Linux and Drush commands every Drupal developer needs to know to carry out a security audit (discovery).

Quick overview

Looking for available security updates (the -n answers "no" to the update prompt, so this only lists them without applying anything):

drush up --security-only -n

Review the findings of the Security Review module (mark the anonymous and authenticated roles, rids 1 and 2 in the output below, as untrusted before running the checks, otherwise permission findings are meaningless):

drush dl security_review --dev
drush en -y security_review
drush ev 'print json_encode(user_roles()) . "\n";'
{"1":"anonymous user","2":"authenticated user","3":"administrator","4":"Site Editor","5":"Site Manager","6":"Volunteer","7":"Site Super Manager"}
drush vset --format=json security_review_untrusted_roles '[1,2]'
drush secrev --results

Checking whether the PHP filter module is enabled (it lets anyone allowed to use the "PHP code" text format run arbitrary PHP, and should be disabled on a production site; confirm the grep hit is the php module itself and not just a module whose name contains "php"):

drush pm-list --pipe --type=module --status=enabled | grep php

Determining the amount of custom code (template.php, theme-settings.php and any PHP the theme includes are where most custom code lives; the line count gives a feel for how much needs manual review):

find sites/all/themes/example -name '*.php' | xargs wc -l
wc -l sites/all/themes/example/template.php
wc -l sites/all/themes/example/theme-settings.php

Looking for evidence of a compromise in Google's index of the site (spam keywords injected into pages usually show up there before anyone on the site notices):

site:example.com viagra

Database

Looking for evidence of a compromise in the menu_router table (Drupalgeddon attackers inserted router entries whose callback is a PHP function that executes its arguments; run the same three queries against page_callback as well, and quote the database name with backticks because it contains a dot):

use `example.com`;
select * from menu_router where access_callback = 'file_put_contents';
select * from menu_router where access_callback = 'assert';
select * from menu_router where access_callback = 'php_eval';

Reviewing the "Super" administrator account (uid 1 bypasses every permission check, so confirm its name, mail, status and last access are what you expect):

mysql> select * from users where uid=1;

Looking for evidence of a compromise in the role table (an extra role, or a renamed one, that nobody remembers creating):

mysql> select * from role order by rid;
+-----+--------------------+--------+
| rid | name               | weight |
+-----+--------------------+--------+
|   1 | anonymous user     |      0 |
|   2 | authenticated user |      1 |
|   3 | administrator      |      2 |

Looking for unknown privileged accounts (every uid holding the administrator role, rid 3 here, must be accounted for; check the uids against the users table):

mysql> select * from users_roles where rid=3 order by uid;
…

Looking for suspicious users with the drupalgeddon module:

drush dl drupalgeddon --dev
drush en -y drupalgeddon
drush asec

Drupal code

Looking for code changes in Drupal core:

If Git is installed (this shows only uncommitted changes, so also compare the checkout against the tag you deployed):
git status
If Git is not installed, the Hacked! module downloads a pristine copy of each project from drupal.org and compares it with what is on disk (it needs outbound network access, and the Diff module for the diff output):
drush dl hacked diff
drush en -y hacked diff
drush hlp
drush hd drupal
drush hacked-diff drupal

Similarly, look for changes in contributed modules.

Looking for evidence of a compromise in custom themes and modules.

If Git is installed:
git status
If Git is not installed:
find ./ -type f -mtime -7 #List all files modified in the last 7 days

Run the find from the docroot, and widen the 7-day window to cover the time since the last known-good deployment. A clean result is not proof of anything, since an attacker can reset timestamps with touch.

You can find the default theme with "drush status theme".
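For trees that are not in Git, a baseline-and-verify check is more reliable than looking at modification times. The script below is an added example, not code from the original post or from the Hacked! module: it hashes every file under a root (skipping the files directory, which Drupal writes to at runtime) into a manifest, and later reports files that were modified, added or removed, whatever their timestamps say. It assumes sha256sum or shasum and mktemp are available; the exclude pattern and the demo tree are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: record a hash manifest of a code
# tree and later verify it, so edits are caught even when timestamps were reset.
# Keep the manifest off the web server, or an attacker can simply regenerate it.

# Paths Drupal itself writes to at runtime (false positives otherwise).
# Assumed pattern; adjust to the site layout.
EXCLUDE_RE='/sites/[^/]*/files/|/\.git/'

# Print "<sha256>  <path>" for one file, with whichever tool the host has.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Write a manifest of every regular file under $1 into $2.
baseline_manifest() {
  root="$1"; out="$2"
  (
    cd "$root" || exit 1
    find . -type f | grep -Ev "$EXCLUDE_RE" | LC_ALL=C sort | while read -r f; do
      hash_file "$f"
    done
  ) > "$out"
}

# Rebuild the manifest for $1 and compare it with the saved one in $2.
# Prints MODIFIED/ADDED/REMOVED lines and returns 1 if anything differs.
verify_manifest() {
  root="$1"; manifest="$2"
  current=$(mktemp)
  baseline_manifest "$root" "$current"
  # The hash is 64 hex chars followed by two spaces, so the path starts at column 67.
  diffs=$(awk '
    FILENAME == ARGV[1] { old[substr($0, 67)] = $1; next }
                        { new[substr($0, 67)] = $1 }
    END {
      for (p in old) if (!(p in new)) print "REMOVED\t" p
      for (p in new) {
        if (!(p in old)) print "ADDED\t" p
        else if (new[p] != old[p]) print "MODIFIED\t" p
      }
    }' "$manifest" "$current" | LC_ALL=C sort)
  rm -f "$current"
  [ -z "$diffs" ] && return 0
  printf '%s\n' "$diffs"
  return 1
}

# Constructed demo tree (not a real Drupal checkout): a core module, a theme
# file and a runtime-written CSS aggregate that must be ignored.
make_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/modules/system" "$d/sites/default/files"
  printf '<?php\n// core module\n' > "$d/modules/system/system.module"
  printf '<?php\n// theme\n' > "$d/template.php"
  printf 'body{}\n' > "$d/sites/default/files/css_abc.css"
  printf '%s\n' "$d"
}

# Usage: baseline_manifest /var/www/drupal /root/drupal.sha256   (right after deploying)
#        verify_manifest   /var/www/drupal /root/drupal.sha256   (during the audit)
```

Take the baseline from a deployment you trust, not from the box you are auditing, or the manifest will bless whatever is already there.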

Looking for evidence of a compromise in the files directory (nothing under sites/*/files should ever be PHP, and the .htaccess Drupal places there must still be stopping scripts from executing):

find sites/default/files/ -name "*.php"

Other useful commands

Status information

drush core-status

Disabled modules (their code still sits in the docroot; uninstall and remove the ones that are not needed):

drush pm-list --pipe --type=module --status=disabled --no-core

You'll also find the following linux commands very helpful.

If you need support for your Drupal website, please send me an email at [email protected] and let me know what services you need.