The maintainers of the Drupal content management system are warning users that any site owners who haven’t patched a critical vulnerability in Drupal Core disclosed earlier this month should consider their sites to be compromised.
The vulnerability, which became public on Oct. 15, is a SQL injection flaw in a Drupal module that’s designed specifically to help prevent SQL injection attacks. Shortly after the disclosure of the vulnerability, attackers began exploiting it using automated attacks. One of the factors that makes this vulnerability so problematic is that it allows an attacker to compromise a target site without needing an account and there may be no trace of the attack afterward.
“Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement,” a statement released by the Drupal maintainers on Wednesday says.
Attackers are using automated tools to exploit the vulnerability and in some cases are installing a back door on compromised systems and then patching the flaw in order to ensure that no other attacker can get access to the target site.
“If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site,” the Drupal statement says.
“Attackers may have created access points for themselves (sometimes called ‘backdoors’) in the database, code, files directory and other locations. Attackers could compromise other services on the server or escalate their access. Removing a compromised website’s backdoors is difficult because it is not possible to be certain all backdoors have been found.”
Drupal security team members recommend that site owners restore their sites from a known good backup if they didn’t patch their installations immediately after the vulnerability was disclosed.
“The Drupal security team recommends that you consult with your hosting provider. If they did not patch Drupal for you or otherwise block the SQL injection attacks within hours of the announcement of Oct 15th, 4pm UTC, restore your website to a backup from before 15 October 2014,” the statement says.