Drupal Advisory Unleashes a Torrent of Attacks

Nov 04, 2014

Users only had 7 hours to update before the intrusions started.

On October 15, the Drupal security team announced an SQL injection vulnerability affecting Drupal 7 websites. A patch was quickly provided, and users were urged to upgrade their Drupal systems to Version 7.32. In a recent update to the original post, the team says that multiple attacks appeared “… in the wild following the release of this security advisory.” The extreme efficiency with which the vulnerability was turned into a real-world attack means that, according to Drupal, any site that wasn't patched within 7 hours of the original October 15 announcement should be considered compromised.
If a system was breached before the patch was applied, an update to the system doesn't help. In fact, it appears that an unexpectedly updated system is sometimes evidence of an attack. Intruders, it seems, are eager to update the system to Drupal 7.32 once they gain entry to prevent other intruders from slipping in also.
Ironically, the attack exploits a vulnerability in a Drupal API that is designed to help prevent SQL injection attacks.
If you did not get your Drupal site updated within 7 hours of the initial October 15 announcement, the Drupal team recommends the following steps:

  1. Take the website offline by replacing it with a static HTML page.
  2. Notify the server’s administrator, emphasizing that other sites or applications hosted on the same server might have been compromised via a backdoor installed by the initial attack.
  3. Consider obtaining a new server, or otherwise remove all the website’s files and database from the server. (Keep a copy safe for later analysis.)
  4. Restore the website (Drupal files, uploaded files, and database) from backups from before October 15, 2014.
  5. Update or patch the restored Drupal core code.
  6. Put the restored and patched/updated website back online.
  7. Manually redo any desired changes made to the website since the date of the restored backup.
  8. Audit anything merged from the compromised website, such as custom code, configuration, files or other artifacts, to confirm they are correct and have not been tampered with.

Related content

  • News

    Updates on Technologies, Trends, and Tools

    more »
  • PHP Attack Puts WordPress and Drupal at Risk

    All websites that use these popular CMS tools could be vulnerable to denial of service attacks if users don't install the updates.

    more »
  • FCC to Rebuild Its Site in Drupal

    Federal Communications Commission follows The White House's lead.

    more »
  • NEWS

    In the news: VMware rolls out essential PKS; Linux 5.0 is here; Kali Linux 2019.1 is available; Linux Foundation releases a new draft of OpenChain specification; hackers start exploiting a Drupal bug;  LibreOffice is vulnerable to a remote code execution flaw; and an early warning system for seismic events.

    more »
  • Drupal.org Hacked

    Security breached at home sites of the CMS project.

    more »
comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News

Tag Cloud

Administration Community Desktop Events Hardware Linux Mobile Programming Security Software Ubuntu Web Development Windows free software open source