@danreb
Last active July 9, 2018 00:45
Helper shell scripts and commands to scan for injected code after Drupalgeddon 2 / 3
#!/bin/bash
# Run this inside your cPanel account, or directly in the public_html Drupal web root
# Find the dropped .ico malware files
find . -type f -name "favicon_*.ico"
find . -type f -name ".*.ico"
# Delete the malware. I did not delete favicon_*.ico as you need to double-check those manually
find . -type f -name ".*.ico" -exec rm -f {} \;
# The hacker uses the functions below in his code. Find all PHP files that use them and
# delete the files if they are not part of Drupal, or otherwise remove the injected code.
# The hacker injects code all over the place: core, the sites folder, the themes folder, the files folder, etc.
# These commands let you inspect all your PHP files easily.
# find eval(), base64_decode(), @include, $_COOKIE and $GLOBALS in PHP files
find . \( -name "*.php" \) -type f -print0 | xargs -0 grep --binary-files=without-match -ir "eval\s*("
find . \( -name "*.php" \) -type f -print0 | xargs -0 grep --binary-files=without-match -ir "base64_decode\s*("
find . \( -name "*.php" \) -type f -print0 | xargs -0 grep --binary-files=without-match -ir "@include"
find . \( -name "*.php" \) -type f -print0 | xargs -0 grep --binary-files=without-match -ir '$_COOKIE'
find . \( -name "*.php" \) -type f -print0 | xargs -0 grep --binary-files=without-match -ir '$GLOBALS'
# Lastly, adjust file and folder permissions
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
chmod 444 sites/default/settings.php
chmod 555 sites/default/

#!/bin/bash
# This only removes the index.php files the hacker scattered through your Drupal website.
# Run this inside your Drupal web root. It will break other CMS installations, so don't use it in another code base.
# This is for Drupal only
# Remove index.php files scattered in Drupal sub folders
find sites -type f -name "index.php" -exec rm -f {} \;
find themes -type f -name "index.php" -exec rm -f {} \;
find cgi-bin -type f -name "index.php" -exec rm -f {} \;
find profiles -type f -name "index.php" -exec rm -f {} \;
find scripts -type f -name "index.php" -exec rm -f {} \;
find misc -type f -name "index.php" -exec rm -f {} \;
find tmp -type f -name "index.php" -exec rm -f {} \;
# Remove unwanted TXT files; we don't want another hacker getting clues about which Drupal version we run
find . -type f -name "CHANGELOG.txt" -exec rm -f {} \;
find . -type f -name "COPYRIGHT.txt" -exec rm -f {} \;
find . -type f -name "INSTALL.mysql.txt" -exec rm -f {} \;
find . -type f -name "INSTALL.pgsql.txt" -exec rm -f {} \;
find . -type f -name "INSTALL.sqlite.txt" -exec rm -f {} \;
find . -type f -name "INSTALL.txt" -exec rm -f {} \;
find . -type f -name "LICENSE.txt" -exec rm -f {} \;
find . -type f -name "MAINTAINERS.txt" -exec rm -f {} \;
find . -type f -name "README.txt" -exec rm -f {} \;
find . -type f -name "UPGRADE.txt" -exec rm -f {} \;
# Remove error_log so a fresh one is generated
find . -type f -name "error_log" -exec rm -f {} \;
# Remove the cache and tmp folders and re-create them; the hacker also put PHP files inside these folders
rm -rf cache tmp
mkdir cache tmp
rm -rf .well-known
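An added example, not part of the gist, that runs the checks of both scripts above in report-only mode, so each hit can be reviewed (for example diffed against a clean Drupal copy) before anything is deleted. The sample web root it builds is constructed here and contains no real malware.

```shell
#!/bin/bash
# Added example, not from the gist: report-only pass over a Drupal web root using
# the same indicators the two scripts above act on, so hits can be reviewed first.

# The gist's five PHP indicators as one case-insensitive extended regex.
PATTERNS='eval[[:space:]]*\(|base64_decode[[:space:]]*\(|@include|\$_COOKIE|\$GLOBALS'
# Directories in which the gist treats index.php as injected (Drupal 7 layout).
STRAY_DIRS='sites themes cgi-bin profiles scripts misc tmp'

# scan_php ROOT: prints "file:matching-lines" for each PHP file with a hit.
# -I skips binaries, like the gist's --binary-files=without-match.
scan_php() {
  find "$1" -type f -name '*.php' -exec grep -I -i -E -c "$PATTERNS" /dev/null {} + 2>/dev/null \
    | grep -v ':0$' || true
}

# scan_ico ROOT: prints the dropped favicon_*.ico and dot-prefixed .ico files.
scan_ico() {
  find "$1" -type f \( -name 'favicon_*.ico' -o -name '.*.ico' \) -print
}

# stray_index ROOT: prints index.php files under the directories the gist clears.
stray_index() {
  for sub in $STRAY_DIRS; do
    [ -d "$1/$sub" ] && find "$1/$sub" -type f -name 'index.php' -print
  done
  return 0
}

# report ROOT: combined listing; returns 0 if clean, 1 if anything was found.
report() {
  hits=$( { scan_php "$1"; scan_ico "$1"; stray_index "$1"; } )
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# make_fixture DIR: constructed sample web root for a dry run (not real malware).
make_fixture() {
  mkdir -p "$1/sites/default" "$1/themes/x"
  printf '<?php\n$x = 1;\n' > "$1/index.php"                       # legitimate
  printf '<?php\nEVAL (1);\nbase64_decode(2);\n$c = $_COOKIE;\n' \
    > "$1/sites/default/inj.php"                                     # 3 matching lines
  printf '<?php\n' > "$1/themes/x/index.php"                        # stray index.php
  : > "$1/sites/.hidden.ico"                                         # dropped ico
}
```

Run `make_fixture /tmp/site && report /tmp/site` for a dry run; on a real web root call `report .` and review every listed file before removing it.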