Content management system Drupal told users on Wednesday that unless they updated their Drupal 7 sites within seven hours of the SQL injection announcement last week, they “should proceed under the assumption that every Drupal 7 website was compromised.”
According to Drupal, automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement on October 15, 4 pm UTC.
Drupal said users should update or apply the patch immediately, but updating to version 7.32 or applying the patch does not fix an already compromised website.
“If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site,” Drupal said.
Drupal warns that attackers could have copied all data from a website to use maliciously, and could have created backdoors in the database, code, files directory and other locations.
Drupal’s security team tells users that they should consult with their hosting provider to check that they patched Drupal or otherwise blocked the SQL injection attacks within hours of the announcement. Otherwise, they should restore their website to a backup from before Oct. 15, when the compromise was discovered.
“While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch,” Drupal said in a statement written by its security team.
Drupal is one of the most popular website content management systems, and is used by 24 percent of .gov websites. Acquia recently won a contract with the Australian government to provide a Drupal-based Government Content Management System.
With website security at stake, some users are opting for more managed options to ensure security updates are not ignored and are instead taken care of by a service provider.