• Determine current version of Drupal being used
• Downloading a clean Drupal Core
• Running an initial diff (show the difference) between the two
• Run a detailed diff on individual files

Determine current version of Drupal being used

There are multiple ways to check what version of Drupal is being used.

Your best bet is to visit one of the admin status report pages as listed below:

Drupal 6/7: /admin/reports/status

Drupal 5 : /admin/logs/status

Finally, you can take a look at the CHANGELOG.txt file located in the main directory of the Drupal install. (This method is prone to error, so use only if you are having trouble finding it elsewhere).

Downloading a clean Drupal Core

Our next step is to download a clean copy of the Drupal core install that matches our version.

Thankfully, Drupal.org has set up a release page where you can download any version of Drupal all the way back to 4.7.0!

Simply select the branch you wish to download from, and then download the correct zip or tar.gz file from that branch!

If you’re familiar with Drupal’s Git process, you can also checkout a copy:

git clone http://git.drupal.org/project/drupal.git mydir 
cd mydir 
git checkout -b local 6.20

If, for some unholy reason, you need a copy of a release prior to 4.7, versions 2-3 are avaiable at Natrak.net. This is not an official release channel, so download at your own discretion.

Running an initial diff (show the difference) between the two

(Assume that there are two folders drupal is the clean core, and myfolder is the version we suspect has changes.)

You can use any diff tool you like, I personally prefer to use the command line for finding the initial differences between the two.

Here’s what I use:

// this will dump a txt file that lists 
// the differences between the two files
diff -qr drupal myfolder | sort > diffs.txt

// if you want to ignore a set of files, 
// you can pipe it through grep. In this case, 
// I'm ignoring the .DS_Store file that macs 
// tend to dump in every folder.
diff -qr drupal myfolder | grep -v -e 'DS_Store' | sort > diffs.txt

The preceding command will produce a diffs.txt file that will display any differences between the two. Below is an example of what this might look like.

Files drupal/.htaccess and mydir/.htaccess differ
Files drupal/includes/common.inc and mydir/includes/common.inc differ
Files drupal/index.php and mydir/index.php differ

Only in mydir/profiles: technology
Only in mydir: phpMyAdmin

From our diffs.txt file we have quickly learned that yes, there have been changes to the core install, and in addition to the changes, there is a phpMyAdmin installation in our current Drupal directory. At this point you should run a diff on each individual file that shows a difference.

Run a detailed diff on individual files

While you can continue to use the diff command, at this point I would recommend using a GUI diff tool. I like FileMerge, so that’s what I’ll be using.

Let’s compare the common.inc files and see what we get:

Here we can see that someone has placed a redirect instruction in a 404 function.

Now, as part of our audit, we need to figure out why this was done, and how we can extract this code (either by creating a module, or finding a module that can redirect 404 requests). In this instance, we had a fairly simple change, but sometimes you may come across multiple large changes to the core. You must be diligent in discovering what the intent of the changes are, and on how to replicate those changes in a Drupal approved fashion.

Happy hunting!