Content management system Drupal has said that it is suffering “automated attacks” against websites running version 7 of its software.
The company had previously released a patch for a SQL injection flaw, but it said in the advisory that, because the automated attack hit as many vulnerable Drupal sites as quickly as possible, anyone who did not update to version 7.32 within seven hours of its release should assume they have been hacked.
In an advisory, it said: “Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, seven hours after the announcement.”
According to Forbes, Michael Hess of the Drupal Security Team said: “If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.”
The Drupal security team recommends that websites be restored from a backup made before October 15th. Last month, the Australian Government signed a four year deal with Acquia to implement its Drupal-based web Government Content Management System (GovCMS).
Drupal warned that attackers may have created backdoors in the database, code, files directory and other locations, and could compromise other services on the server or escalate their access.
It recommended that site owners consult their hosting provider and, if the provider did not patch Drupal or otherwise block the SQL injection attacks within hours of the announcement on October 15th, restore the website from a backup made before October 15th.
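The symptom Michael Hess describes above (a site that is patched, but not by its owner) and the "did anyone patch this in time" question behind the restore advice can both be checked mechanically. The script below is an added example written for this article, not Drupal project code. It assumes, from the public 7.32 change, that the fix wraps the loop inside expandArguments() in includes/database/database.inc with array_values(), and that core reports its version through define('VERSION', ...) in includes/bootstrap.inc. A pre-7.32 version constant sitting next to the fix is the "patched in place" case: harmless if the owner applied the one-line patch themselves, an indicator of compromise otherwise.

```python
"""Heuristic check for a Drupal 7 code tree: is the SA-CORE-2014-005 fix
present in core, and does the core version constant agree with it?

Added example for this article, not Drupal project code. The fixed and
vulnerable loop shapes below are assumed from the public Drupal 7.32 patch.
"""
import re
from pathlib import Path

FIXED_VERSION = (7, 32)

# Assumed fixed and vulnerable forms of the expandArguments() loop.
FIXED_LOOP = re.compile(
    r"foreach\s*\(\s*array_values\s*\(\s*\$data\s*\)\s+as\s+\$i\s*=>\s*\$value\s*\)")
VULNERABLE_LOOP = re.compile(r"foreach\s*\(\s*\$data\s+as\s+\$i\s*=>\s*\$value\s*\)")
VERSION_DEFINE = re.compile(r"define\(\s*'VERSION'\s*,\s*'([\d.]+)'\s*\)")


def parse_version(bootstrap_src):
    """Return the core version from bootstrap.inc as an int tuple, or None."""
    m = VERSION_DEFINE.search(bootstrap_src)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def patch_state(database_src):
    """'fixed', 'vulnerable' or 'unknown', judged from the expandArguments() loop."""
    if FIXED_LOOP.search(database_src):
        return "fixed"
    if VULNERABLE_LOOP.search(database_src):
        return "vulnerable"
    return "unknown"


def assess(bootstrap_src, database_src):
    """Combine version and patch state into a verdict.

    'patched-in-place' is the case the advisory warns about: core still reports
    a pre-7.32 version, yet the fix is present. If the site owner did not apply
    that patch, treat it as an indicator of compromise and restore from a
    backup made before the announcement.
    """
    version = parse_version(bootstrap_src)
    state = patch_state(database_src)
    if version is None or state == "unknown":
        verdict = "unknown"
    elif version >= FIXED_VERSION:
        verdict = "updated" if state == "fixed" else "inconsistent"
    else:
        verdict = "patched-in-place" if state == "fixed" else "vulnerable"
    return {"version": version, "patch": state, "verdict": verdict}


def assess_tree(root):
    """Read the two core files from a Drupal 7 docroot and assess them."""
    root = Path(root)
    bootstrap = (root / "includes" / "bootstrap.inc").read_text(errors="replace")
    database = (root / "includes" / "database" / "database.inc").read_text(errors="replace")
    return assess(bootstrap, database)


# Constructed fragments standing in for the real files (not Drupal source).
SAMPLE_BOOTSTRAP_731 = "<?php\ndefine('VERSION', '7.31');\n"
SAMPLE_BOOTSTRAP_732 = "<?php\ndefine('VERSION', '7.32');\n"
SAMPLE_DB_VULNERABLE = """
      foreach ($data as $i => $value) {
        $new_keys[$key . '_' . $i] = $value;
      }
"""
SAMPLE_DB_FIXED = """
      foreach (array_values($data) as $i => $value) {
        $new_keys[$key . '_' . $i] = $value;
      }
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(assess_tree(sys.argv[1]))  # e.g. python check.py /var/www/drupal
    else:
        cases = [("7.31 unpatched", SAMPLE_BOOTSTRAP_731, SAMPLE_DB_VULNERABLE),
                 ("7.31 patched in place", SAMPLE_BOOTSTRAP_731, SAMPLE_DB_FIXED),
                 ("7.32 update", SAMPLE_BOOTSTRAP_732, SAMPLE_DB_FIXED)]
        for name, boot, db in cases:
            print(name, "->", assess(boot, db)["verdict"])
```

Run it against a docroot to get one of five verdicts; "inconsistent" (7.32 reported but the vulnerable loop still present) means core files have been edited and deserves the same scrutiny as "patched-in-place". This is a heuristic on two files only: an attacker with write access can rewrite either one, and the backdoors the advisory mentions in the database, the files directory and elsewhere are outside its scope, so a clean verdict does not replace comparing the whole tree and database against a pre-October-15th backup.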
Ilia Kolochenko, CEO of High-Tech Bridge, praised Drupal for doing a “very good job of mitigating the risks” by quickly making people aware of them.
“As soon as a vulnerability in popular CMS platforms like Drupal is discovered, millions of crawlers operated by hackers (similar to Google bots) start searching for vulnerable websites,” he said.
“Once a victim is identified, their website gets hacked, patched and fitted with a backdoor. Within several days, access to the compromised website will be sold on the black market, more than likely to several different customers at the same time who each may well resell it several more times. Like this, your personal blog may be easily involved in a dozen different criminal offenses such as hosting illicit content, sending spam and infecting visitors, to name just a few.”