Drupal Tells Users to Assume Drupal 7 Websites are Compromised


Content management system Drupal told users on Wednesday that unless they updated their Drupal 7 sites within seven hours of the SQL injection announcement last week, they “should proceed under the assumption that every Drupal 7 website was compromised.”

According to Drupal, automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement on October 15, 4 pm UTC.

Drupal said users should update or apply the patch immediately, but updating to version 7.32 or applying the patch does not fix an already compromised website.

“If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site,” Drupal said.

Drupal warns that attackers could have copied all data from a website to use maliciously, and could have created backdoors in the database, code, files directory and other locations.

Drupal’s security team tells users that they should consult with their hosting provider to check that they patched Drupal or otherwise blocked the SQL injection attacks within hours of the announcement. Otherwise, they should restore their website to a backup from before Oct. 15, when the compromise was discovered.

“While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch,” Drupal said in a statement written by its security team.

Drupal is one of the most popular website content management systems, and is used by 24 percent of .gov websites. Acquia recently won a contract with the Australian government to provide a Drupal-based Government Content Management System.

With website security at stake, some users are opting for more managed options to ensure security updates are not ignored and are instead taken care of by a service provider.


One Comment

  1. We were seeing attacks in the wild weeks ago, and they died down - which is why we're pretty sure all unpatched Drupal 7 sites are now compromised. The Drupal team provided some steps in their disclosure, but we also want to recommend the following steps:

       • Check if your site is actively serving malware or spam. Free scanners like SiteCheck and Unmaskparasites exist for this purpose.
       • Download a filesystem backup from before Oct 15th and compare all file changes since.
       • Download a database backup from before Oct 15th and compare any changes there. Look for new users and new hooks especially. If you can, restore to that backup to be safe.
       • Change all passwords.
       • Look up for any new file added since.

     We've written about this several times since the vulnerability was initially discovered weeks ago: http://blog.sucuri.net/2014/10/drupal-warns-every-drupal-7-website-was-compromised-unless-patched.html

     Thanks for helping get the word out.