0

Possible Duplicate:
My server's been hacked EMERGENCY

I've got a new client whose site looks like it has been hacked. It's running Drupal and I have run Hacked on it to verify that the file structure hasn't changed. I can add the Paranoia module, but it's a bit late.

Unfortunately, the site was developed with a lot of PHP code inserted directly into nodes, so a lot of custom code is sitting in the database. It's all run through eval().

What I'd like to know is how to quickly search through the database to determine if there is malicious PHP or Javascript that I need to clean up before migrating the site over to a more secure environment.

I can search for '' so could search for that.

Any thoughts or best practices would be appreciated.

Community
  • 1
Mike Gifford
  • 113
  • 7

1 Answers1

0

To hide the source code, the most common method hackers use is encode it using base64 and then use base64_decode and eval() function to execute the code at runtime.

So, I would suggest you dump your database as text by using mysqldump, then search for base64 string.

quanta
  • 50,327
  • 19
  • 152
  • 213