Recovering a hacked Drupal system

In order to check if your Drupal 7 website has been hacked, install the following modules:

drush dl site_audit
drush dl drupalgeddon

clear drush cache and run:

drush cache-clear drush
drush asec

Some attack does two things: firstly, in creates NEW php files scattered throughout your directory structure. The files are all 494 bytes long, and end in "php" so they are easy to find. Run the following command to see if you have any:

find . -size 494c -name "*.php"

...and then run this command to delete them:

find . -size 494c -name "*.php" | xargs rm

And the second thing this exploit/attack does is alter EXISTING files with the malicious code. To see if any of your normal Drupal PHP files have been injected with this PCT4B code, go to the root of your site and issue the following command:

grep -Rl PCT4BA6ODSE .

This will look through your entire site, looking for instances of either newly-created or pre-existing files that have been hacked with this variant - files that will now allow outside attackers to bounce commands off your server. Assuming the result of this command indeed lists affected files, you can then run this additional command:

grep -Rl PCT4BA6ODSE . | xargs sed -i 's/<[?]php.*PCT4BA6ODSE_.*[?]>/<\?php \/\/ RECOVERED FILE \?>/g'

This will sweep through all affected files, removing the malicious code but saving the rest of the file.

Additionally you can install and check your website with


The following commands are optional to launch and check as they often give false alerts, but often times they also help to identify infected files:

find . -type f -name '*.php' | xargs grep -l "eval *(" --color
find . -type f -name '*.php' | xargs grep -l "base64_decode *(" --color
find . -type f -name '*.php' | xargs grep -l "gzinflate *(" --color

You might also want to additionally search your server for the following files:


You might also read similar post on

Add new comment

Filtered HTML

  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <pre>
  • Lines and paragraphs break automatically.
  • Web page addresses and e-mail addresses turn into links automatically.

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.