Ways to recover a hacked Drupal system with 'PCT4BA6ODSE' in its PHP files

How to un-fudge a system after you've patched it for so-called "Drupageddon"

For those seeing 'PCT4BA6ODSE' in their PHP files - I have some easy commands to run for scrubbing these hacks out of your site completely (in case you do not have backups). This will not fix the underlying issue, but if you find that your PHP files have been devoured by the hackers, this will at least clean up the files without damaging them.

This attack does two things: firstly, it creates NEW PHP files scattered throughout your directory structure. The files are all 494 bytes long and end in "php", so they are easy to find. Run the following command to see if you have any:

find . -size 494c -name "*.php"
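
A size match alone can also hit legitimate files, so it helps to record what matched before removing anything. The following is an added example, not part of the original post: a read-only inventory of the two indicators named above (494-byte *.php files and *.php files containing 'PCT4BA6ODSE'), with a SHA-256 for each match. The function name is hypothetical and `sha256sum` from GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example: read-only inventory, nothing is modified or deleted.
# The marker string and the 494-byte size come from the post;
# the function name scan_php_indicators is hypothetical.
MARKER='PCT4BA6ODSE'

# Prints one tab-separated line per suspicious *.php file under $1:
#   size_match  marker_match  sha256  path
# size_match   = yes when the file is exactly 494 bytes
# marker_match = yes when the file contains the marker string
scan_php_indicators() {
    find "${1:-.}" -type f -name '*.php' -exec sh -c '
        marker=$1; shift
        for f in "$@"; do
            size=no; hit=no
            # wc -c on stdin prints only the byte count
            [ "$(wc -c < "$f")" -eq 494 ] && size=yes
            # -F: fixed string, -q: exit status only
            grep -q -F -- "$marker" "$f" && hit=yes
            # skip files that match neither indicator
            [ "$size" = no ] && [ "$hit" = no ] && continue
            sum=$(sha256sum < "$f" | cut -d" " -f1)
            printf "%s\t%s\t%s\t%s\n" "$size" "$hit" "$sum" "$f"
        done
    ' sh "$MARKER" {} +
}

# Usage (the path is only an example):
#   scan_php_indicators /path/to/drupal > indicators.tsv
```

Keep the resulting list with your incident notes: lines with `yes` in the second column are existing files that need cleaning or restoring rather than deleting.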

...and then run this command to delete them:


