When your Drupal site has been hacked, it is important to rapidly assess the damage and take action.
The first order of business is to determine which of the following you are facing:
- A user has managed to add undesirable content to your website by exploiting loose permissions settings
- A user has managed to deface your website by exploiting a code weakness
- Your Drupal installation has been exploited and somebody else now has administrative access to your CMS
- Your Drupal installation has been severely compromised and somebody else now has control over your entire server
After confirming which of these scenarios applies, you can decide on the best course of action, which is likely to be one of the following:
- Tightening user permissions and auditing user accounts, deleting where appropriate
- Applying security patches to core, contributed and custom modules
- Starting with a known clean backup and then auditing users, permissions and the Drupal code base to close security holes
- Rebuilding both your server and the Drupal code base from scratch, including auditing and migrating data, because it is not possible to determine the extent of the breach
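For the account audit mentioned in the first option, a query like the following lists the accounts worth reviewing first. It is an added example, not part of the original article, and it assumes the Drupal 8+ default schema (`users_field_data`, `user__roles`) on MySQL/MariaDB with no table prefix, a role machine name of `administrator`, and a 30-day review window chosen for illustration.

```sql
-- Added example: run read-only against a copy of the site database.
-- Assumptions: Drupal 8+ default schema, MySQL/MariaDB, no table prefix,
-- 'administrator' role machine name, 30-day window (adjust to the incident).
SELECT
    u.uid,
    u.name,
    u.mail,
    u.status,                                        -- 1 = active, 0 = blocked
    GROUP_CONCAT(r.roles_target_id
                 ORDER BY r.roles_target_id) AS roles,
    FROM_UNIXTIME(u.created)                 AS created_at,
    FROM_UNIXTIME(u.changed)                 AS changed_at,
    CASE WHEN u.login = 0 THEN NULL          -- 0 means the account never logged in
         ELSE FROM_UNIXTIME(u.login) END     AS last_login,
    CASE
        WHEN u.uid = 1
            THEN 'uid 1 (superuser by default)'
        WHEN SUM(r.roles_target_id = 'administrator') > 0
            THEN 'holds administrator role'
        WHEN u.created >= UNIX_TIMESTAMP(NOW() - INTERVAL 30 DAY)
            THEN 'created inside review window'
        WHEN u.changed >= UNIX_TIMESTAMP(NOW() - INTERVAL 30 DAY)
            THEN 'modified inside review window'
        ELSE 'holds a non-default role'
    END                                      AS review_reason
FROM users_field_data AS u
LEFT JOIN user__roles AS r
       ON r.entity_id = u.uid
      AND r.deleted = 0
WHERE u.uid > 0                              -- skip the anonymous placeholder row
  AND u.default_langcode = 1                 -- one row per account
GROUP BY u.uid, u.name, u.mail, u.status, u.created, u.changed, u.login
HAVING roles IS NOT NULL                     -- any role beyond "authenticated"
    OR u.uid = 1
    OR u.created >= UNIX_TIMESTAMP(NOW() - INTERVAL 30 DAY)
    OR u.changed >= UNIX_TIMESTAMP(NOW() - INTERVAL 30 DAY)
ORDER BY (u.uid = 1) DESC,
         SUM(r.roles_target_id = 'administrator') DESC,
         u.created DESC;
```

Compare the result with the list of accounts you expect to exist: an unfamiliar administrator, or a changed e-mail address on a known one, points to the third scenario rather than the first.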