sessions;
Invalidate all existing password hashes so every user has to reset their password:
update users set pass = concat('XYZ', sha(concat(pass, md5(rand()))));
If you need help regarding the recent Drupal vulnerability, feel free to contact me.
Latest security advisory was today.