[Drupal] Steps to recover hacked Drupal sites


Today most websites are hacked by malware and viruses, so security is an important part of any website. Follow these steps to recover a hacked Drupal site.

Step 1. Take the website down

Immediately take down the website. There are two reasons for this. One is to prevent visitors from receiving malicious code, seeing error messages, etc.
The other is to prevent the hacker from causing further damage to your site.

Step 2. Contact the hosting provider

Inform your hosting provider; they will help you find out what happened and how to recover from it.

Step 3. Change all user and account passwords

Change all passwords, including those for the hosting control panel and FTP accounts. Check your site's user accounts to see whether a new user has been created.

Step 4. Take a backup of the website

Take a backup of the website, including code and database. Download the backup file from the remote server.

Step 5. git status

Run git status in the site's repository, then remove all untracked files.

Step 6. Check for code execution attempts via menu_router

          select * from menu_router where access_callback = 'file_put_contents';

Another option is:

          select * from menu_router where access_callback = 'assert';

Step 7. Look for PHP files in the directory

          find . -path "*php"

Step 8. Find all users

          select * from users;

Step 9. Delete all sessions

          truncate table sessions;

Step 10. Revert to master

          git reset HEAD filename

Step 11. Take the website live

HOW TO PREVENT A FUTURE HACKING

  • Back up all data and files
  • Stop using generic usernames and passwords
  • Maintain secure passwords
  • Protect .htaccess
  • Check file and folder permissions
  • Add reCAPTCHA to the login page
  • Restrict uploaded content
  • Update everything