Drupal Advisory Unleashes a Torrent of Attacks

Nov 04, 2014

Users only had 7 hours to update before the intrusions started.

On October 15, the Drupal security team announced an SQL injection vulnerability affecting Drupal 7 websites. A patch was quickly provided, and users were urged to upgrade their Drupal systems to Version 7.32. In a recent update to the original post, the team says that multiple attacks appeared “… in the wild following the release of this security advisory.” The extreme efficiency with which the vulnerability was turned into a real-world attack means that, according to Drupal, any site that wasn't patched within 7 hours of the original October 15 announcement should be considered compromised.
If a system was breached before the patch was applied, an update to the system doesn't help. In fact, it appears that an unexpectedly updated system is sometimes evidence of an attack. Intruders, it seems, are eager to update the system to Drupal 7.32 once they gain entry to prevent other intruders from slipping in also.
Ironically, the attack exploits a vulnerability in a Drupal API that is designed to help prevent SQL injection attacks.
If you did not get your Drupal site updated within 7 hours of the initial October 15 announcement, the Drupal team recommends the following steps:

  1. Take the website offline by replacing it with a static HTML page.
  2. Notify the server’s administrator, emphasizing that other sites or applications hosted on the same server might have been compromised via a backdoor installed by the initial attack.
  3. Consider obtaining a new server, or otherwise remove all the website’s files and database from the server. (Keep a copy safe for later analysis.)
  4. Restore the website (Drupal files, uploaded files, and database) from backups from before October 15, 2014.
  5. Update or patch the restored Drupal core code.
  6. Put the restored and patched/updated website back online.
  7. Manually redo any desired changes made to the website since the date of the restored backup.
  8. Audit anything merged from the compromised website, such as custom code, configuration, files or other artifacts, to confirm they are correct and have not been tampered with.

Related content

comments powered by Disqus

Issue 30: Getting Started with Linux/Special Editions

Buy this issue as a PDF

Digital Issue: Price $15.99
(incl. VAT)

News

njobs Europe
What:
Where:
Country:
Njobs Netherlands Njobs Deutschland Njobs United Kingdom Njobs Italia Njobs France Njobs Espana Njobs Poland
Njobs Austria Njobs Denmark Njobs Belgium Njobs Czech Republic Njobs Mexico Njobs India Njobs Colombia