Skip to content

Instantly share code, notes, and snippets.

Last active August 29, 2015 14:07
  • Star 2 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
Remote code execution attempt: will insert this binary data into the menu_router table: #drupalsa05


This attack will add file_put_contents() as the access_callback in your menu_router table.

Subsequently, that path is used attempt to drop more exploit code.

Look in menu router for file_put_contents and remove it if found.

Copy link

There was a file in the codebase. I found the file when I tried to git pull my Drupal update and git complained of this file. Sites updated. Scary one though!

Copy link

tamerzg commented Oct 18, 2014

It seems that the file has random name and randomly gets inserted in one of the modules subdirectory, as i seen in in different directories on couple of my sites.
More info on how to find it and delete it:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment