The maintainers of the Drupal content management system are warning users that any site owners who haven’t patched a critical vulnerability in Drupal Core disclosed earlier this month should consider their sites to be compromised.

The vulnerability, which became public on Oct. 15, is a SQL injection flaw in a Drupal module that’s designed specifically to help prevent SQL injection attacks. Shortly after the disclosure of the vulnerability, attackers began exploiting it using automated attacks. One of the factors that makes this vulnerability so problematic is that it allows an attacker to compromise a target site without needing an account and there may be no trace of the attack afterward.

“Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement,” a statement released by the Drupal maintainers on Wednesday says.

Attackers are using automated tools to exploit the vulnerability and in some cases are installing a back door on compromised systems and then patching the flaw in order to ensure that no other attacker can get access to the target site.

“If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site,” the Drupal statement says.

“Attackers may have created access points for themselves (sometimes called ‘backdoors’) in the database, code, files directory and other locations. Attackers could compromise other services on the server or escalate their access. Removing a compromised website’s backdoors is difficult because it is not possible to be certain all backdoors have been found.”

Drupal security team members recommend that site owners restore their sites from a known good backup if they didn’t patch their installations immediately after the vulnerability was disclosed.

“The Drupal security team recommends that you consult with your hosting provider. If they did not patch Drupal for you or otherwise block the SQL injection attacks within hours of the announcement of Oct 15th, 4pm UTC, restore your website to a backup from before 15 October 2014,” the statement says.


Comments (6)

  1. Alycia

    The Drupal team provided some steps in their disclosure, but we also recommend the following steps:

    – Check if your site is actively serving malware or spam. Free scanners like SiteCheck and Unmaskparasites exist for this purpose.
    – Download a filesystem backup from before Oct 15th and compare all file changes since.
    – Download a database backup from before Oct 15th and compare any changes there. Look especially for new users and new hooks. If you can, restore to that backup to be safe.
    – Change all passwords.
    – Look for any new files added since.

    A lot of big websites run Drupal…!
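The filesystem comparison suggested in the comment above can be scripted. This is an added example, not code from the commenter, the article or the Drupal project. The directory layout, file names and extension list are constructed assumptions, and `upload_dir` stands for whatever your site uses as its files directory.

```python
import hashlib
import tempfile
from pathlib import Path

SCRIPT_EXT = (".php", ".phtml", ".inc", ".module")  # assumed list of script extensions


def hash_tree(root):
    """Map each regular file (path relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in Path(root).rglob("*")
        if p.is_file() and not p.is_symlink()
    }


def compare_trees(backup_root, live_root, upload_dir):
    """Diff two trees by content hash; timestamps are ignored since an intruder can reset them."""
    old, new = hash_tree(backup_root), hash_tree(live_root)
    added = sorted(new.keys() - old.keys())
    removed = sorted(old.keys() - new.keys())
    # A core file that is now patched, but not by you, also shows up here.
    changed = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    # New or modified scripts under the upload directory deserve the first look.
    prefix = upload_dir.rstrip("/") + "/"
    scripts = [p for p in added + changed if p.startswith(prefix) and p.lower().endswith(SCRIPT_EXT)]
    return {"added": added, "removed": removed, "changed": changed, "scripts_in_uploads": scripts}


def _write(root, rel, data):
    path = Path(root, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo():
    """Constructed sample: a pre-incident backup and a tampered live copy."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        for root in (backup, live):
            _write(root, "index.php", b"<?php // front controller\n")
            _write(root, "files/logo.png", b"constructed image bytes")
        _write(backup, "includes/core.inc", b"<?php // unpatched\n")
        _write(live, "includes/core.inc", b"<?php // patched, but not by the owner\n")
        _write(live, "files/cache.php", b"<?php // unexpected script\n")
        return compare_trees(backup, live, upload_dir="files")


if __name__ == "__main__":
    print(demo())
```

A clean result here only covers the code and files directory; the database still needs its own comparison against a backup from before Oct 15th.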

  2. Rick Smith

    Drupal was a victim of incremental improvements. The SQL injection arose from a flaw in the package developed to prevent SQL injections.
