Note: We don't actually recommend that you use this tool, except for academic purposes. If you're still checking an un-patched or un-updated Drupal 7 site that is accessible to the public for hacks today, there's a strong probability that your site is already compromised. See #2373453: Drupalgeddon project long-term support plans for details.


Consider Also

You should look into these tools also.

About this module

Drupalgeddon (with an "L") checks for backdoors and other traces of known Drupal exploits of "Drupageddon" (no "L"), aka SA-CORE-2014-005 SQL injection. Drupalgeddon is not a module; it's a Drush command.

This is a signature-based diagnostic tool, and can not guarantee a website has not been compromised.

Instead, websites that were vulnerable to exploits of SA-CORE-2014-005 (Drupageddon) should be restored from backups from before 15 October 2014. Drupalgeddon drush command is only useful when restoring from backups is not an option and sufficient expertise is available to attempt a labourious manual recovery. Even then, neither Drupalgeddon nor an expert can guarantee a website has not been compromised. They can only confirm with certainty that a site has been compromised. This is because:

  • Drupageddon attacks may not leave any trace at all
  • Attacks that do leave traces change faster than what Drupalgeddon maintainers can keep up with
  • It is impossible to think of all the places that attackers might hide a backdoor.

There are known exploits that Drupalgeddon does not yet check for. Contributions are welcome (see below).

If you decide to use Drupalgeddon; Good luck to you; You will need it.

For more information on Drupalgeddon:

Please contribute

Your contributions to add new checks are very welcome. It's easy to add new tests (see the "checks" directory). If you're seeing a new pattern injected into sites, please report the signature by submitting a new check to the issue queue.

Installation

With Site Audit

Since you're doing this, take a couple of extra steps and up your game significantly by installing Site Audit as well. In your home directory (so it installs to ~/.drush and is available for all your sites)

drush dl site_audit
drush dl drupalgeddon
drush cache-clear drush

Then, to use (in the sites directory or using Drush aliases)

drush asec

Next step: Explore the other useful reports that Site Audit offers!

Just the Drupalgeddon, thanks

In your home directory,

drush dl drupalgeddon
drush cache-clear drush

Then, to use (in the sites directory or using Drush aliases)

drush @example.org drupalgeddon-test

Output / results

Drupalgeddon alone, demonstrating a Drush alias group here to test multiple sites at once, a great timesaver.

$ drush -y @sites drupalgeddon-test
You are about to execute 'drupalgeddon-test' non-interactively (--yes forced) on all of the following targets:
sites.abcd-d6.example.org       >> Site is not Drupal 7.                     [ok]
sites.abcde.example.org         >> Site did not test positive. Good luck!    [ok]
sites.abcdef.example.org        >> Site did not test positive. Good luck!    [ok]
sites.abcdefg.example.org       >> Site did not test positive. Good luck!    [ok]

A single site Site Audit security report:

$ drush asec
Security: 25%
  Drupalgeddon users
    The following users have been detected: #3: configure [error]
      Delete the offending users from your site and check for other malicious activity.
  Drupalgeddon roles
    The following roles have been detected: #4: megauser [error]
      Delete the offending roles from your site and check for other malicious activity.
  Drupalgeddon suspicious files
    The following suspicious files have been detected: [error]
      - /path/to/malicious/file.php
      Restore your codebase from a backup if possible. If not, delete the offending files from your site and check for other malicious activity.

A single Site Audit report of all sections using HTML and bootstrap:

Site Audit Security Report

Supporting organizations: 
Primary Development
Site Audit integration

Project Information

Downloads