Seeing if your drupal core is hacked
I have been hired to debug someone's drupal installation, as their previous developer basically stopped talking to them. They are in pretty rough shape: they have a couple of custom modules that are working together, a lot of the code is broken, stuff is really jacked up.
I noticed that the version of drupal they are running was 4 releases behind the current one, which is generally bad news. Not only are there important security updates missing, but the fact that it was never upgraded led me to believe the previous developers had changed the core code. This is a catastrophe because you lose all those changes every time you upgrade drupal.
Hopefully someone, somewhere will need to do something similar. This solution will work anytime you need to find out if there are differences in files between two directory structures.
Thanks to the guys at #linux on efnet for helping me.
Step one was to download drupal 5.11, which is what my client was running (5.15 was the latest 5.x release at the time of this writing).
I untarred the tar.gz file in the same parent directory as the existing drupal installation. For the sake of clarity, I will refer to the clean unpacked drupal tree as 'unhacked' and the existing drupal installation as 'hacked'.
The first thing we need to do is get a list of all the files in both directories.
cd unhacked
find > /tmp/unhacked.files
cd ../hacked
find > /tmp/hacked.files
Now we only want to check the files that are in the original drupal installation, so we need to filter out the ones that are not in both.
grep -x -F -f /tmp/unhacked.files /tmp/hacked.files > /tmp/common.files
(-x matches whole lines and -F treats each listed path as a fixed string rather than a regular expression, so the dots in the paths cannot match other characters.) /tmp/unhacked.files should be the same as /tmp/common.files in our case, so it's somewhat redundant for drupal, but for the more general case of checking the same files within two different directory structures it isn't redundant.
In any case, now we need to get an md5sum for each file in the structures so we can compare them to see if they've been edited.
cd ../unhacked
cat /tmp/common.files | xargs md5sum > /tmp/unhacked.md5
cd ../hacked
cat /tmp/common.files | xargs md5sum > /tmp/hacked.md5
Now we simply check to see which md5sums are different.
diff /tmp/unhacked.md5 /tmp/hacked.md5 > files.changed.diff
Just as I expected! Three files are different: jquery.js, common.inc and settings.php.
The big no-no here is common.inc. This file should not be touched in almost any case. Now to see what the differences are between the two common.inc files:
diff ../unhacked/includes/common.inc includes/common.inc > /tmp/common.inc.differences
And then you can figure out wtf they did and why. Cheers
[17:54:28][conversationer@zihark:~/drupal-5.11]$ cat differences.hacked
22c22
< 22f97a73d88b69276ef0dc62c42c69b6 ./misc/jquery.js
---
> ebe0ea764139f30972055e9f79972277 ./misc/jquery.js
50c50
< f08c3b48c5021f39131a675ef24804d4 ./includes/common.inc
---
> 2df814ae69837e58073c614a6912397c ./includes/common.inc
77c77
< bc679d20964f126955cfd246ef463449 ./sites/default/settings.php
---
> d79a8cf36f0be9b31ae5066577f939db ./sites/default/settings.ph
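The same tree comparison (list the files in the clean tree, hash each one on both sides, report the ones whose hashes differ) as a single self-contained POSIX shell script. This is an added example and not the post's own commands: it builds two small constructed directory trees under a temporary directory (the paths and file contents are made up), uses sha256sum rather than md5sum, and additionally lists files that exist only in the deployed tree, which a diff of hash lists built from the clean file list can never show. The function names (list_files, changed_files, extra_files, make_sample_trees) are mine.

```shell
#!/bin/sh
# Added example, not the post's own commands. Compares a clean tree against a deployed
# one: every regular file in the clean tree is hashed on both sides, and files that
# exist only in the deployed tree are reported separately. All paths and file contents
# below are constructed for the demonstration.
set -u
export LC_ALL=C   # one collation order for both sort and comm

# List regular files under a tree as ./relative paths, sorted so both sides line up.
list_files() {
    (cd "$1" && find . -type f | sort)
}

# Hash one file; sha256sum is used here instead of the post's md5sum.
file_hash() {
    sha256sum < "$1" | cut -d' ' -f1
}

# Report each file of the clean tree ($1) that is CHANGED or MISSING in the deployed tree ($2).
changed_files() {
    clean=$1
    deployed=$2
    list_files "$clean" | while IFS= read -r f; do
        if [ ! -f "$deployed/$f" ]; then
            printf 'MISSING %s\n' "$f"
        elif [ "$(file_hash "$clean/$f")" != "$(file_hash "$deployed/$f")" ]; then
            printf 'CHANGED %s\n' "$f"
        fi
    done
}

# Report files present in the deployed tree ($2) but absent from the clean tree ($1).
# Hash lists driven by the clean file list alone never look at these.
extra_files() {
    clean_list=$(mktemp)
    deployed_list=$(mktemp)
    list_files "$1" > "$clean_list"
    list_files "$2" > "$deployed_list"
    comm -13 "$clean_list" "$deployed_list"
    rm -f "$clean_list" "$deployed_list"
}

# Build two constructed trees: a clean copy and a deployed copy that diverges the way
# the post describes (a patched core include and a site-specific settings.php), plus
# one file that only the deployed copy has. Prints the temporary base directory.
make_sample_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/unhacked/includes" "$base/unhacked/misc" "$base/unhacked/sites/default"
    printf '<?php function drupal_bootstrap() {}\n' > "$base/unhacked/includes/common.inc"
    printf '<?php function drupal_load() {}\n' > "$base/unhacked/includes/bootstrap.inc"
    printf 'var jQuery = {};\n' > "$base/unhacked/misc/jquery.js"
    printf '<?php $db_url = "mysql://u:p@localhost/db";\n' > "$base/unhacked/sites/default/settings.php"
    cp -R "$base/unhacked" "$base/hacked"
    printf '<?php function drupal_bootstrap() { /* local patch */ }\n' > "$base/hacked/includes/common.inc"
    printf '<?php $db_url = "mysql://client:secret@localhost/clientdb";\n' > "$base/hacked/sites/default/settings.php"
    printf '<?php echo "only in the deployed copy";\n' > "$base/hacked/sites/default/extra.php"
    printf '%s\n' "$base"
}

# Run against the constructed trees. For a real site the calls would be, for example,
# changed_files ./drupal-5.11 ./hacked and extra_files ./drupal-5.11 ./hacked.
demo() {
    base=$(make_sample_trees)
    echo '== changed or missing, relative to the clean tree =='
    changed_files "$base/unhacked" "$base/hacked"
    echo '== present only in the deployed tree =='
    extra_files "$base/unhacked" "$base/hacked"
    rm -rf "$base"
}
demo
```

Because the file list comes from the clean tree and is walked in the same sorted order on both sides, the report does not depend on the order in which find happens to return entries in each directory. The extra_files report is the part the post's hash diff lacks: a modified site can carry files the clean tarball never contained, and those only show up when the deployed tree's listing is compared against the clean one as well.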
Comments
modded not hacked
When reading the title of this post, I was expecting a malicious modification made to drupal by a third party. Maybe there is a linux exploit that can hack the core so that a drupal-based site emits the hacker's own viagra ads?
Upon further reading, I realized that the core has merely been modified. Sure, nobody should modify the core, but when you're being paid hourly sometimes it is much quicker to 'mod' the core than your own project sources. In fact, in my own programming projects I often have to modify exterior sources. Documenting such changes is of utmost importance.
Kudos for finding a nice way to diff your client's core with the sources.